Page 2 of 3 (results 26 to 50 of 65)
#26 JimmyP
Originally Posted by felgall:
    Most other browsers have that functionality built in. Firefox and IE are the only ones where you need a plugin/extension to be able to turn scripts on and off as required.
    I don't know of any browsers that have built-in protection against XSS (other than basic same-domain-origin restrictions) or click-jacking.
    James Padolsey

#27 (SitePoint Member)
I use NoScript with Firefox to disable JavaScript on all pages until I make them trusted. The added security is really reassuring in my web browsing.

#28 (SitePoint Enthusiast)
Originally Posted by felgall:
    Most other browsers have that functionality built in. Firefox and IE are the only ones where you need a plugin/extension to be able to turn scripts on and off as required.
Try to turn off Google's JavaScript on SitePoint with Opera.
Enjoy turning all of SitePoint's included JS off or going into some submenus to put in some string.
I prefer just using my mouse to open a menu where I can just disable JS by domain in one click for each.

#29 AlexDawson
Originally Posted by JimmyP:
    I don't know of any browsers that have built-in protection against XSS (other than basic same-domain-origin restrictions) or click-jacking.
Well they technically do if you kill all JavaScript, but you are correct, NoScript is a much better solution. It allows you to explicitly target the types of scripting being issued and which sites can run such scripts. Felgall might be correct in theory that having a plug-in could add to exposure, but it should be pointed out that NoScript has a well-established history of fast patching, regular updates and the backing of some highly respected security experts as a better way of controlling scripts on the web, one of whom is Steve Gibson. So personally I would say install and use it rather than turning scripting on and off regularly.

#30 Stomme poes
    And it must certainly be a surprise to those who use the Internet just fine with Javascript turned off.
Yeah, enough that I really notice when a site doesn't work well without JS on. Besides parts of a certain "design" magazine (and commenting systems in general), I notice it on many forms (where the true function of the submit button is lost and JavaScript does all the submitting!) and I still see it a lot on drop-down menus, where the hrefs on the top-level items are "#" and there's no other way to get to the dropdowns' options. Bleh. It seems many bloggities and contact forms rely much too much on client-side filters to save their sorry butts. My three biggest issues with JS are: keyboard is often forgotten, JS is always assumed to be on, and servers/server-side scripting is often not used where it should be (or, reliance on the client when there shouldn't be).
Forums like SitePoint etc work just fine without JS and I haven't found a reason to allow it on here at all. Most bloggities and articles are readable, and most of the time, search functions work (they notably don't on the perldocs site, arg!). Most of the web for me works without JS, but then, I don't go to sites that live off JS and require drag-n-dropness.

    I keep JS turned off on my Linux browsers (and generally leave them on in my Windows browsers for testing) but one thing I like about NoScript is I can allow one script at a time. So, I can allow a site who uses googleapis for going to the next page (terrible practice I know) without turning on the tracker and the 15 other worthless scripts they've piled onto the page.

I do hope that is Opera's next feature, a per-script yes/no ability, like many browsers can do with cookies. I'll take that over extravagance like Unite, Turbo or Links any day : )

    (edit and if it's already got that somewhere, pls pls tell me where it is!)

#31 SpacePhoenix
I've seen sites where the main navigation is done via JavaScript.

#32 felgall
Originally Posted by SpacePhoenix:
I've seen sites where the main navigation is done via JavaScript.
    Obviously such sites don't want too many people visiting the other pages of the site.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

#33 Pullo
Originally Posted by FastLionDesign:
    Security is a big reason javascript is turned off.
Originally Posted by felgall:
    Only by those who don't know better. There is a great deal of security actually built into JavaScript itself - so turning JavaScript off does not actually make your browser any more secure than it is with JavaScript on.
    @Felgall: do you still stand by your comments?
Here is an article detailing a JavaScript vulnerability that could enable a hacker to take over a computer if a surfer visited a compromised website (admittedly only in IE).

    http://www.webuser.co.uk/news/top-st...ble-javascript

#34 Stomme poes
    Psh. And here's why IE users won't. : )

    That and nobody reads that page... if this showed up on the front page of BBC, CNN, or whatever, with more explanation about what the exploit is and how it works blah blah, then possibly some people would do it... and then they'd turn it back on because they want all the functionality of their favourite web sites.

Those of us who keep it off are generally ok with fluff sites not doing all the singing and dancing, because we've only seen the pages like that in the first place.

    But someone using IE who's always had JS on, they have a harder time surfing with it off.

    All the more reason to make sure websites WORK (function) without client-side scripts. Functionality might = behaviour, but I don't believe all behaviour belongs under client-side scripting.

#35 felgall
Originally Posted by Pullo:
    (admittedly only in IE)
    Internet Explorer is the one browser that doesn't support JavaScript.

    Instead Internet Explorer supports JScript and VBScript.

JavaScript is close enough to a subset of JScript to be able to write code using feature sensing to detect and handle the differences, provided that you start with JavaScript and modify it to work as JScript. There are lots of JScript commands that don't have a JavaScript equivalent.

There are a few JavaScript commands that require ActiveX to work as JScript and those are the areas most vulnerable.

You can't disable JavaScript in IE because IE doesn't support JavaScript at all.

The main reason for disabling JScript is with IE6, where there are a lot of vulnerabilities in ActiveX and so you really ought to disable ActiveX when using that browser so as to plug hundreds of known security holes. If you do that then you get an alert that ActiveX is disabled every time you load a page unless you also turn off active scripting to disable JScript and VBScript. Most of those ActiveX vulnerabilities were fixed in IE7.

    The only browser where client side scripting is a potential security issue is Internet Explorer and that is the one browser where people are least likely to turn off scripting as it is the browser that tends to be most used by people who are least aware of those issues since the easiest way to fix the security issues in old versions of IE is to switch to a different browser.

    Since running JavaScript in a modern browser does not have security issues, security is not a reason for disabling JavaScript.

#36 AlexDawson
Agreed, when IE talks about "Active Scripting", it's talking about its ActiveX components (including its support for VBScript) rather than its own implementation of JavaScript (JScript). Whereas JavaScript (as properly implemented) is sandboxed in such a manner that it cannot affect anything outside of the browser, and what it can affect within the browser is seriously limited, Internet Explorer (in Microsoft's wisdom) has no such sandboxing in effect: apart from its default security measures, VBScript and ActiveX are granted complete access to your computer from the point of execution, to the point of having full user control. This is dangerous if you're running as an administrator because it essentially gives the browser "superuser" control. I don't use IE as my default browser and I always have Active Scripting disabled within it because it's simply too poorly implemented and dangerously cavalier about what scripts can do.

#37 Mittineague
    Ditto. The only thing I use IE for is to test my own web pages. I don't even use it for my hotmail account any more.

#38 Stomme poes
Originally Posted by AlexDawson:
I don't use IE as my default browser and I always have Active Scripting disabled within it because it's simply too poorly implemented and dangerously cavalier about what scripts can do
Is this different than "setting security settings to High", which seems to stop any scripts from running when I test pages? It doesn't say anything about ActiveX, which I do not write on my pages and do not test for (though I assume it disables that too).

    I leave it (scripts) on in my IE's, but they're either on someone else's machine (work machine, I don't care what nasties live in there) or on my Virtual Box, which is simply a separate operating system and has no access to my OS.

#39 Pullo
    Hi,

    So, I'm just wondering about this, as this is genuinely a subject that has interested me for quite a while.

Originally Posted by felgall:
    The only browser where client side scripting is a potential security issue is Internet Explorer
    ...
    Since running JavaScript in a modern browser does not have security issues, security is not a reason for disabling JavaScript.
A quick Google search for "javascript vulnerability firefox" turns up 366,000 results. The first site (at least on google.de) is mozilla.com, which informs us:
    A bug discovered last week in Firefox 3.5’s Just-in-time (JIT) JavaScript compiler was disclosed publicly yesterday. It is a critical vulnerability that can be used to execute malicious code.
It goes on to say that the vulnerability can be mitigated by disabling the JIT in the JavaScript engine. Another site reporting the same vulnerability also recommends using the NoScript add-on to achieve the same thing.

    Again, you can argue that it's not JavaScript that is insecure, rather the JIT compiler. The point remains that one is better protected if one has the noscript extension enabled.

    I would be glad to hear people's thoughts on this.

#40 Stomme poes
Last I read (I admit this was a while ago now), NoScript was the only known browser feature or extension that could protect or warn against clickjacking. I wouldn't doubt though that by now there was something similar people could get for IE...

#41 felgall
Originally Posted by Pullo:
    The point remains that one is better protected if one has the noscript extension enabled.
Have you checked up on how many thousands of security holes the NoScript extension has in it? There are probably lots of holes in that code just waiting to be discovered as well.

Are you sure you have the genuine NoScript extension installed and not a malicious copy that deliberately creates vulnerabilities?

Turning off JIT to protect against a bug in it is a far superior solution to turning on something else which itself can also contain bugs.

Anyway, bugs in Firefox are no more a reason for abandoning JavaScript than bugs in IE would be; just switch to a better browser that doesn't have all those bugs.

#42 Pullo
Originally Posted by felgall:
Have you checked up on how many thousands of security holes the NoScript extension has in it?
....
Are you sure you have the genuine NoScript extension installed and not a malicious copy that deliberately creates vulnerabilities?
Man, what have you got against this extension?
To suggest it has thousands of security holes is simply hyperbolic.
You can install it via Mozilla's official add-on website, so if you can't trust that, you can't trust any other add-on for FF.
Plus, if you visit the NoScript site you can see that it is endorsed by various JavaScript advocates as well as the Chief Security Officer at Mozilla.
Losing battle perhaps?

#43 AlexDawson
Originally Posted by felgall:
Have you checked up on how many thousands of security holes the NoScript extension has in it? There are probably lots of holes in that code just waiting to be discovered as well.
I'm starting to think you have some kind of vendetta against the NoScript team as well. Claims about the security of a plug-in or application should be made solely on factual information, not conjecture. Granted, you have a valid claim that plug-ins can have flaws which could be taken advantage of; however, to state that NoScript has thousands of flaws (as you said "how many" without "potential") without backing up the claim tends to make you seem a little biased. I've yet to see any evidence to suggest having NoScript will make you any less safe than not using it; in fact everything I've read seems to show the complete opposite. There's a good reason why security experts recommend NoScript: it offers a barrier of protection which is (granted) not as tight as turning off scripting entirely, but it does serve a valid purpose and does reduce the chances of client-side "bad" scripting being invoked.

#44 felgall
Originally Posted by AlexDawson:
    I'm starting to think you have some kind of vendetta against the NoScript team as well,
My argument all along has been that a facility integrated into the browser is more likely to be secure than one that requires an extension or plugin.

I am not meaning to suggest that the NoScript extension is insecure, just that if you want that option then you are better off with a browser that has that feature built in rather than one that requires an extension to supply it.

Where you have lots of extensions added to the browser (as you need in order to turn Firefox into a usable browser) then there is no way of telling if a combination of the particular extensions you have chosen has introduced a security hole that isn't there unless a group of extensions are all installed together. It could be a matter of removing any one of the 50 or so extensions you have installed and the security hole goes away.

So there is no real way of telling that because someone has extensions ABC, DEF, GHI, JKL, MNO, PQR, STU, VWX, YZA, BCD, EFG, HIJ, KLM, NOP, QRS, TUV, WXY, and ZAB all installed in their copy of Firefox that they don't have a security hole created by those extensions in combination that anyone with a different combination of extensions doesn't have.

Where the browser supports the option without needing extensions it is far easier to test as everyone is running the same combination.

Anyway, with the JIT security hole mentioned the best solution (assuming you want to stick with Firefox rather than switch to a better browser) would be to upgrade to the more recent version of Firefox that fixes it. The second best solution would be to turn off JIT. There is nothing about that security hole that requires turning off JavaScript completely.

#45 Stomme poes
    There was that squabble about NoScript interfering with the AdBlockPlus addon : )

    Other than that, I'm pretty happy with NoScript. Again, I cannot say Yes No Yes No No to individual scripts directly via the browser itself, nor can I say Yes and No to particular domains! Otherwise, I would just have JS turned off completely in FF (in the way I have it completely off in Opera and Konqueror and Epiphany).

I don't believe it's secure when you must turn on ALL scripts, this includes the crap, just to make something (like a menu) work on a page (yesh, we all agree the page should work anyway, but you know, anyone can be a code monkey and build a website like that steaming pile of Movember...)
There's a good example. I should be able to choose which scripts on Movember I turn on just to get the site to actually work without needing to let everything else in.

    It is true that plugins, like widgets, are coded by different people and they're not all well-coded. That and the bloat on FF is a reason not to have many FF extensions in the first place.

#46 Pullo
    Felgall,

A simple phishing attack which works with JavaScript enabled, and doesn't work with JavaScript turned off. The page is only a demo and won't harm your computer in any way.

    http://www.azarask.in/blog/post/a-ne...ishing-attack/

#47 Stomme poes
    Awesome link.

Except I had to turn on JavaScript to see the freakin' comments, and to see the comments meant if I didn't keep touching the scrollbar, the stupid Gmail thing would appear. Arg. Annoying.

Still, this is scary to me:
The Fix

This kind of attack once again shows how important our work is on the Firefox Account Manager to keep our users safe. User names and passwords are not a secure method of doing authentication; it's time for the browser to take a more active role in being your smart user agent; one that knows who you are and keeps your identity, information, and credentials safe.
No way. I specifically do not allow my browser to store my passwords. I try not to let it store my history. I don't let it (or Google for that matter) suggest URLs as I type into my address bar. This is because I believe a browser should be a stupid barrier between me and a site. So this idea that FF4 will have a session manager is going too far for me. A browser that knows your underwear size is a liability when it gets compromised, and so long as it's being asked to run all sorts of scripts (Java is coming back, and Ruby has been taking steps in client-side), it's not secure.

    Seriously, I want the NoScript guys to include other browsers, pleeeease. And WebVisum. And a few other things.

#48 Pullo
Originally Posted by Stomme poes:
    Awesome link.
    Yeah, spooky, innit?

Originally Posted by Stomme poes:
    Java is coming back, and Ruby has been taking steps in client-side
    That sounds interesting. What steps has Ruby been taking client-side? Do you have a link or something where I could read up on that?

Originally Posted by Stomme poes:
    Seriously, I want the NoScript guys to include other browsers, pleeeease.
    Show me where to sign and I'm there. NoScript is one of the main things that has kept me using FF.

#49 felgall
Originally Posted by Pullo:
    A simple phising attack
    Which relies on your not paying attention to what is in your address bar. GMail is not located at http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/ which was what my address bar still read when I finally managed to force the script to activate (note I said force as I swapped back and forth a number of times before I finally managed to satisfy its trigger condition). Also the favicon remained unchanged.

    You could achieve almost the same thing without JavaScript using a meta redirect to a separate page.
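The two posts above disagree about what the linked demo proves, but they agree on the one thing it cannot forge: the origin shown in the address bar. The "smart user agent" the article's Fix section asks for already exists in one narrow form, a password manager that binds each saved credential to an origin and fills it only on a page served from that origin, with a form that posts back to it. As an added example (not code from the thread, from the linked article or from the Firefox Account Manager), the Node.js script below implements that decision. The credential store, the origins and the form actions are constructed for the demo; `URL` is the standard WHATWG class Node provides.

```javascript
'use strict';
// Added example, not from the thread: the origin check a credential-holding user
// agent (a password manager) makes before filling a saved login. A page can be
// redrawn to look like any site, but the origin it was loaded from cannot be
// faked from inside the page, so the check keys on that. Runs on Node.js.

// Constructed sample store: credentials keyed by the origin they were saved for.
const savedCredentials = [
  { origin: 'https://mail.google.com', username: 'alice@example.com' },
  { origin: 'https://bank.example', username: 'alice' },
];

// Resolve a form's action against the page URL, as the browser does on submit.
// An empty action means "submit to the current page".
function resolveAction(pageUrl, action) {
  return new URL(action, pageUrl);
}

// Decide whether a saved credential may be filled into a login form on pageUrl.
// Returns { fill, username, reasons }; every refusal carries a reason so the user
// agent can explain itself instead of silently doing nothing.
function autofillDecision(pageUrl, formAction, store = savedCredentials) {
  const page = new URL(pageUrl);
  const target = resolveAction(pageUrl, formAction);
  const reasons = [];

  const match = store.find((c) => c.origin === page.origin);
  if (match === undefined) {
    // The page may look like a site we know, but it is not served from its origin.
    reasons.push(`no credential saved for ${page.origin}`);
  }
  if (target.origin !== page.origin) {
    // A form that posts elsewhere would hand the credential to another origin.
    reasons.push(`form submits to ${target.origin}, not ${page.origin}`);
  }
  if (page.protocol !== 'https:' || target.protocol !== 'https:') {
    // Without TLS the credential can be read or replaced on the wire.
    reasons.push('credential would travel without TLS');
  }

  return {
    fill: reasons.length === 0,
    username: match === undefined ? null : match.username,
    reasons,
  };
}

module.exports = { autofillDecision, resolveAction, savedCredentials };
```

A look-alike login page on another origin gets no credential at all, and a genuine page whose form has been pointed at a collector gets a refusal naming the foreign origin; neither outcome depends on what the page looks like or on whether a script has rewritten it since it loaded.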

#50 Pullo
    Hmm, don't know what to reply to that.
    I should've expected that kind of reply though.

