Firefox 23 Makes JavaScript Obligatory 778
mikejuk writes "It seems that Firefox 23, currently in beta, has removed the option to disable JavaScript. Is this good for programmers and web apps? Why has Mozilla decided that this is the right thing to do? The simple answer is that there is a growing movement to reduce user options that can break applications. The idea is that if you provide lots of user options then users will click them in ways that aren't particularly logical. The result is that users break the browser and then complain that it is broken. For example, there are websites that not only don't work without JavaScript, but they fail in complex ways — ways that worry the end user. Hence, once you remove the disable JavaScript option Firefox suddenly works on a lot of websites. Today there are a lot of programmers of the opinion that if the user has JavaScript off then its their own fault and consuming the page without JavaScript is as silly as trying to consume it without HTML."
Javascript can still be disabled (Score:5, Informative)
They just removed the easy way to turn it off to prevent simple mistakes. You can still turn it off behind about:config or with extensions for those that need it.
The option is not removed. (Score:5, Informative)
(atleast in nightly) Its just hidden, you can still enable/disable javascript in the about:config menu and addons like noscript still work.
Re:Solution in extensions (Score:5, Informative)
Re:why? (Score:3, Informative)
One of the main reasons I switched to Firefox in the beginning was because they seemed to understand that NOT doing something stupid was preferable to layers and layers of patches for the stupidity.
IE had ActiveX and such. It was stupid. It was a security issue. It was almost impossible to avoid.
Firefox avoided the entire security issue by allowing functionality to be disabled. While you cannot be 100% certain that XYZ feature had no security issues (or even that there were security issues) you knew that disabling it rendered the question moot.
If your site requires JavaScript or Flash or whatever then I can temporarily enable them just for your site if you can convince me that the risk is worth your content.
Re:why? (Score:5, Informative)
Yes.
Javascript is supposed to be sandboxed in all modern browsers, but that doesn't make it perfect. All the serious vulnerabilities I've seen over the past few years exploited the sandbox, and therefore required javascript to work.
Also there is private information WITHIN the browser. Being inside the sandbox, that information is thus provided to websites.
For example:
Browser fingerprinting, using your installed fonts, screen resolution, etc. http://panopticlick.eff.org/ [eff.org]
Mouse pointer tracking with javascript: http://jsbin.com/ufupol/98 [jsbin.com]
Capturing information entered into forms and then deleted before submitting: various analytics tools
Here's a random analytics provider I found on Google (There were plenty of others):
We capture every mouse move, click, scroll and keystroke, by using a tiny piece of JavaScript copied into your website. The whole process is completely transparent to the end user, and has no noticeable effect on your site performance.
http://www.clicktale.com/products/mouse-tracking-suite/visitor-recordings [clicktale.com]
No, it doesn't (Score:2, Informative)
Re:why? (Score:5, Informative)
Now this furore is a little silly.
Hey! Word to the wise: about:config I doubt the feature is actually removed...
I assume that this is a UI change and that Mozilla is removing a button, that caused a greater cost to support, than justify with benefit.
Really, the advanced web user, who is judicious about enabling script, can opt for a plugin, if they want a button.
Not according to my button plugin [blogspot.com] of choice's author. He indicates it is a change in the API that will make his plugin inoperable.
Google doesn't "freely give" away information. (Score:5, Informative)
I've got no problem with your browser choice -- if you want to use Mozilla over Chrome, or IE over Firefox, hey, that's your call. But don't misrepresent the situation.
Google and Yahoo both pushed back hard against the NSA's programs. Yahoo went to court over it. You know what the court said? "Obey."
So what could Google do? You can't run an advertising business without having some information on your users. You can't run an email service without having access to the accounts. Yes, I suppose Google could have theoretically attempted to create a business in which everyone it served were direct customers of encryption services it provided (while explicitly saying that it couldn't decrypt traffic). Maybe that works for a startup, but you can't exactly transition a multi-billion dollar corporation to a direct customer model to avoid the NSA -- especially when you are legally prohibited from acknowledging that the NSA even spoke to you.
More than one of the companies that participate in Prism were forced to do so.
Re:why? (Score:5, Informative)
Not to mention it has the nice side effect of saving CPU cycles and preventing web pages from going unresponsive. I tend to enable JavaScript (since disabling it breaks too many sites) but I don't allow it to do anything outside of the web page with the browser itself (manipulate windows or context menus). Of course, none of this really matters, because I've been running NoScript for a few years now and the only sites that are ever allowed to run scripts are the ones I specifically allow to do so.
noscript (Score:4, Informative)
Anyone writing a javascript application should know to add a <noscript> tag to the page embedding the scripts.
<noscript><p>This page is built using Javascript, but it seems that you have Javascript disabled on your browser. Please enable Javascript and refresh this page to continue.</p></noscript>
I think that's a much more robust approach. The user understands what's going on, and you don't have to rely on every browser preventing Javascript from being disabled.
Re:why? (Score:5, Informative)
IE had ActiveX and such. It was stupid. It was a security issue. It was almost impossible to avoid.
Mozilla Gecko (the framework Firefox is built on) makes extensive use of XPCOM, which is functionally equivalent of ActiveX in every way, except that it works outside of Windows.
Some Firefox plugins are ... XPCOM objects.
