
How do you browse, though, given that the vast majority of modern websites make use of JavaScript?



The vast majority of modern websites use JavaScript for trivial purposes. Like adding advertising, or auto focusing on fields. Most of them still work fine without JavaScript.

Some bits of github don't work unless you enable JavaScript, but most of it does. So I only enable it when I'm using those bits.

I also make sure I log out of github before I start browsing other websites.


I have a very warped model of browser usage, which in practice has translated to using:

* IE for two banks
* firefox+adblock for gmail, github and chesscube
* chrome for facebook
* opera for everything else, which includes HN.

Just looking back at that list makes it seem even more terrible than it actually is :(


With noscript, browsing still works fine, you just have to explicitly allow the javascript you want/need rather than allowing just any site to execute code in your browser.


... so if I want to XSS you, I just have to do it on a site that requires JS to function.

Don't get me wrong, I can appreciate reducing your attack surface... but noscript just doesn't seem like that great of an idea, still.


No, even when you do allow a site to run JS, NoScript includes additional XSS, XSRF, and "click-jacking" protections that aren't normally offered by Firefox.


noscript is per-source, so you can whitelist their <script> blocks and jquery.js, but that random javascript in an onmouseover in a forum comment will do nothing.


Maybe it's been a while, but I thought that NoScript was per-domain. In the event of an XSS, the JavaScript may be included from the page's domain. NoScript wouldn't help you here. IIRC, NoScript wouldn't say, "Hey this script wasn't here the last time you visited this domain, do you want to allow it?"
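The two comments above disagree about what a per-source allowlist buys you. The following is an added example, not code from the thread or from NoScript itself: a toy model of a per-origin script allowlist run over a constructed forum page. It assumes a hypothetical origin `https://forum.example`, a `blockInline` switch that stands in for the stricter "external files only" mode, and regex-based extraction that is only good enough for the sample markup.

```javascript
// Classify every place a page can run script: external <script src>,
// inline <script> bodies, and on* event-handler attributes.
// (Regex extraction is adequate for the constructed sample only.)
function extractScriptSources(html, pageOrigin) {
  const found = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (src) {
      found.push({ kind: 'external', origin: new URL(src[1], pageOrigin).origin });
    } else {
      found.push({ kind: 'inline', origin: pageOrigin });
    }
  }
  const handlerRe = /\son[a-z]+\s*=\s*["'][^"']*["']/gi;
  while ((m = handlerRe.exec(html)) !== null) {
    found.push({ kind: 'handler', origin: pageOrigin });
  }
  return found;
}

// Apply a per-origin allowlist. With blockInline=true only external files
// from allowed origins run, which is the policy the comment above describes;
// with blockInline=false an allowed origin runs everything on its pages.
function evaluatePolicy(sources, allowedOrigins, blockInline) {
  return sources.map(s => ({
    ...s,
    runs: allowedOrigins.includes(s.origin) && !(blockInline && s.kind !== 'external'),
  }));
}

// Constructed sample page (hypothetical origin): the site's own jQuery, an
// event handler inside a user comment, and a script an attacker managed to
// get served from the site's own origin (the case the reply above worries about).
const PAGE_ORIGIN = 'https://forum.example';
const SAMPLE_HTML = `
<script src="https://forum.example/js/jquery.js"></script>
<div class="comment"><span onmouseover="doSomething()">hover me</span></div>
<script src="https://forum.example/uploads/injected.js"></script>
`;

// Returns the per-source verdicts for the sample page under the chosen mode.
function analyzeSample(blockInline) {
  const sources = extractScriptSources(SAMPLE_HTML, PAGE_ORIGIN);
  return evaluatePolicy(sources, [PAGE_ORIGIN], blockInline);
}
```

Under the strict mode the comment's inline handler is refused, but the injected file from the already-trusted origin still runs, which is exactly the gap an origin-based allowlist cannot close on its own.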


Fair enough. Seems like a whole lot of effort for very little gain.


The main gain is that you no longer have to worry about getting hit by this class of attack whilst browsing as normal. XSS attacks are happening all the time, even on major websites run by extremely clever techies. You think that is very little gain. To me, that gain is worth the hassle of having to manage NoScript. There is also a positive secondary benefit in that most websites which don't require js to work will run a little faster with NoScript enabled.


I'm sure my opinion will change as soon as one of my accounts is compromised. Since it hasn't happened yet, it's basically off my radar.

Humans are quite irrational sometimes...


You might be right. I was personally hit by a Twitter XSS once. The only reason I enabled JavaScript on twitter.com was because you can't (or at least couldn't) post new items without enabling it first.

I don't use the twitter.com website any more, preferring to use clients that don't run JavaScript. Whenever I can use something other than a web browser to access a service, I will take that path. I use NoScript when that isn't an option.

I also found (and reported responsibly) an XSRF flaw in Linode.com a few months back that I believe has now been fixed. That was quite a dangerous one. I also found an XSS flaw in DuckDuckGo a few weeks back. Maybe this is the reason I'm so "paranoid" about JavaScript. Maybe I'm right to be.



