JavaScript - Good Reasons to Disable it

Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
JavaScript - Good Reasons to Disable it - topic here ..

What – no Javascript? : on Web Matters sbpoley.home.xs4all.nl by Stephen Poley : http://sbpoley.home.xs4all.nl/webmatters/whatnojs.html

'Among the reasons for disabling Javascript are the SECURITY reasons:

'Internet Explorer is riddled with security holes, many of them related to Javascript. Experienced security consultants not infrequently recommend that users of IE should always disable Javascript. True, users of browsers such as Opera and Firefox, which have a pretty good reputation on the security front, don’t have to worry quite so much about this. But why take chances unnecessarily?
People have for example been stung with enormous telephone bills – €1000 or more – due to illicit dialing software surreptitiously installed on their systems by web-sites. Even if the security holes which enable this sort of operation are not in Javascript itself, Javascript can be used as a tool to exploit security holes elsewhere.' ..

..'So if you are browsing the Web, there are reasons aplenty to disable Javascript, particularly when visiting unfamiliar sites.

And if you are authoring a site, and make it unreadable without Javascript, you are shooting yourself in the foot.'
 

Ramblin

Level 3
May 14, 2011
1,014
Disabling JavaScript is a good practice. I disable it on all sites with NoScript and enable it only where I really need it.

I found this interesting test a few days ago. Read the information at the bottom of the page. If JavaScript is disabled by NoScript, the POC doesn't work. If JavaScript is enabled, it works.

http://boomer.neohapsis.com/searchbox/index.html

Bo
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Do the benefits of JS outweigh the negatives?

AFAIK, all software is a SECURITY risk, and increased when connected to the World Wide Web (aka Internet).

Edit: Disabling all JS has a negative effect when web browsing, surely. I think I'll leave mine enabled.

Edited
 

ultradolby1

New Member
Verified
Nov 8, 2012
50
...when all this hoo-haa came out about Java, & all its vulnerabilities earlier this year, I did a lot of research on my own. A lot of IT websites, & forum postings suggested disabling it if not entirely getting rid of it, & uninstalling it if you don't need it. I didn't know, I always thought I did because it came with the computer pre-installed & it was just always there. But don't be confused - Java & Javascript are not the same thing - but anyways, I tried disabling it in my browsers, and, after a month, no ill effects - so I uninstalled it - again, no ill effects, & that was 3 months ago. I don't do any gaming or online banking or, apparently, anything else, or, have any programs & apps that need it (hence the "no ill effects"). Soooooooooo, unless you know you need Java, I would recommend uninstalling it, & try running without it for awhile. If something doesn't work, you can always download & reinstall it again. The fringe benefit of that is you will have a fresh version free of the junk that gets left behind by repetitive patching & updating - works for me...
 

HeffeD

Level 1
Feb 28, 2011
1,690
Earth said:
Do the benefits of JS outweigh the negatives?

I believe so. Disabling Javascript breaks a great deal of the internet.

If you're not visiting questionable sites, it's a pretty safe bet that the majority of the scripts you're going to be encountering are locally hosted navigation type scripts. These are harmless, and often beneficial to site functionality. I'm going to guess that even if you visit questionable sites, well over 90% of the scripts you'll encounter are completely harmless.

The real issue with reputable sites is the externally hosted scripts like ad networks that the site owners have no control over. Not to mention that even infections from external scripts are quite rare.

I choose to use an AdBlock Plus filter for any third-party scripts instead of the kneejerk reaction of completely disabling Javascript. (Either through the browser or with NoScript) This way locally hosted scripts work just fine, but any external scripts are blocked.

I think this is a nice balance of usability and security. Websites requiring Javascript work just fine and I'm protected from possible infections from externally hosted scripts.
 

Ramblin

Level 3
May 14, 2011
1,014
Earth said:
Do the benefits of JS outweigh the negatives?
To me, the benefits of disabling JavaScript outweigh any negatives. In my case, there are none.

Not only am I safer, webpages are cleaned out of jumping ads and stuff that is distracting. By blocking those distractions, I am able to focus on what I am doing.

Pages also open faster and in my case, the internet is more enjoyable because I block JavaScript. To me, NoScript is a wonderful program that is really easy to learn and get used to. Most of you know how I feel about SBIE, I feel the same way about NoScript.

Bo
 

illumination

bo.elam said:
Earth said:
Do the benefits of JS outweigh the negatives?
To me, the benefits of disabling JavaScript outweigh any negatives. In my case, there are none.

Not only am I safer, webpages are cleaned out of jumping ads and stuff that is distracting. By blocking those distractions, I am able to focus on what I am doing.

Pages also open faster and in my case, the internet is more enjoyable because I block JavaScript. To me, NoScript is a wonderful program that is really easy to learn and get used to. Most of you know how I feel about SBIE, I feel the same way about NoScript.

Bo

I have to agree fully with this. I use Noscript and Request Policy together, gives me great control as well as the pages loading faster.
 

HeffeD

Level 1
Feb 28, 2011
1,690
bo.elam said:
To me, NoScript is a wonderful program that is really easy to learn and get used to. Most of you know how I feel about SBIE, I feel the same way about NoScript.

The biggest problem I have with NoScript is its author. From the way he's interfered with both the AdBlock Plus and Ghostery extensions, he's definitely not a guy I trust. Definitely not the behavior I'd expect from the author of a self-purported security extension.
 

Gnosis

Level 5
Apr 26, 2011
2,779
I killed JAVA a while back, and NoScript is deactivated on this PC. It's a two-for-one sale.
 

Littlebits

Retired Staff
May 3, 2011
3,893
I believe some of you are confusing Javascript with Java Runtime apps, they are not the same.

Javascript is a programming language included within all browsers (you can't remove it but can block Javascripts with NoScript and many other methods according to which browser you are using).

Java Runtime must be installed separately to run web apps that need Java Runtime. Some users will never need Java Runtime where other users will need it to run their programs.

If you uninstall Java Runtime, your browser will still use Javascripts unless you have manually disabled them with an extension or other method.

Enjoy!!:D
 

illumination

HeffeD said:
bo.elam said:
To me, NoScript is a wonderful program that is really easy to learn and get used to. Most of you know how I feel about SBIE, I feel the same way about NoScript.

The biggest problem I have with NoScript is its author. From the way he's interfered with both the AdBlock Plus and Ghostery extensions, he's definitely not a guy I trust. Definitely not the behavior I'd expect from the author of a self-purported security extension.

Did a little research on this..

Wladimir Palant "Author of Adblock Plus" pointed out that this filterset kept being re-added on each startup even though it was deleted by the user, but this was likely just an unintentional bug, since the whitelist could still be disabled permanently and/or overridden by the user's own blocking filters as explained in NoScript's FAQ

NoScript update (version 1.9.2.6) completely removed the Adblock Plus whitelist, and public apologies were given on the release notes page for having modified Adblock Plus' behavior without asking users' consent in advance. On May 4, 2009, in a long blog post, NoScript's author personally apologized for the initial obscure approach, recognizing it had been a breach of trust and declaring his contrition. He also explained that the Adblock Plus whitelist deployed by NoScript was intended as a countermeasure against unusually aggressive EasyList entries specifically targeting Maone's websites, which broke almost all the dynamic functionality and even the links to install the NoScript software package itself.

Source

It seems it was not completely intentional, even though it had caused issues, and also seems it was made right as well.
 

illumination

Guess I should reword that last statement, the filterset being re-added on each startup was not intentional. I find that ad block killing the functionality of his website and downloads to be just as you stated "Definitely not the behavior I'd expect from the author of a self-purported security extension" as well..
 

HeffeD

Level 1
Feb 28, 2011
1,690
thewolfsmith72 said:
It seems it was not completely intentional, even though it had caused issues, and also seems it was made right as well.

It was completely intentional. You left out the good bit. ;)

On May 1, 2009, Wladimir Palant, author of Adblock Plus, a well-known Firefox extension, announced that one week earlier, NoScript version 1.9.2 had started interfering with the functionality of Adblock Plus. It allowed NoScript's sponsor's sites to be interpreted and displayed without the consent of Adblock Plus or the user. Palant said that NoScript had been using obfuscated code to avoid detection of this modification through the use of Unicode hexadecimal encoding. Almost immediately, Mozilla Add-ons decided to change its guidelines regarding add-on modifications. The April 30 version 1.9.2.3 update to NoScript, though, had already replaced the allegedly obfuscated code with a user-visible and documented Adblock Plus filterset whitelisting NoScript's sites.

The only reason to obfuscate something is to keep people from seeing what you're trying to do. It was no accident.

Mozilla felt the same way, which is why they needed to restructure the extension updating method.

The part you quoted is referring to the fact that the whitelist would come back every time you restarted your browser even if you had manually deleted the additions added by NoScript from within ABP.

And yes, Giorgio apologized, but does that make up for the fact that he was purposefully screwing around with other extensions because they were interfering with the money making capabilities of his website?

Think about it. ABP was blocking the ads on his site, so he added secret code to add his sites to the ABP whitelist.

And Ghostery would of course show that the AdSense web bug was active on his site, so what does he do? He manipulates the CSS on his website to hide the Ghostery popup.

That's pretty shady behavior, don't you think?

Edit: Ah, sorry. You made another post while I was typing this up. :blush:
 

Ramblin

Level 3
May 14, 2011
1,014
HeffeD said:
The biggest problem I have with NoScript is its author. From the way he's interfered with both the AdBlock Plus and Ghostery extensions, he's definitely not a guy I trust. Definitely not the behavior I'd expect from the author of a self-purported security extension.

Heffe, that's an old problem that was resolved a long time ago. To me what's important is that both addons are great and work together very well. I use both, I like both. There are things that I do with NoScript and other things that I can only do with Adblock.

For example, I block about 400 trackers with NoScript, something that cannot be done with Adblock. Google Analytics follows you everywhere you go in the net. When I am browsing, analytic stays home. On the other hand, when I am watching videos in Youtube, Adblock not only blocks ads for me, I have a filter to block the very annoying annotations that some videos show.

Both work great, especially when running Firefox sandboxed. Nothing beats that.

Bo
 

illumination

HeffeD said:
Edit: Ah, sorry. You made another post while I was typing this up. :blush:

It is all good :) that's why I added the post under it with rewording, as I looked at it and realized it could be taken a couple different ways.

I have to agree with bo.elam, that was long ago, and both addons work great together now. I actually go a step further using Request Policy with Noscript and Adblock Plus.
 

Exterminator

Community Manager
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Earth said:
Do the benefits of JS outweigh the negatives?

AFAIK, all software is a SECURITY risk, and increased when connected to the World Wide Web (aka Internet).

Edit: Disabling all JS has a negative effect when web browsing, surely. I think I'll leave mine enabled.

Edited

I second that opinion
 

MrXidus

Super Moderator (Leave of absence)
Apr 17, 2011
2,503
I keep my Javascript enabled.

I've tried NoScript before, didn't like the fuss and huss of broken websites and having to constantly spend time adding rules, whitelisting etc. Well, certainly not for my day to day browsing life.

I do however use it with Tails for when privacy is an utmost importance along with a VPN.

These days I use Ghostery, AdBlock Plus, BetterPrivacy and they do the job for me.

Screenshots related.

y1PMi.png

If you don't want to use Ghostery, you can also use Fanboy's Tracking List for AdBlock Plus. I don't advise using both together tho.

UehyH.png

Thanks.
 

HeffeD

Level 1
Feb 28, 2011
1,690
bo.elam said:
For example, I block about 400 trackers with NoScript, something that cannot be done with Adblock. Google Analytics follows you everywhere you go in the net. When I am browsing, analytic stays home.

Google Analytics is a bit tricky because blocking the script can break many web pages. You can use the EasyPrivacy filter to ABP which will allow the script (so as not to break the page) but block the request to Google. (Much like Google's own GA opt-out add-on)

Or, you could add a filter yourself to block GA, and deal with the broken pages. (Maybe you don't visit any pages that break without the script)
Code:
||google-analytics.com^

The EasyPrivacy filter is a filter specifically for trackers and web bugs. In fact, during my Ghostery testing, while using the EasyPrivacy filter, Ghostery never found any trackers to block... (ABP acts before Ghostery)

And for XSS blocking, I prefer RequestPolicy.
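
The two filtering approaches mentioned in this thread (blocking `||google-analytics.com^` and blocking third-party scripts while leaving locally hosted ones alone) can be modelled as below. This is an added example, not part of any post and not Adblock Plus code: the matcher is a simplified re-implementation, the `*$script,third-party` filter line is an assumed way to write the third-party rule, and the URLs are constructed.

```javascript
// Added example: simplified model of Adblock Plus style filter matching.
// Handles only "||", "^", "*" and the "script" / "third-party" options.

// "^" separator: end of URL, or any character except letters, digits, _ - . %
const SEPARATOR = "(?:[^A-Za-z0-9_.%-]|$)";
// "||" anchor: scheme, optional subdomain labels, then the pattern as host
const DOMAIN_ANCHOR = "^[a-z][a-z0-9+.-]*:/+(?:[^/]+\\.)?";

function filterToRegExp(pattern) {
  const anchored = pattern.startsWith("||");
  const body = (anchored ? pattern.slice(2) : pattern)
    .replace(/[.+?${}()|[\]\\\/]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")                    // "*" is a wildcard
    .replace(/\^/g, () => SEPARATOR);        // "^" is a separator
  return new RegExp((anchored ? DOMAIN_ANCHOR : "") + body, "i");
}

// Assumption: registrable domain = last two host labels. Real blockers use
// the Public Suffix List, so this is wrong for hosts such as foo.co.uk.
function baseDomain(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

function shouldBlock(request, filter) {
  const [pattern, opts = ""] = filter.split("$");
  const options = opts.split(",").filter(Boolean);
  if (options.includes("third-party") &&
      baseDomain(request.url) === baseDomain(request.page)) return false;
  if (options.includes("script") && request.type !== "script") return false;
  return filterToRegExp(pattern).test(request.url);
}

// Constructed sample requests (not from the thread), all made by one page.
const PAGE = "https://news.example/article";
const SAMPLES = [
  "https://www.google-analytics.com/analytics.js",   // tracker host
  "https://google-analytics.com.evil.example/ga.js", // lookalike host
  "https://news.example/js/nav.js",                  // locally hosted script
  "https://cdn.adnet.example/show.js",               // external ad script
].map((url) => ({ url, page: PAGE, type: "script" }));

const FILTERS = ["||google-analytics.com^", "*$script,third-party"];
for (const req of SAMPLES) {
  const hits = FILTERS.filter((f) => shouldBlock(req, f));
  console.log(req.url, "->", hits.length ? "blocked by " + hits.join(", ") : "allowed");
}
```

The domain-anchored filter catches the tracker host and its subdomains but not the lookalike host, which only the third-party rule stops; the locally hosted script passes both.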
 

Ramblin

Level 3
May 14, 2011
1,014
Hi Heffe, I hear all the time what you and a couple other guys are saying here, "NoScript breaks too many pages". In all honesty and I mean honestly, I just don't feel it at all. I mean I go to all kind of sites, same sites all the time but the list of bookmarks gets bigger and bigger and I don't have any site that I can't take care of by temporarily allowing scripts.

People also complain about white listing sites like if it was something that you have to be constantly messing around with. Personally, I only have eight sites that I white list. Last time that I changed something in that list was one year ago when Megaupload was killed. After Mega disappeared, I took it off my tiny white list.

Using NoScript makes sense, it should make sense to people that come to security forums. I mean, anytime we read something about it (security wise), it is positive and experts are always recommending it.

I started using NoScript about four years ago, right at about the same time that I discovered SBIE. I didn't understand it at first, I mean it took some time to learn how things work but eventually everything started to make sense. I took a no nonsense approach about it and it worked.

Like Sandboxie, I learn something new every other day about NoScript. I don't see that as "the program being difficult" but as the program being exciting as there is something new to be discovered and learned every so often. I wouldn't change my NoScript for any combination of the paid security programs that we talk about here. That's how I feel about this wonderful program.

Breaking pages, no, not for me, actually (the way I see it), it cleans pages of disturbing and annoying stuff. I can focus better on what I am doing.

Bo
 
