I’ve long regarded JavaScript in the browser as one of the biggest security holes in web browsing, and at the same time the Internet works less and less well without it. In 2008 Joel Spolsky made the observation that for some people the Internet is just broken:
Spolsky: Does anybody really turn off JavaScript nowadays, and like successfully surf the Internets?
Atwood: Yeah, I was going through my blog…
Spolsky: It seems like half of all sites would be broken.
Which is not wrong. Things have changed in the last five years, and now the Internet is even more broken if you’re not willing to do whatever random things the site you’re looking at tells you to, and whatever other random sites that site links off to tell you to, plus whatever their JavaScript in turn tells you to. This bugs me because it marginalizes the vulnerable (the visually impaired, specifically), and is also a gaping security hole. And the performance drain!
Normally I rock with JavaScript disabling tools as part of my tin-foil-hat approach to the Internet, but I’m now seeing that the Internet is increasingly dependent on fat clients. I’ve seen blogging sites that come up empty, because they can’t lay out their content without client-side scripting and refuse to fall back gracefully.
So, I need finer granularity of control. Part one is RequestPolicy for Firefox; its closest Chrome counterpart, though not as fine-grained, is Cross-Domain Request Filter for Chrome.
The extensive tracking performed by Google, Facebook, Twitter et al. gives me the willies. These particular organisations can be blocked by ShareMeNot, but the galling thing is that the ShareMeNot download page demands JavaScript to display a screenshot and a clickable graphical button – which could easily have been implemented as an image with a href. What the hell is wrong with kids these days?
Anyway, here’s the base configuration for my browsers these days:
Firefox | Chrome | Reason |
---|---|---|
HTTPSEverywhere | HTTPSEverywhere | Avoid inadvertent privacy leakage |
Self Destructing Cookies | “Third party cookies and site data” is blocked via the browser’s Settings, manual approval of individual third party cookies. | Avoid tracking; StackOverflow (for example) completely breaks without cookies |
RequestPolicy | Cross-Domain Request Filter for Chrome | Browser security and performance, avoid tracking |
NoScript | NotScripts | Browser security and performance, avoid tracking |
AdBlock Edge | Adblock Plus | Ad blocking |
DoNotTrackMe | DoNotTrackMe | Avoid tracking – use social media when you want, not all the time |
Firegloves (no longer available), could replace with Blender or Blend In | | I’ve had layout issues when using Firegloves and couldn’t turn it off site-by-site |
Heh. Ain’t it the truth…
For example: Slashdot is broken on my stock Android browser (without JavaScript). You can only view the blurbs on the first page, no article content (if that’s the word for a Slashdot article) or any page past the first.
Serious – _text_ content that can’t be read without JavaScript? I just can’t bring myself to enable (risk) it for something that trivial.
It’s a big internet, I don’t need them, it’s the other way around….