XPCOM has been at the core of the Firefox design as long as I've seen the source (I was embedding gecko into apps in my former life, at least 7 years).
You have absolutely no idea what so ever what ActiveX is, nor do you have any idea what the actual problem with IE was that resulted in so many ActiveX related exploits.
ActiveX is a self describing plugin system which allows an application to load and potentially use a plugin without any prior knowledge, EXACTLY like XPCOM in Firefox. Again, they are 100% functionally the same.
Internet Explorer had retarded defaults (allow any unsigned activex to install without asking) to begin with, then those were 'fixed', and then the install without prompting exploits started, so malicious sites would install activex controls without your consent ... and then ... we also have to deal with all activex controls which were installed with improper ActiveX safety flags.
The safety flags were 2 flags set aside to allow an ActiveX control to say 'hey, I'm safe to use in Internet Explorer' and 'I'm safe to allow any random website to use me in IE!'. The morons in the Excel team (as one example) would, out of ignorance, flag all of their controls for Excel as safe for IE/safe for scripting ... so IE thought it was perfectly acceptable to load a control that will read and write random files on the drive. Every time a Windows Update patch for 'ActiveX killbits' comes out ... this is what they are talking about, changing the OS to ignore controls flagged as safe when they are known not to be.
Mozilla has no such support for flagging controls as safe for browser/safe for scripting. It tries to pretend it is an uncrossable barrier, but that is in fact no way the case.
So any time an 'ActiveX' issue comes up, you should be aware that it wasn't an ActiveX problem, it was an Internet Explorer implementation of ActiveX, and other developers bad code that was exploitable.
You really can't 'exploit' ActiveX any more than you can 'exploit' DLL or SO. You can exploit bad implementations of the loader.
Imagine if Firefox allowed web page scripting to automatically install Firefox plugins. Would you blame XPCOM then? Thats what you do when you blame ActiveX.
Finally, it makes you look fucking stupid when you blame ActiveX. All you do is make it clear that you don't actually know what the problem was, let alone understand what it was. You just sound like an ignorant drama queen.
Re:why? (Score:5, Informative)
the NSA more or less demanded google hand it over. Google has done more than most companies to fight NSA seizure of their data.
more than microsoft, who after aquiring skype centralized the protocol, and put a back door in it.
Re:why? (Score:5, Informative)
Flashblock (and to a lesser degree, AdBlockPlus) is excellent for reducing CPU usage.
Re:why? (Score:5, Informative)
Not to nitpick either, but they're both.
When people can track what you are doing while sitting in front of the computer, it's a VERY BIG security issue.
Yes, JS is scary, but that bit of marketingspeak is a bit over the top: they can't see *every* click/keystroke/etc; just the ones that involve interacting with their site content. And, if you have to worry about them watching you use their site, you hopefully will leave before giving them any important information anyway.
Re:why? (Score:5, Informative)
I uninstalled NoScript years ago because of weird failures even with whitelisting. Essentially, I had to whitelist so much that NoScript became pointless.
Re:Agreed (Score:5, Informative)
There is ZERO chance I'm going to use a browser which doesn't allow me to default JS to being disabled. NoScript is also FAR advanced beyond other similar tools, so it would REALLY SUCK to have to use Chromium's lame equivalent, but I will if it is the only choice. At least in other respects Chromium is pretty good.
In what ways is NoScript more advanced than ScriptSafe?
Besides some "minor" features first introduced by NoScript, which advanced the state of the art of browser security (such as the most effective in-browser XSS filter [noscript.net], the ClearClick anti-Clickjacking technology [noscript.net] and the Application Boundaries Enforcer [noscript.net] module), NoScript holds a modest advantage over all its Chrome-based "clones": basic script blocking which actually works [informaction.com] ;)
Re:Solution in extensions (Score:4, Informative)
Just sharpen the tip of the tines so they shine. You thought rusty was scary, but rusty but recently sharpened? That gives you a whole extra level to work with.
Re:why? (Score:5, Informative)
Are there still security issues with having JS enabled?
Fresh from the summary of the upcoming BlackHat talk by Jeremiah Grossman, A Million Browser Botnet [blackhat.com]:
With a few lines of HTML5 and javascript code we’ll demonstrate just how you can easily commandeer browsers to perform DDoS attacks, participate in email spam campaigns, crack hashes and even help brute-force passwords. [...] no zero-days or malware is required. Oh, and there is no patch. The Web is supposed to work this way.
Re:why? (Score:4, Informative)
I tend to enable JavaScript (since disabling it breaks too many sites) but I don't allow it to do anything outside of the web page with the browser itself (manipulate windows or context menus)
You don't do anything, that's by design.
Firefox 22, by default, allows JavaScript to do those things [mozilla.org].
Re:why? (Score:3, Informative)
Not according to my button plugin [blogspot.com] of choice's author. He indicates it is a change in the API that will make his plugin inoperable.
According to the author's bug report [mozilla.org], it's just an API change that he will need to update the extension to use. I don't see anything about the facility to turn off javascript being removed.
Re:why? (Score:4, Informative)
They're talking about removing that functionality.
Where? I read pretty much everything related to this.
Some clarifications:
- This preference is still available in about:config.
- There are add-ons such as NoScript or SettingSanity that will do what you want with more easily accessible UI.
Note that the capability to enable/disable JavaScript easily will return in Firefox 24’s developer tools.