Fix Web
If you like JavaScript and are not worried about its use you won't need this script.
An alternative to this script
I started to use the `capability.policy.' preference branch to restrict the use of JavaScript. It lets you tell the browser on which websites JavaScript is allowed. It's a way of whitelisting good sites. You can also blacklist bad sites instead if that is what you want.
To whitelist sites do as follows:
- close your browser
- locate your user.js file
- add these lines to the file:
user_pref("capability.policy.default.javascript.enabled", "noAccess");
user_pref("capability.policy.jsok.javascript.enabled", "allAccess");
user_pref("capability.policy.jsok.sites", "http://www.good-site.org http://www.another-good-site.org");
user_pref("capability.policy.policynames", "jsok");
After restarting the browser, JavaScript should only work on the sites specified. By the way, you can also use the NoScript addon, which does a lot more than just that.
Main Features
SWFObject
SWFObject is a small Javascript file used for embedding Adobe Flash content.
Fixweb attempts to show embedded content on untrusted sites where JavaScript is disabled. SWFObject [1, 2] is a small framework for doing so if JavaScript is enabled. It's one of many(?) non-standard but widely used frameworks.
Flash Player Detection Kit
The Flash® Player Detection Kit helps developers implement robust player detection for a variety of deployment environments by providing a set of templates and techniques to successfully detect the version of Flash Player installed on a user’s computer...
After I had so much fun with the SWFObject I played around with the Flash Player Detection Kit.
Unobtrusive Flash Objects (UFO)
UFO is a DOM script that detects the Flash plug-in and embeds Flash objects (files with the .swf extension).
UFO does the same thing as the others, but differently. Its focus is also a different one.
onClick to Link
This script also attempts to find URLs in onclick attributes of anchors, buttons and input[type='button'] and transforms them into anchors (links) with a normal href attribute.
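The onclick-to-link idea above, as an added example that is not Fix Web's own code: the handler text is pattern-matched rather than evaluated, and only http(s) targets are accepted so that a rewritten link cannot carry a javascript: or data: URL. The names extractUrlFromOnclick, NAV_PATTERNS, SAFE_SCHEMES and the sample handlers are assumptions made for illustration.

```javascript
// Added example: navigation idioms commonly found in onclick attributes.
// The handler text is only pattern-matched; it is never evaluated.
const NAV_PATTERNS = [
  // location='...', location.href="...", window.location.href='...'
  /(?:^|[^\w.])(?:(?:window|document|self|top|parent)\.)?location(?:\.href)?\s*=\s*(['"])(.*?)\1/,
  // location.assign('...') and location.replace('...')
  /(?:^|[^\w])location\.(?:assign|replace)\(\s*(['"])(.*?)\1/,
  // window.open('...') and bare open('...')
  /(?:^|[^\w.])(?:window\.)?open\(\s*(['"])(.*?)\1/,
];

// Only these schemes may end up in an href; javascript:, data: and the
// like would put script straight back into the page.
const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Returns an absolute http(s) URL for the handler, or null if none is found.
function extractUrlFromOnclick(handler, baseUrl) {
  if (typeof handler !== "string") return null;
  for (const re of NAV_PATTERNS) {
    const m = re.exec(handler);
    if (!m) continue;
    try {
      const url = new URL(m[2], baseUrl); // resolve relative targets
      return SAFE_SCHEMES.has(url.protocol) ? url.href : null;
    } catch (e) {
      return null; // unparsable target: leave the element untouched
    }
  }
  return null;
}

// Constructed sample handlers (not taken from any real site).
const SAMPLES = [
  "location.href='/watch?v=abc'",
  "window.open(\"http://www.example.org/help\", 'w'); return false;",
  "window.location='javascript:alert(1)'",
  "location.assign('data:text/html,hi')",
  "toggleMenu(42)",
];

function convertSamples(baseUrl) {
  return SAMPLES.map((h) => extractUrlFromOnclick(h, baseUrl));
}

console.log(convertSamples("http://www.example.org/index.html"));
```

In a userscript the returned URL would be assigned to the href of a newly created anchor; elements for which the function returns null are left as they are.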

login to vote
What I try to make people understand is that they should make a choice about when to enable JavaScript. Everyone should use JavaScript as I described in the beginning `An alternative to this script'. You should whitelist trusted sites so that all other sites cannot use JavaScript. Use the NoScript addon if you don't know what I'm talking about, but don't give up on using it!
This script has changed its goal a few times and has become (or always was) superfluous in relation to enabling/disabling JavaScript, but it's fun to play with it.
Again, what this script does *now* is to show embedded content (such as flash/videos) on sites where JavaScript is disabled. On sites I don't trust I do not *ever* want to allow execution of JavaScript. But if there is some embedded content on the untrusted site which this script can show then I am happy to look at it. There is also a problem with misbehaving embedded content, but I didn't give it so much thought.
I don't know how you tested it but disabling JavaScript has no effect on Greasemonkey whatsoever (Firefox v1.5-v3.0pre). Greasemonkey works with JavaScript disabled!
login to vote
Am I missing something here? I need Javascript to run any script on this site. If I disable Javascript, I can't use Greasemonkey. If someone doesn't want Javascript, they can either just disable it or use the NoScript Firefox extension.
login to vote
At the moment I don't have time to write a documentation, but I agree it might help to understand what I try doing. It's alright for me to answer each comment, since there are not that many. As soon as there are too many people asking what this script is about I might change my mind and write a documentation.
This script is for those who surf the web with JavaScript *disabled* most of the time. These people only turn JavaScript on when they trust a website and there is no functionality in this script for that website. I am one of those persons.
This script tries to show/allow content on famous websites like YouTube, MySpace, Imdb, aso. with JavaScript still disabled. I try to leave JavaScript disabled as much as possible. I have a button in my status-bar which allows me to enable/disable JavaScript, so that wouldn't be a problem even if I have to enable JavaScript.
If this script would ever be complete :) there would only be JavaScript executed by this script and not by any website. *I* trust this script more than any JavaScript coming from the web. *You* (the users) can choose to trust me and use this script and come with new ideas/comments or <state>.
There are problems I am aware of. For example I use the `eval' function to execute cut-out script-snippets from websites. What could happen is that a site changes and tricks this script to execute dangerous code. I don't expect this to happen but nothing is achieved if that still can happen and so I will take care of it soon. I'm just lazy and (re-)use the code where I can.
Kind regards,
Kim</state>
login to vote
Perhaps you could have a "document" link - maybe just a page with the details of how your script operates.
An example
IMDb Weaver
http://userscripts.org/scripts/show/6602
has two links. One is a changelog. The other is a doc.
That would add to clarity. And clarity can only be good.
The idea behind your script is excellent. People should be wary and careful of something as powerful as javascript. But I must admit I don't understand what it is that your script =does=.
Even after installing it - I wasn't sure what it was doing and the title "Surf the Web without JavaScript" doesn't make any sense to me. It's disabled for now.
At a site like youtube are you blocking javascript code and creating your own (non-javascript) code to do the same thing?
Also I might be missing something - but wouldn't your script function best as a Firefox add-on? That way you could give the user info about what sites it is designed for and what it's doing on a site.
login to vote
Don't get me wrong by everything I throw at JavaScript. Of course it is not JavaScript that is bad, but the way it's implemented[1, 2, 3].
It is a fact[2, 4] that JavaScript can be (mis)used to start an attack and in rare cases[2] directly from inside a browser. That was also my `Point n' in a previous post, to see what will happen when Version 1.7 of Javascript will be implemented.
``JavaScript provides an interface to a wide range of browser capabilities, some of which may have flaws such as buffer overflows. These flaws can allow attackers to write scripts which would run any code they wish on the user's system.''[4]
What can be realised with the Bug 369814 which I posted before is the following. I didn't try it myself though :|
``A common JavaScript-related security problem is cross-site scripting, or XSS, a violation of the same origin policy. XSS vulnerabilities occur when an attacker is able to cause a trusted Web site, such as an online banking website, to include a malicious script in the webpage presented to a victim. In that example, the script can then access the banking application with the privileges of the victim, potentially disclosing secret information or transferring money without the victim's authorization.''[5]
I think we all (userscript-creators/-users) like JavaScript, since we create/use all these scripts (written in JavaScript). But I also think that many people don't understand the `danger' of trusting their programs *blindly*.
We may understand or even underestimate the danger of client-side code execution since we know a little about what is going on but what about others who maybe don't even know that there's such a thing as code coming from the web and executed locally on their machines.
Even userscripts.org is showing a sign of `danger'[6] when it comes to trust userscripts (JavaScript).
``Extra caution is recommended when installing recently uploaded/updated scripts (read more)
Be sure you trust any scripts you install.''[6]
There are even bigger security implications when it comes to injection of scripts into your browser, such as with Greasemonkey. Take a look at what can happen[7] without having security in mind.
``Web browsers are capable of running JavaScript outside of the sandbox, with the privileges necessary to, for example, create or delete files. Of course, such privileges aren't meant to be granted to code from the Web.''[8]
That's it for now ;)
[1] Cross-site scripting - Background
[2] Mozilla Cross-Site Scripting Vulnerability Reported and Fixed
[3] Cross-site scripting - Real-world examples
[4] JavaScript - Browser and plugin coding errors
[5] JavaScript - Cross-site vulnerabilities
[6] Cookie Stealing Scripts
[7] Mandatory Greasemonkey Update
[8] JavaScript - Sandbox implementation errors
login to vote
But that jar XSS hazard has nothing to do with Javascript.
You sound a bit paranoid to me. Javascript is not bad and it can't install spyware on your machine nor upload sensitive information to someone else without your knowledge. The key phrase there is "without your knowledge". Sure, javascript can help to do these malicious things, but you need to do something else in order for the exploit to work and this is almost always a social engineering thing. So it's not javascript's fault, it's people's fault for not being wary on the internet of links that say "Install this software for some free porn!"
login to vote
I found a few links that show my concerns about having JavaScript enabled, Raffles.
http://www.gnucitizen.org/blog/web-mayhem-firef...
http://www.kb.cert.org/vuls/id/715737
https://bugzilla.mozilla.org/show_bug.cgi?id=36...
!! It is an old bug (9 months) and has not been fixed yet !!
login to vote
I am sorry to say that it is the same as with `ubdesigner.com'. Both sites depend heavily on JavaScript being enabled. I am sure there can be made some kind of compromise to run the sites without JavaScript, but it should not be me who decides.
Cheers
login to vote
Inbox.com's e-mail uses javascript, though I just realized you might need an inbox account to update your script for it :/
login to vote
bobielawlintine, what functionality would that be?
Also if anybody feels like it he/she can write code for his/her favorite websites. You are welcome to take a look at how I do things (It's pretty messy when it comes to locating elements in code without an id/name). You can send me your snippets or maybe somebody would like to start a project on this topic!?
login to vote
Thanks so much Kim. I appreciate your work.
Also one more site: (my.)inbox.com so I can access my email.
login to vote
bobielawlintine, we can now add comments at `userscripts.org' without javascript enabled ;)
Unfortunately I didn't make the `ubdesigner.com' site work. It's a javaScript web-application and needs javaScript enabled to work properly. It is too big of a job for me at the moment.
The ``scroogle scraper'' at `scroogle.org' and also `google.com' now focus the search field.
The `Quick Reply' works on `wilderssecurity.com' but I don't know how to get the `Quick Edit' working. The problem is (I think) without javaScript there is no way of realising a click on the `Quick Edit'-link and then load the Editor into the current page. Please correct me if I am wrong.
Cheers
login to vote
Two other sites: userscripts (to add comments) and ubdesigner (to start the designer).
login to vote
I'd like scroogle scraper to be added. It doesn't need it, but I like having js enabled on it so the cursor automatically shows in the search text area.
Also I'd like wilderssecurity.com added so I can use the Quick Edit and Quick Reply features.
login to vote
Then let me show you Raffles...
Point 1:
I use Firefox version 1.5.0.12. I like it and don't want to make the switch at the moment. To not expose myself to too many known exploits I disable JavaScript and enable it where I need it, by `fixing' a page. When I trust a site completely (myBank, myProjects, ...) then I enable JavaScript, of course.
Point 2:
I dislike everything that has to do with tracking people on the web, which most of the time is related to JavaScript. Google is doing a great job providing their ads on people's websites and thereby having a good overview (tracking) about what people are interested in. I guess it makes sense to know what people want, to be able to steer the company in the right direction.
Point 3:
As you mentioned, pop-ups (which I don't like) can be realised with JavaScript too and can be worse than you think. It might bring you into jail.
Point n:
I am knowingly at risk right now when I enable JavaScript and browse the web. I hope everybody is up to date with their software and will never visit any `dangerous' sites. That might protect you `quite well'. But even updated browsers are not `secure', only `more secure'. That is relative since as soon as there are new features it could mean new security issues -> bugs -> exploits. Just search for firefox+javascript+exploit to understand what could happen when browsers try to implement the new version of JavaScript 1.7.
Cheer up!
login to vote
I don't see the point, to be quite frank. Any security concerns people have about Javascript are quite well covered natively by Firefox. There's nothing dangerous or evil about Javascript. At most you might get a sly popup slipping through but that's about it.
login to vote
You have some good points here Mikado, but...
I don't intend to merge existing scripts with this one. It should consist of small snippets of code for each site enabling the `most important' features on that site (no extended functionality). On sites like YouTube.com a code-snippet would allow you to watch video-clips and see the related-videos with JavaScript disabled.
This script is at the moment at 8.7 kB with 4 sites supported. The average size of a code-snippet is less than 2 kB. I don't know how big this script will/is allowed to grow, but I am willing to try and see what will happen. Fixing all sites on the Internet is in the end a pretty big job ;-)
I didn't need the regular-expression in THIS script (so I removed it), but it's not as bad/slow as it (maybe) looks like ;-)
And yes, I still think that maybe not this script but the idea behind it is a fine one. Please let me know if you have problems with this script (e.g. slow or so) or if you know about similar projects going on.
The last thing I want everyone to understand is:
If you like JavaScript and are not worried about its use you won't need this script.
login to vote
That's what I thought notyou. If you have a site which should be ``set free'' let me know.
login to vote
So, you're going to merge scripts in one? It's a really bad idea. Imagine your script gets popular and contains 100 scripts, 5kb each (not mentioning we have Google Maps and Wikimapia with insanely huge scripts). It will be a 500Kb monster script. Imagine you have 10 tabs opened, each containing 3 iframes. You'll have your script loaded and executed 30 times, creating 30 outrageous regexps just for fun, and doing some job matching location (GM can do this for you, but you want to do this yourself too). Do you still think it's fine? What I think, it will be better to enable JS globally rather than using this script!
login to vote
umm this only works for youtube?? don't get me wrong 'cause that alone is a great idea (could youtube BE any more s l o o ow already hahah)
login to vote
You are right, Mikado. I changed the name to something more explanatory about the script's current state.
Also, a short description and something about my motive you can find in the `COMMENTS' section (see above or in the script).
login to vote
The title is a little too loud for what the script currently does... Could you call it "Youtube for Noscript" or something and describe accordingly?
login to vote
What I try to do is motivate people to disable/control the use of JavaScript.
This script only makes sense if JavaScript is disabled!
The script is correcting the missing behaviour of sites like YouTube.com (and hopefully others in the future) when JavaScript is disabled.
login to vote
Oh ignore my previous comment. I thought your script was trying to disable javascript. My bad.
login to vote
Since greasemonkey runs after a page has loaded, wouldn't disabling javascript be a futile exercise since the javascript has already loaded?