Re: [Bug-gnuzilla] GNU LibreJS won't be removed from GNU IceCat

2018-02-22 Thread Julie Marchant
On 2018-02-22 21:50, bill-auger wrote:
> so it's not really accurate to say that libreJS is inherently ineffective
> - it is just not widely adopted enough to realize its potential - if it
> becomes significantly popular enough for people to start gaming and
> cheating it then surely it would also become more robust over time as
> there would be more effort put into its development and maintenance
> (e.g. a volunteer team of license checking monkeys)

I think this is wishful thinking. What could you possibly do, maintain a
giant list of websites that are mislabeling their proprietary scripts as
libre?

And ultimately, that's not the real problem. The real problem is that
LibreJS solves nothing. It's blocking some scripts, but not all. As I
argued here:

https://onpon4.github.io/articles/kill-js.html

*Even if* these websites were serving 100% libre JavaScript, it is
still, from a practical standpoint, impossible for the user to
reasonably exercise freedom 1. You can't make any Web browser that
currently exists run modified JavaScript code (unless you manage to
convert it to user script code, which is a different syntax), and while
you can audit the script, the server is able to change to another script
without notice.

The problem here is that JavaScript, as it is used on Web pages, is,
*fundamentally*, incompatible with software freedom.

That's why I have proposed that the only way any of that JavaScript code
can *ever* be acceptable is with a fundamental rehaul of the way our
browsers handle JavaScript code, and such a rehaul would take a whole
lot of work. So I really think it would be easier to just fight against
JavaScript *entirely*.

Create a browser that shows the merits of a scriptless Web. Advertise it
as non-exploitable, because if it doesn't run scripts from random
untrusted sources, it is. Show people that this world, where just
navigating to the wrong Web page can potentially screw up your entire
system, is a world we don't have to live in. Show them that Web pages
don't have to take centuries to load. Show them that we don't have to
deal with annoying pop-up messages and bizarre, unexpected behavior when
clicking on a link.

And what's more, show them that we don't have to live in a world where
not updating your Web browser every week leaves you vulnerable.

I truly believe we can change the Web in this way. Many websites are
already there. But we need to actually be working toward it, as a group,
with a good browser backing this up. Exactly *what* JavaScript code is
being executed is merely a distraction. Let's band together and solve
the real problem, right here and now.

Some time ago, I offered a bounty to anyone who would write a certain
extension. I think it was $50? I don't remember for sure. But I am still
offering that bounty, so either $50, or if it was larger, what I said
back then. The extension I am offering a bounty for is one that does the
following:

1. Blocks *all* JavaScript code, regardless of what it does.
2. Adds a "danger button" which allows all JavaScript code to execute
for the current page,* for a very short period of time (e.g. 5 minutes),
and then reloads the page.
3. (Optional, +$10) Adds a "super danger button" which allows all
JavaScript code to execute for any page on the current domain for the
remainder of the session. A second click on this button would revert this.
4. (Optional, +$15) Offers LibreJS's complaint feature, with the default
suggested complaint requesting the webmaster to remove all JavaScript
dependencies from their website.

* Note that this would be based on what the current page's source is,
not where the JavaScript files themselves come from, so this is
completely different from what NoScript does. For example, if
foo.com/example.html uses scripts from its own domain but also scripts
from bar.com and baz.net, *all* of these scripts would execute normally
with the "danger button", but *only* if the user is on foo.com/example.html.

I think such an extension would serve the purpose of killing JavaScript
very well because it would be a browser people would actually use (it is
not terribly inconvenient; all websites are still usable), but it would
cause no JavaScript to be the default. Users would be lured into the
extension by the fact that it keeps your browser secure, and they would
be won over by the fact that most pages work *better* without pressing
the "danger button". Watching a lot of YouTube videos? Applying for a
job? Shopping at Ebay? No worries; press the "Super Danger Button" and
be on your way.

With both optional features, that would be $75 for anyone willing to
write this.

-- 
Julie Marchant
https://onpon4.github.io



signature.asc
Description: OpenPGP digital signature
--
http://gnuzilla.gnu.org
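
An added sketch of the page-scoped policy described in the bounty list above (not code from this thread or from any existing extension). Assumptions: every name is hypothetical, blocking is done by appending a `script-src 'none'` Content-Security-Policy header to the page's response, a "page" is its URL without the fragment, a "domain" is the exact hostname, and the browser wiring is left out.

```javascript
// Added example: page-scoped "danger button" policy. All names are hypothetical.
const DANGER_MS = 5 * 60 * 1000;               // "e.g. 5 minutes" from the proposal
const BLOCK_ALL_SCRIPTS = "script-src 'none'"; // assumption: blocking is done via CSP

// Assumption: a "page" is identified by its URL without the fragment.
function pageKey(url) {
  const u = new URL(url);
  u.hash = "";
  return u.href;
}

class DangerPolicy {
  constructor() {
    this.pageGrants = new Map();   // pageKey -> expiry time in ms
    this.domainGrants = new Set(); // hostnames allowed until the session ends
  }

  // Item 2: allow every script on this one page for a short time.
  pressDanger(pageUrl, now) {
    this.pageGrants.set(pageKey(pageUrl), now + DANGER_MS);
  }

  // Item 3: a second press reverts the grant. Returns the new state.
  toggleSuperDanger(pageUrl) {
    const host = new URL(pageUrl).hostname;
    if (this.domainGrants.delete(host)) return false;
    this.domainGrants.add(host);
    return true;
  }

  // The decision takes only the page URL. Where a script is hosted is never
  // consulted, which is the difference from a script-location allowlist.
  scriptsAllowed(pageUrl, now) {
    if (this.domainGrants.has(new URL(pageUrl).hostname)) return true;
    const expiry = this.pageGrants.get(pageKey(pageUrl));
    return expiry !== undefined && now < expiry;
  }

  // Pages whose grant has run out. The caller reloads them so that scripts
  // already running are torn down, then they load blocked again.
  takeExpired(now) {
    const due = [];
    for (const [key, expiry] of this.pageGrants) {
      if (now >= expiry) {
        due.push(key);
        this.pageGrants.delete(key);
      }
    }
    return due;
  }

  // Headers for the page's own document response. A response may carry several
  // CSP headers and all of them are enforced, so appending one only tightens.
  applyHeaders(responseHeaders, pageUrl, now) {
    const out = responseHeaders.map((h) => ({ ...h }));
    if (!this.scriptsAllowed(pageUrl, now)) {
      out.push({ name: "Content-Security-Policy", value: BLOCK_ALL_SCRIPTS });
    }
    return out;
  }
}

// Simplified script-location allowlist, the model the thread contrasts with.
function locationAllowlistAllows(allowedHosts, scriptUrl) {
  return allowedHosts.has(new URL(scriptUrl).hostname);
}

// The foo.com example from the footnote: scripts from foo.com, bar.com, baz.net.
function fooExample() {
  const page = "https://foo.com/example.html";
  const scripts = [
    "https://foo.com/app.js",
    "https://bar.com/lib.js",
    "https://baz.net/widget.js",
  ];
  const policy = new DangerPolicy();
  const t0 = 0;
  policy.pressDanger(page, t0);
  const onlyFoo = new Set(["foo.com"]);
  return {
    // One button press covers all three scripts, but only on this page.
    pageScoped: scripts.map(() => policy.scriptsAllowed(page, t0 + 1)),
    otherPage: policy.scriptsAllowed("https://foo.com/other.html", t0 + 1),
    // A location allowlist for foo.com lets only the first script run.
    locationScoped: scripts.map((s) => locationAllowlistAllows(onlyFoo, s)),
  };
}
```
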


Re: [Bug-gnuzilla] GNU LibreJS won't be removed from GNU IceCat

2018-02-22 Thread Julie Marchant
On 2018-02-22 03:22, Ivan Zaigralin wrote:
> What I mean by drive-by-downloading, here we get philosophical. How free is 
> the code which is only meant to be executed once? No one audits > 99% of this 
> code, and it's all in constant flux. I would even argue, there's no hope it 
> can ever be audited. There are already (I am sure) websites that generate 
> brand-new code for every visit, making this assertion literal. How do you 
> audit all that code? With an automated tool? An algorithm can't even solve a 
> halting problem, let alone audit itself out of a paper bag.
> 
> Now put yourself in the shoes of an average web user. Average here is the key
> word. Their freedoms to understand and modify the JavaScript code have all
> but completely eroded. In a traditional software distribution market they can
> hire experts to explain and fix the software for them. This is utterly
> unaffordable if every click generates new software.
>
> And now back to drive-by-downloading, which is important because it is
> perhaps the source of the problem. All of this is happening, as we all know
> very well, because average users are willing to run software from any source,
> as long as it doesn't make their computer explode right away. They don't even
> understand the basic difference between downloading data versus downloading
> and executing an arbitrary algorithm. When a blog, or a news site, or a
> government website won't load because you didn't let it run an arbitrary
> algorithm on your computer, that's crazy, just crazy. And the norm. These
> users who leave all JavaScript on, they already buried 2 of their freedoms,
> and the boilerplate license on the disposable code can't change that. They
> need to be told to boycott sites which require JS to function, and to demand
> legislation which would require something like HTML+CSS web fronts from
> commercial and government entities. It is not at all helpful, in my opinion,
> to differentiate between varieties of JavaScript sources, because none of
> them should be downloaded in the first place. Most importantly, web masters
> who want a free web should stop using JavaScript, and they should be
> transitioning right now, and not stop until there's nothing left for LibreJS
> to mark as free. All desired JavaScript functionality can be trivially
> recreated via a combination of free browser plugins and calls to free and
> standard libraries. The drive-by-download culture, on the other hand, will
> plunge us deeper into the sea of disposable software.

I agree with this 100%. I've written about it here; I suggest for anyone
who hasn't already to give it a read:

https://onpon4.github.io/articles/kill-js.html

-- 
Julie Marchant
https://onpon4.github.io





Re: [Bug-gnuzilla] GNU LibreJS won't be removed from GNU IceCat

2018-02-21 Thread Julie Marchant
On 2018-02-21 22:02, b...@iinet.net.au wrote:
> Hmmm...If that'd be the case, is it well worth considering "NoScript"
> and "HTTPS Everywhere" as part of the default extensions suite?

I still think shipping with JavaScript disabled entirely by default
would be preferable. Perhaps add an extension with a "danger button"
that allows all scripts on a particular page to run (like LibreJS's
similar option, instead of being like what NoScript does).

Note regarding NoScript: it would have to be modified, since its default
settings whitelist dozens of websites serving proprietary JavaScript
code. Anyway, I wouldn't see much point.

-- 
Julie Marchant
https://onpon4.github.io





Re: [Bug-gnuzilla] I am really getting sick of this. Goodbye

2017-03-24 Thread Julie Marchant
I'm afraid I won't argue with unsubstantiated speculation. However, if you 
would like to answer the questions I have asked, that will get us on track 
toward a proper debate based on evidence.

--
Julie Marchant
https://onpon4.github.io

On Mar 24, 2017 6:41 PM, awake...@tutanota.de wrote:
>
> I see what you're doing here, you're playing game of questions with me and 
> being very evasive while pretending to have no idea what I am talking about, 
> while also simultaneously giving yourself the unfounded excuse to back up 
> your own flawed argument that "I'm wrong" for "no mentioned facts or reasons" 
> without actually providing evidence that supports your claims against me even 
> though I'm the one always pointing out the truth because I want people to 
> wake up. 
> How convenient that you never show my previous full reply in your messages to 
> me so that people find it more difficult to follow this wild goose chase back 
> and forth you are trying to play me with. I said it before and I'll say it 
> again, if you don't like me for any reason, mark my emails as spam. I 
> honestly do not enjoy our interactions and I politely request that you Julie, 
> personally mark me as spam once and for all. But I know you won't, because 
> that doesn't accomplish your goals does it? I'm not sorry and nobody is going 
> to shut me up. I love helping people so please I kindly ask that you prove me 
> wrong and don't message me again.
>
> 24. Mar 2017 09:01 by onp...@riseup.net:
>
>> On 03/24/2017 07:09 AM, awake...@tutanota.de wrote:
>>>
>>> I point out your missteps in logic
>>
>>
>> Where did you do this, and what "missteps in logic" are you talking about?
>>>
>>> you suddenly shift your argument if I may call it that to the opposite of 
>>> what you appeared to originally intend to say.
>>
>>
>> What did you perceive me as originally intending to say, and what part
>> of my message made you perceive that?
>>>
>>> you don't actually want to provide a logical argument that shows any facts 
>>> and reasons why what I said wasn't good enough for you.
>>
>>
>> I didn't respond to your email to argue against it. I responded to your
>> email to ask you to stop flooding my mailbox, as at the time you had
>> sent eight emails in quick succession for no good reason.
>>
>> I did of course argue against what you were saying, but it's a very
>> simple argument that you could easily refute if you are on the side of
>> truth:
>>
>> 1. There is no evidence to support your hypothesis.
>>
>> 2. There is no reasonable motivation for any known party to do what you
>> suggest.
>>
>> I can't prove that there isn't a conspiracy going on any more than you
>> could prove that the tooth fairy isn't real. But you can either show
>> evidence that supports your hypothesis, or at least start by showing a
>> credible motivation someone could have to want to sabotage IceCat and
>> not, say, Tor Browser.
>>>
>>> I love it how everyone is mentioning TOR but they all fail to mention the 
>>> important details like how extremely slow it is, the lack of functionality, 
>>> and how many times it has been compromised. thanks for the suggestion but 
>>> I'm very proud of what the creators of icecat have done.
>>
>>
>> Matters of convenience like how fast the browser is don't matter in this
>> discussion, because if a malicious party wants to sabotage users'
>> privacy, they will go for the more popular option no matter how
>> convenient it is for the users, and given the lack of attention IceCat
>> has gotten anywhere outside of our little circle and the boost in
>> attention Tor Browser has gotten from the Snowden revelations, Tor
>> Browser appears to be more popular. If you have any evidence to show
>> that IceCat is actually more popular than Tor Browser, please feel free
>> to present it.
>>
>> In what way is IceCat more secure than the Tor Browser Bundle? These are
>> the facts I can see:
>>
>> 1. IceCat is frequently behind its upstream, Firefox, on updates.
>>
>> 2. IceCat includes LibreJS, which selectively stops scripts from
>> executing based on the presence or absence of a license statement in a
>> particular format. This means that any malicious party can convince
>> IceCat to execute JavaScript simply by lying about the license, or
>> (because the JavaScript infrastructure doesn't enable forking of a
>> website's JavaScript code, and LibreJS doesn't even support blocking any
>> scripts it detects as libre) simply making the script libre and keeping
>> in the malicious functionality. I explained this in my essay,
>> "Proprietary JavaScript: Fix, or Kill?"[1] Therefore, LibreJS cannot
>> reliably be protective ag--
http://gnuzilla.gnu.org


Re: [Bug-gnuzilla] I am really getting sick of this. Goodbye

2017-03-24 Thread Julie Marchant
On 03/24/2017 07:09 AM, awake...@tutanota.de wrote:
> I point out your missteps in logic

Where did you do this, and what "missteps in logic" are you talking about?

> you suddenly shift your argument if I may call it that to the opposite of 
> what you appeared to originally intend to say.

What did you perceive me as originally intending to say, and what part
of my message made you perceive that?

> you don't actually want to provide a logical argument that shows any facts 
> and reasons why what I said wasn't good enough for you.

I didn't respond to your email to argue against it. I responded to your
email to ask you to stop flooding my mailbox, as at the time you had
sent eight emails in quick succession for no good reason.

I did of course argue against what you were saying, but it's a very
simple argument that you could easily refute if you are on the side of
truth:

1. There is no evidence to support your hypothesis.

2. There is no reasonable motivation for any known party to do what you
suggest.

I can't prove that there isn't a conspiracy going on any more than you
could prove that the tooth fairy isn't real. But you can either show
evidence that supports your hypothesis, or at least start by showing a
credible motivation someone could have to want to sabotage IceCat and
not, say, Tor Browser.

> I love it how everyone is mentioning TOR but they all fail to mention the 
> important details like how extremely slow it is, the lack of functionality, 
> and how many times it has been compromised. thanks for the suggestion but I'm 
> very proud of what the creators of icecat have done.

Matters of convenience like how fast the browser is don't matter in this
discussion, because if a malicious party wants to sabotage users'
privacy, they will go for the more popular option no matter how
convenient it is for the users, and given the lack of attention IceCat
has gotten anywhere outside of our little circle and the boost in
attention Tor Browser has gotten from the Snowden revelations, Tor
Browser appears to be more popular. If you have any evidence to show
that IceCat is actually more popular than Tor Browser, please feel free
to present it.

In what way is IceCat more secure than the Tor Browser Bundle? These are
the facts I can see:

1. IceCat is frequently behind its upstream, Firefox, on updates.

2. IceCat includes LibreJS, which selectively stops scripts from
executing based on the presence or absence of a license statement in a
particular format. This means that any malicious party can convince
IceCat to execute JavaScript simply by lying about the license, or
(because the JavaScript infrastructure doesn't enable forking of a
website's JavaScript code, and LibreJS doesn't even support blocking any
scripts it detects as libre) simply making the script libre and keeping
in the malicious functionality. I explained this in my essay,
"Proprietary JavaScript: Fix, or Kill?"[1] Therefore, LibreJS cannot
reliably be protective against any sort of malicious JavaScript code;
its only protective effect is "security through obscurity".

3. When using Tor, IceCat blocks all requests for things like images,
unlike Tor Browser. This makes it possible for any website to
distinguish between Tor Browser and IceCat simply by embedding an image
onto the Web page and seeing whether or not the image was sent at the
time the Web page was loaded.

4. Other than LibreJS, which (as I explained) can easily be subverted,
IceCat offers no protection against malicious scripts except for what is
built into Firefox already. In particular, NoScript is not included.
Even when it allows all scripts to execute, NoScript provides certain
security features, such as protection against XSS attacks, which Tor
Browser benefits from.

5. IceCat and Tor Browser share the same upstream, Firefox ESR. This
means that, all other factors being equal, they should share the same
vulnerabilities. The least vulnerable of the two should be the one that
gets updated most promptly and most frequently, and that is Tor Browser.

Put together, all of these facts paint a picture that Tor Browser is not
only more private and more secure than IceCat, but substantially so. If
you have any evidence to the contrary, please show me what that evidence is.

[1] https://onpon4.github.io/other/kill-js/

-- 
Julie Marchant
https://onpon4.github.io

Protect your emails with GnuPG:
https://emailselfdefense.fsf.org





Re: [Bug-gnuzilla] I am really getting sick of this. Goodbye

2017-03-19 Thread Julie Marchant
On 03/19/2017 02:34 PM, awake...@tutanota.de wrote:
> If IceCat isn't important in the grand scheme of things, then what
> browser may you suggest other security and privacy conscious users use
> in the place of IceCat, god forbid it wasn't a choice anymore?

I was talking about people who *don't* care about these issues, and
proprietary software developers. As in, IceCat is *tiny* compared to
e.g. Google Chrome or Safari. As in, it's ridiculous to think that any
of those companies would have any interest in spending money to... how
did you put it? "[G]ive them more work because they want them to fail."

> there aren't many other actual good choices out
> there.

For privacy and security? IceCat isn't even the best browser for that.
That would be the Tor Browser Bundle. Which, incidentally, probably has
a larger user base than IceCat.

> I value critical thinking

And yet you are not applying it. There is no reason anyone would be
motivated to make IceCat fail.

> I could say the same thing about your emails but I try to be
> a nice person.

No, you couldn't, at least not honestly. You sent *eight* emails in *one
hour*, without anyone replying, all on the same topic. This is spam. I
sent *one* email in response. This is not spam.

-- 
Julie Marchant
https://onpon4.github.io

Protect your emails with GnuPG:
https://emailselfdefense.fsf.org





Re: [Bug-gnuzilla] I am really getting sick of this. Goodbye

2017-03-18 Thread Julie Marchant
Libre software is about freedom to control your computing, not freedom to 
choose a proprietary OS. The FSF supports compiling for Windows because it 
helps users to transition to libre software.

Attacking users for making a bad decision (Windows) is unproductive and 
hurtful, but not directly at odds with libre software principles as you suggest.

--
Julie Marchant
https://onpon4.github.io

On Mar 18, 2017 8:08 PM, The Canadian Bacon  wrote:
>
> It's funny, GNU is about freedom of choice, yet just about every message I 
> read has people trampling over others choice of operating system.
>
> It's appalling to read almost every day these arguments. Yes, sometimes it's 
> hard to support different platforms. I'm a software engineer myself, so I 
> know the complexities of supporting different systems, if the maintainer 
> doesn't want to support said platform I'm not going to argue, but if others 
> are going to bash people for their choices, it's basically like reading 
> poison. Just stop with it, it gets us nowhere and it goes against the very 
> principle of GNU.
>
> I'm at the point where I just want to unsubscribe to the mailing list, it's 
> that bad.
>
> On Mar 18, 2017 2:32 PM, "Julie Marchant"  wrote:
>>
>> On 03/18/2017 01:37 PM, awake...@tutanota.de wrote:
>> > I sense deep treachery however.
>>
>> What you "sense" is a conspiracy theory, and it's ridiculous. IceCat is
>> not important in the grand scheme of things for anyone who isn't a libre
>> software supporter, so there is no cause for a conspiracy. Further,
>> there is no evidence for a conspiracy. What you are seeing is nothing
>> more than user dissatisfaction. It's not just here, either; similar
>> dissatisfaction has been expressed on the Trisquel forum.
>>
>> Personally, I think it would be great if both of these projects could be
>> handed off to someone else. After all, Ruben is clearly overworked.
>> However, this is an imperfect world and there don't seem to be any takers.
>>
>> Also, even the FSF supports building software for Windows.
>>
>> Anyway, please stop flooding my inbox with screeching about your
>> conspiracy theories. That is not what I am subscribed to this mailing
>> list for.
>>
>> --
>> Julie Marchant
>> https://onpon4.github.io
>>
>> Protect your emails with GnuPG:
>> https://emailselfdefense.fsf.org
>>
>>
>> --
>> http://gnuzilla.gnu.org
>>


Re: [Bug-gnuzilla] I am really getting sick of this. Goodbye

2017-03-18 Thread Julie Marchant
On 03/18/2017 01:37 PM, awake...@tutanota.de wrote:
> I sense deep treachery however.

What you "sense" is a conspiracy theory, and it's ridiculous. IceCat is
not important in the grand scheme of things for anyone who isn't a libre
software supporter, so there is no cause for a conspiracy. Further,
there is no evidence for a conspiracy. What you are seeing is nothing
more than user dissatisfaction. It's not just here, either; similar
dissatisfaction has been expressed on the Trisquel forum.

Personally, I think it would be great if both of these projects could be
handed off to someone else. After all, Ruben is clearly overworked.
However, this is an imperfect world and there don't seem to be any takers.

Also, even the FSF supports building software for Windows.

Anyway, please stop flooding my inbox with screeching about your
conspiracy theories. That is not what I am subscribed to this mailing
list for.

-- 
Julie Marchant
https://onpon4.github.io

Protect your emails with GnuPG:
https://emailselfdefense.fsf.org





Re: [Bug-gnuzilla] Suggestion: JavaScript button

2017-02-15 Thread Julie Marchant
On 02/15/2017 03:02 PM, awake...@tutanota.de wrote:
> Gosh I have a headache, I'm sorry but have you ever even used NoScript?

Yes, I have, quite extensively, and I would appreciate it if you would
take the time to understand what I am actually requesting rather than
talking to me as if I was an idiot.

> NoScript blocks everything by default and then you simply allow SPECIFIC
> individual things ONLY that you want to allow as you go.

Specific individual *locations*. But that doesn't matter all that much.
What matters is that NoScript does not support allowing all scripts on
the page to execute *once*, while still refusing to run any Javascript
in *all* other contexts. That doesn't mean blocking specific scripts, or
allowing specific scripts. That means universally blocking scripts, but
allowing all of the scripts requested by a specific *page*.

> I never have to turn on all javascript, reload, do work, turn it off,
> reload, and go crazy. NoScript blocks everything, and I simply allow
> only what I need.

You have completely misunderstood the purpose of what I am suggesting.
NoScript is an improvement if all you want is better security *and*
you're an advanced user. I want something that can be made the *default*
behavior of a browser, which both is easy to use *and* results in
JavaScript being disabled most of the time.

When talking about a *simple* mechanism for users to keep JavaScript
*entirely* off most of the time (which is *not* the same thing as
keeping *most* scripts off based on a whitelist), the only solution that
currently exists is to toggle JavaScript.

> what you are suggesting is basically a more permanent version of the 
> "temporarily allow all" button in NoScript

No, it's a less permanent and more reliable version, and also one that
doesn't cause scripts to accidentally be allowed on other pages.

> "magic button of safety"

It's not a button of "safety", it's a button of *danger*. The safety is
in *not* having that as the state of affairs unless you press it.

> push it over and over again until it gives them what they want

They would only need to push it once. You're confusing what I'm
proposing with NoScript again.

> I rather spend the effort educating newbies

Ignoring the fact that what you are implicitly proposing is impossible,
are you implying that the state of JavaScript use on the Web is
acceptable, and that all you need to do is know how to navigate it? I
completely disagree. I wrote why here:

https://onpon4.github.io/other/kill-js/

To recap, the way JavaScript is silently installed and executed on
people's browsers makes it, practically speaking, impossible to control
what they do. That is unacceptable.

What I'm suggesting here would do nothing to fix that, directly. But it
would work toward solving it by killing JavaScript, because it would
make a browser that doesn't execute JavaScript *convenient* for the
masses, and it would exert a (however small) pressure on Web developers
to stop requiring their superfluous JavaScript code.

-- 
Julie Marchant
https://onpon4.github.io

Protect your emails with GnuPG:
https://emailselfdefense.fsf.org





Re: [Bug-gnuzilla] Suggestion: JavaScript button

2017-01-25 Thread Julie Marchant
> I would personally also file the suggestion to NoScript, uBlock Origin, and 
> uMatrix.

The developer of QuickJava also suggested NoScript, but I don't think
NoScript's infrastructure is capable of handling the task any better
than QuickJava is. NoScript is designed to block scripts based on the
scripts' location, not based on what Web page you are currently looking
at. This makes sense from NoScript's perspective since it's a security
suite, but not particularly helpful for what I'm proposing.

Actually, the closest add-on I can think of is LibreJS, with its
"temporarily allow all scripts" button (or whatever it's called). But I
don't think using LibreJS as a base would be very wise due to the way it
blocks JavaScript being slow and causing rendering errors in some cases.
A new add-on should be developed that blocks scripts in a way more
similar to NoScript, but then allows all scripts on a given page in a
way more similar to LibreJS at the press of a button.

> If it's outside the interest of these projects as well I would likely
> develop it myself if I were in your position.

I don't know any JavaScript or have the time to be learning a new skill
right now. That being said, I am prepared to offer a bounty for a
Firefox add-on that does the job well (i.e. in a reliable way, *not* the
simple but possibly unreliable method I suggested previously). I can
offer $50. Would anyone else like to join me?

-- 
Julie Marchant
https://onpon4.github.io

Protect your emails with GnuPG:
https://emailselfdefense.fsf.org





Re: [Bug-gnuzilla] Suggestion: JavaScript button

2017-01-24 Thread Julie Marchant
On 01/21/2017 07:29 PM, David Hedlund wrote:
> That would be smart. Perhaps QuickJava can implement that feature?
> 
> You can file it to https://github.com/ThatOneGuyDotNet/QuickJava/issues

I gave that a shot, but the answer was no, since it's outside the scope
of what QuickJava is supposed to do.

-- 
Julie Marchant
https://onpon4.github.io

Protect your emails with GnuPG:
https://emailselfdefense.fsf.org





Re: [Bug-gnuzilla] Suggestion: JavaScript button

2017-01-22 Thread Julie Marchant
On 01/22/2017 09:18 AM, awake...@tutanota.de wrote:
> forgive me, but in all seriousness, NoScript literally does exactly that
> if not perhaps even better. that's the "temporarily allow scripts"
> button in NoScript.

That requires you to actively turn JavaScript back off. I'm proposing
that the browser should take care of that for you. So rather than having to:

1. Turn on JavaScript and reload the page
2. Do all your work on that page without loading any new pages
3. Turn off JavaScript

You just do the first step and the browser takes care of everything else.

> also it's a security risk to temporarily allow ALL javascript and
> quickly disable it again because that would take away the user's ability
> to control what happens in that short instant. why in the name of god
> almighty anyone would ever want to create a hole like that is beyond me.

I don't know what you're talking about. Allowing all JavaScript is the
*default* setting on most browsers. I'm proposing making *no* JavaScript
execution the default, and only executing all JavaScript on *particular
pages* when the user requests it.

It has to be all JavaScript requested by the page for it to be
user-friendly. Just accepting a few of them almost always breaks the
page more than completely disabling JS would.

> unbeatable rules: everything disallowed by default, only enable
> specifically what you want to allow, ONLY WHEN you want to allow it. and
> that's how NoScript does it.

NoScript is too complicated for non-technical users, and it isn't
sufficient anyway. It only allows you to control what base URLs scripts
can be loaded from. That doesn't work; just about every site that uses
JavaScript loads at least some of it from an external site, like
ajax.googleapis.com or whatever CDN the site uses.

What I am proposing is a *simple* mechanism to temporarily allow script
execution on designated websites *each time* at the push of a button,
not for technical users, but for general, non-technical users. The user
can simply be told, "some websites require you to push this button, but
only push this button if you absolutely must, because it can be a
security risk". This accomplishes two things:

1. It protects these non-technical users from JavaScript-related attacks
somewhat.

2. It encourages these users to complain to sites that don't work
without JavaScript.

The whole point of this is to encourage people who create websites to
make these websites work without JavaScript, rather than just showing a
blank page. In other words: kill JavaScript. It's a bit of a longshot,
but it would be much easier to do this than to make a browser that
actually makes it possible for users to control JavaScript execution
properly.

-- 
Julie Marchant
https://onpon4.github.io

Protect your emails with GnuPG:
https://emailselfdefense.fsf.org





Re: [Bug-gnuzilla] Suggestion: JavaScript button

2017-01-21 Thread Julie Marchant
On 01/21/2017 06:36 PM, David Hedlund wrote:
> QuickJava can already do this:
> https://addons.mozilla.org/en-US/firefox/addon/quickjava/

No, I wasn't talking about a button to enable and disable JavaScript.
There are tons of extensions that can enable and disable JavaScript;
even QuickJava would be superfluous for that purpose. I was talking
about a button to show the *current page* with JavaScript active, while
otherwise leaving JavaScript disabled, for a limited designated period
of time (probably just until the user navigates away from the page).

Because of the way Firefox handles JavaScript, a Firefox extension
should be able to do this by enabling JavaScript, reloading the page,
and then disabling JavaScript again once the page loads. But that's just
an implementation detail and I don't know for sure that it will continue
to work in future Firefox releases. The important thing is for
JavaScript to be globally disabled, but temporarily allowed on a
particular site at the push of a button.

-- 
Julie Marchant
https://onpon4.github.io

Protect your emails with GnuPG:
https://emailselfdefense.fsf.org
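
The mechanism discussed in this message and in the 2018-02-22 reply above (scripts off everywhere, allowed on one page at the push of a button until the user navigates away) is sketched below as an added example; it is not code from the thread or from IceCat. Instead of toggling the global JavaScript setting as the message describes, it injects a Content-Security-Policy response header, and it assumes a Firefox Manifest V2 extension with the webRequest, webRequestBlocking, tabs and <all_urls> permissions; the function names are hypothetical.

```javascript
// Added example: default-deny script policy with a per-tab, one-page allowance.
const BLOCK_CSP = { name: "Content-Security-Policy", value: "script-src 'none'" };
const allowedPage = new Map(); // tabId -> URL the user pressed the button on

// Fragment changes stay on the same document, so ignore them when comparing.
function pageKey(url) {
  const u = new URL(url);
  u.hash = "";
  return u.href;
}

// Called when the (hypothetical) toolbar button is pressed for a tab.
function allowCurrentPage(tabId, url) {
  allowedPage.set(tabId, pageKey(url));
}

// Decide what to do with one response; returns the headers to deliver.
function filterHeaders(details) {
  const { tabId, type, url, responseHeaders = [] } = details;
  const granted = allowedPage.get(tabId);
  if (type === "main_frame" && granted !== undefined && granted !== pageKey(url)) {
    allowedPage.delete(tabId); // navigated away: the allowance ends
  }
  if (allowedPage.has(tabId)) {
    return responseHeaders; // the page and its frames keep all their scripts
  }
  // An extra CSP header can only tighten the site's own policy.
  return [...responseHeaders, BLOCK_CSP];
}

// Wiring for the browser; skipped when the file is run outside an extension.
if (typeof browser !== "undefined") {
  browser.webRequest.onHeadersReceived.addListener(
    (details) => ({ responseHeaders: filterHeaders(details) }),
    { urls: ["<all_urls>"], types: ["main_frame", "sub_frame"] },
    ["blocking", "responseHeaders"]
  );
  browser.browserAction.onClicked.addListener((tab) => {
    allowCurrentPage(tab.id, tab.url);
    browser.tabs.reload(tab.id);
  });
  browser.tabs.onRemoved.addListener((tabId) => allowedPage.delete(tabId));
}
```

Because scripting stays enabled in the engine and is only blocked by policy, <noscript> fallbacks are not rendered under this approach. A redirect on the allowed page ends the allowance, so the mechanism fails closed.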





[Bug-gnuzilla] Suggestion: JavaScript button

2017-01-19 Thread Julie Marchant
Hey, I just added this suggestion to my old article about JavaScript,
but since I doubt many people see that, I want to share this here too.

My suggestion is to have JavaScript disabled by default, but have a
button that instantly, temporarily allows JavaScript execution on the
current page. The idea behind this is that it would be a lot more
convenient than NoScript, but it would be just inconvenient enough to
have to use JavaScript when that shouldn't be necessary to encourage
users to either use another site or send a complaint. It would also have
a side effect of making the browser much faster in most cases, though,
since all that JavaScript code that Web developers tend to use bogs down
the browser tremendously.

It could be advertised thusly:

* Faster speeds
* No obnoxious ads (only simple text-based and image-based ads work
without JS)
* Better security (makes taking advantage of JavaScript exploits much
harder)

I think that compared to LibreJS: long-term, this would be a better way
to influence Web developers to stop building websites that depend on
JavaScript; and short-term, this would be a better experience for users
(and would therefore make IceCat more attractive).

-- 
Julie Marchant
https://onpon4.github.io

Protect your emails with GnuPG:
https://emailselfdefense.fsf.org





Re: [Bug-gnuzilla] IceCat browser default on Windows 7?

2016-12-29 Thread Julie Marchant
On 12/29/2016 03:25 AM, Daniel Quintiliani wrote:
> IceCat v38 for Windows is the only DRM-free Windows compatible Web browser in 
> existence, unless you count the slow and incompatible Pale Moon or bloated 
> Seamonkey.

That's just not true. There are also several WebKit-based browsers such
as Midori and Qupzilla which run on Windows. Also, Firefox's DRM support
can be disabled.

-- 
Julie Marchant
https://onpon4.github.io

Protect your emails with GnuPG:
https://emailselfdefense.fsf.org





Re: [Bug-gnuzilla] GNU IceCat finally on f-droid.org

2016-04-20 Thread Julie Marchant
On 04/20/2016 05:39 AM, Mart Rootamm wrote:
> Indeed, but the default IceCatMobile UA string is not even remotely
> mobile (Windows 6.1, etc), causing many sites to display a desktop
> design where they should not.

That's why the mobile version of IceCat should copy the user agent
string of a popular mobile browser, like the mobile version of Firefox.

-- 
Julie Marchant
https://onpon4.github.io

Protect your privacy with GnuPG:
https://emailselfdefense.fsf.org





Re: [Bug-gnuzilla] GNU IceCat finally on f-droid.org

2016-04-19 Thread Julie Marchant
On 04/19/2016 06:22 PM, Mart Rootamm wrote:
> One issue is, that IceCatMobile fails to show its own user agent string,
> and uses a UA string of non-free software, which skews server
> statistics. I had to guesstimate the possible IceCat UA string for myself.

That's intentional, and you're subverting a measure designed to protect
your privacy by "fixing" this. Using the same user agent string as
Firefox reduces your fingerprint.

-- 
Julie Marchant
https://onpon4.github.io

Protect your privacy with GnuPG:
https://emailselfdefense.fsf.org


