@PabloMartini That's why one needs to use #UblockOrigin and especially #NoScript to block #Google's Servers & Services!
- Same goes for #NSAbook, #ClownFlare and others...
Nobody: "How much bullshit can we shove into our website?"
#deel: YES!
And that's just the crap that #uBlockOrigin and #NoScript caught:
Seriously, I get that not everyone is able to do #accessible and #performant #forms and #Websites and that #JavaScript is trendy and hip.
Microsoft sure has an awful lotta domains. #NoScript #Microsoft (and oh look there's #Amazon there too #aws).
@vfrmedia the good thing for sites like @vantablack 's is that I can just allow her site with two clicks in #NoScript.
@sjmulder: by using different browsers I'm less bothered by that. Firefox with NoScript in particular (mostly on my Android smartphone) gives me an enormous amount of peace. Sometimes I can read pages with a paywall entirely or largely (see screenshot).
NoScript does have a learning curve, and Firefox has drawbacks too (see e.g. https://infosec.exchange/@ErikvanStraten/114341143568071368 and the follow-up toot about NoScript).
It often works if you allow the first party to run JavaScript but do not allow third parties (including 3rd parties with names containing "cookiebot").
Firefox Focus does not support NoScript, but is the most privacy-friendly because all history is erased when the browser is closed. Important in any case, but all the more so in this browser (because HSTS does not work): turn on "https only". That means you are *warned* about insecure http connections, which you can then still choose to allow.
It also helps when tooters don't use "URL shorteners", so that you can see which website the link leads to.
Finally, I often try to quote what I consider the most important part, or post a screenshot (with Alt text if possible). Then readers do not HAVE to click/tap on links.
Restyling completed!
Now the site works just fine even with #Javascript totally disabled. But if you expect to listen to my podcast using the built-in player (which is handwritten) this will not work. However I placed several <noscript> tags explaining here and there what is not expected to work without JS.
At least all the content is readable and also rendering works just fine even after stripping almost half of the original CSS.
- A reputable anonymizing VPN service
- Linux
- Firefox (or compatible) web browser
- HTTPS-Only Mode
- NoScript
- User-Agent Switcher
These are some easy things that will keep you safe in the age where you shouldn't trust *anything* your device connects to online.
Yeah, I used to use #NoScript like @sotolf does, but with some sites like banking and "professional" websites, it's a trip and a half to get the site to work at all, then to work in non-Chrome browsers, then to work with uBo/PrivacyBadger/CanvasBlocker, then adding NoScript to all of that jazz would really send me loopy. XD
But I think it's totally valid to have a "general browsing" browser that's locked down like Fort Knox, and then a very vanilla one for "don't break on me, cheems!" work sites.
I dunno. :P
@otte_homan that's why I only use it now to watch certain channels and their uploads.
Without #NoScript, #uBlockOrigin & #SponsorBlock it is unusable!
...#JavaScript off, e.g. with the #NoScript add-on) reduces the #surveillance in your life.
(Alas, JavaScript is necessary for a lot of websites.)
@ColetteDiskette I use #NoScript & #DarkReader to stop that nonsense...
@ezra yes and it seems #Google actively fights against users of #NoScript, #uBlockOrigin and #SponsorBlock.
@karlauerbach nods in agreement
#DNT of course can be ignored technically serverside and it's strictly speaking an #ask that #TechIlliterates who don't know how to use #NoScript can't really enforce...
@NocturnalNessa @kasdeya yes, it's called #NoScript and the existing security settings...
@aral @SecurityWriter +9001%
Like #uBlockOrigin (and #NoScript) - the (former) being included in @torproject / #TorBrowser!
Reporting back to the fediverse from #LibreWolf after #Firefox #Mozilla @mozilla decided to commit seppuku. For a seasoned GNU/Linux user, following their guidelines for setting up a deb repo and setting some custom overrides to my preference was simple enough. I currently have the "letterboxing" feature enabled, which shrinks the main viewport to a common denominator for antitracking purposes. Not sure if I'll keep that or not. It looks a little silly with the contrasting white background against every website's non-white background, but... that's really just me noticing it 'cause it's new. I'll try it out for a few days at least.
I also disable the "clear everything on close" preferences. If I need that kind of paranoia, there's TAILS.
My ~/.librewolf/librewolf.overrides.cfg:
```
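// Pad the viewport to common window sizes so its dimensions are less identifying
defaultPref("privacy.resistFingerprinting.letterboxing", true);
// Send the Referer header cross-origin only when the hostnames match
defaultPref("network.http.referer.XOriginPolicy", 2);
// Keep browsing and download history when the browser closes
defaultPref("privacy.clearOnShutdown.history", false);
defaultPref("privacy.clearOnShutdown.downloads", false);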
```
Porting over my #TreeStyleTabs was easy enough (copy the `chrome` dir from the firefox profile to the new librewolf profile), and LibreWolf even has a handy "Allow userChrome.css customization" option in the settings to avoid needing to dip into `about:config`. Guess they know their userbase.
Adding back my other add-ons was simple enough too. Exported my #NoScript settings and re-imported them (*that* would truly be a pain to rebuild back up). Did the same thing for bookmarks. Not going to bother for #uBlockOrigin. I didn't have enough custom stuff in there to really matter and it's installed by default in LibreWolf anyway.
Now I'm logging back into my common websites.
I decided against "copy over the profile directory" just to have a fresh start. Not sure if that approach would work or not. I figure there's years worth of cruft built up in my firefox profile directory and I could do with a refresh.
So far, so good. School stuff is working. Banking is working. All the fediverse stuff is working.
I consider moving to LibreWolf a temporary solution, especially given their "we purposefully don't take any money so we can reserve the right to abandon ship whenever" approach to governance. It's high time a viable alternative to surveillance capitalism took root. I suspect I'll eventually end up contributing to whatever project looks most promising towards that end. #Servo plus some other chrome/wrapper around it, #LadyBird, who knows.
WHAT ABOUT #THXBYE #EOD IS NOT CLEAR?
https://infosec.space/@kkarhan/112869106970638471
THE WHOLE #ADBLOCKING STUFF LIKE #NoScript SHOULD NOT HAVE A REASON TO EXIST TO BEGIN WITH!
I AVOID THAT SHIT BECAUSE IT IS A NET NEGATIVE TO THE WORLD, LIKE #WINDOWS, AND THUS I WON'T WASTE TIME OR ENERGY HAVING TO CLEANUP DIGITAL FECES FROM MY TRAFFIC AFTER I GOT IT SHIT ALL OVER THE WEB!!!
THERE IS NO LEGITIMATE REASON FOR #JavaScript WHEN THERE ARE AMPLE OF RICH WEBSITES, ESPECIALLY #OnionServices SHOWING THAT THEY DON'T NEED THAT SHITE!
The problem is not what those malicious scripts can do but that your vanilla chrome or mozilla firefox will default in allowing ALL scripts offered in a website, whether local to the site visited or client (google being the #1 most used set of scripts running on commercial websites).
#NoScript is a burden, and so is being protected, private, anonymous. Learn to discriminate what you allow and what not to.
#Ublock origin, is not only about blocking ads but blocking intrusion.