[ overboard / sfw / alt / cytube] [ leftypol / b / WRK / hobby / tech / edu / ga / ent / 777 / posad / i / a / R9K / dead ] [ meta ]

/tech/ - Technology

"Technology reveals the active relation of man to nature"
Name
Email
Subject
Comment
Flag
File
Embed
Password (For file deletion.)

Matrix   IRC Chat   Mumble   Telegram   Discord


File: 1627879257222.jpeg ( 53.65 KB , 1200x630 , javascript.jpeg )

 No.10548

This guy wrote an interesting article on using popular sites with javascript disabled:

https://www.smashingmagazine.com/2018/05/using-the-web-with-javascript-turned-off/

His experience was that news sites/blogs tended to "mostly" work while most other sites were utterly broken.

WHAT IS /TECH/'S OPINION ON JAVASCRIPT?

I know many on the channers totally disable js in the browser since Stallman wrote an article against javascript many years ago, additionally many are paranoid about browser zero days used by glow in the darks. Finally a ton of people just see javascript heavy sites as being bloated and overengineered, having slow load times and discriminating against minimalism and third world users with slower internet.

With more and more sites using SPA frameworks like vue, react, and angular, and less and less apps doing server side HTML rendering, javascript-disablers are quickly becoming a tiny minority.

What do we think about js vs nojs/noscript?
>>

 No.10549

We need a web debloat tool that only renders the necessary parts of a website, or we just migrate more to gemini
>>

 No.10551

>>10549
the problem with bespoke protocols like gemini is that they're less accessible than HTML since everyones already got an HTML browser, second of all gemini doesn't support forms AFAIK so no post operations which means no chat rooms, forums, social media, hell, not even images.

Making a barebones app with a subset of html/css and no javascript is probably a better alternative
>>

 No.10552

>>10551
>second of all gemini doesn't support forms AFAIK so no post operations
It does in a limited way
https://gemini.circumlunar.space/docs/specification.html
See the INPUT section, but it doesn't allow forms with multiple fields and such easily. Though you can probably still send a delimited string in the META line I guess and return a similarly delimited string as a query string for multiple field input, as long as a client program makes this seamless, it could work like a rudimentary form.
And client TLS certificates can be used for authentication, so there is a rough idea for how to do form input on gemini.
However, the whole point of gemini is that it's not supposed to be an "all-in-one" protocol like HTTP seems to have become (and that's why writing a good browser engine is so hard these days that everyone is defaulting to using Chrome's engine). So if you want chat rooms, forums, etc. those would best be implemented as separate protocols from gemini, so something like IRC or similar for chat, BBS style boards for forums, etc.
A gemini client could inline images also, nothing really stopping clients from doing this, but it'd go against the whole point of gemini.
>>

 No.10554

>a reactionary yearns to overturn a present condition of perceived decadence and recover an idealized past
Gemini is reactionary.
>>

 No.10555

>>10554
>overturn
go back
>>

 No.10556

>>10554
it's definitely not that, the people that make it are annoyed by how bloated and sluggish the web is, they are trying to build something lightweight not something retro. And they aren't trying to overturn the web either, they specifically say that Gemini is not supposed to replace the web.
>>

 No.10558

>I know many on the channers totally disable js in the browser since Stallman wrote
That's a horribly stupid reason to do anything.
I disable/selectively-enable javascript to:
>reduce tracker fingerprint
>remove some ads
>improve security

Where practical, JavaScript should be optional.
>>

 No.10560

The greatest cancer ever visited upon the web, responsible for our modern situation where web browsers are being transformed into fucking operating systems. Browsers have no fucking business being the most demanding piece of software that computer hardware interacts with on a daily basis.
>>

 No.10561

>>10548
>Sometimes the issue isn’t with the user but with the CDN delivering the JavaScript. Remember in February 2017 when Amazon’s servers went down? Millions of sites that rely on JavaScript delivered over Amazon’s CDNs were in major trouble, costing companies in the S&P 500 index $150 million in the four-hour outage.
I don't like JS in my own life, but the above makes JS sound very based. Porky should absolutely rely on JS even more.
>>

 No.10562

>>10555
>>10556
No it is fucking reactionary.
The problem of bloated corporate websites is real, but anarcho-primitive protocols won't solve that.
The justifying reasons are all bullshit.

>Gemini is not supposed to replace the web.

A subset of the web (text and hyperlinks) necessarily competes with the web regardless of your intentions.
Why not just limit yourself to text only websites? Why not use gopher? Why not make a web search engine that only allows non-JS sites, and kicks sites out if JS is detected?
The purity criteria are completely arbitrary. That's the core problem with all these shitty little projects. They don't move forward in a better direction, rather they look backwards to the 'out of academia' origins of the internet, which simply will never happen again.

Gemini is worse than F tier
Tim Berners Lee Solid is D tier. It internalizes the dominant app/data paradigm, yet still has no chance of adoption.
IPFS is also D tier. Immutable content? Yeah nobody gives a fuck. It would be C tier, but it's now associated with shitcoins.
Dat might be B tier. Public key addressing is definitely the correct paradigm for a web addendum.

Doesn't matter though, because cargocult protocols won't free the internet from corporate control.
>>

 No.10564

>>10562
>won't free the internet from corporate control
why are people expecting this? this has never been stated as a design goal for gemini.

The web isn't bad and it doesn't need "saving" because it hasn't been put under peril by some nefarious group. It has progressed in the exact direction people wanted. People wanted integrated logins with their twitter and facebook accounts, they willingly uploaded their information and shamed others into doing the same so that they could do the same social dance online that they do IRL. The web is fine as it is and it is going to chug along and will continue to cater to its target audience.

Some people don't like the web experience however, and gemini gives them an easy alternative and it's nice that it maintains that break between HTTP and gemini because I don't want the "web experience" when I am just trying to browse some information on gemini. That it makes the HackerNews types seethe with rage when they realize that people are ignoring their painstakingly built identity of "people-first, web-scale, socially-aware, mobile-ready DiSrUpTiVe app entrepreneurs!" is just icing on the cake, but it's not the main objective.
>>

 No.10565

File: 1627922179229.png ( 24.95 KB , 249x300 , webp_is_great.png )

>>10564
>makes the HackerNews types seethe with rage
Ahaha you use gemmni to trigger the libs. I knew your reasons would be irrational nonsense, but that takes the biscuit. The modern gtard is as pathetic as the normalfags they look down on. This is the FOSS equivalent of the Apple user's cuck philosophy. Absolute slave morality.

There's nothing wrong with javascript. Yes 99% of it is shit, but then 99% of everything is shit. Can you seriously not think of even one cool, useful, or powerful thing you could write in javascript?
If you don't care about the content on those corporate tracker stuffed sites then you don't have a problem.
If you don't care about Silicon valley startup webshits then again, you don't have any problems.
However, if you actually do care about that corporate content then that's sour grapes. That's the real reason behind gtards eternal anti-JS butthurt.

Anyway I forgot Tor onion services v3. Public key addressing, and a cultural (but not an artificial technical) moratorium on Javascript. Self-hosting is easy. Private and secure. Uses existing HTML tooling. Fucking S tier

Gemmi is shit for yet another reason. It throws out all the good parts of the web, but keeps THE WORST PART. The one weakness that should be got rid of at literally any cost. The ICANN domain name space, along with registrars, payment processors, and KYC policies. Hey if you're going to fuck up, you might as well 100% it.
>>

 No.10567

making a js-disabled browser, which TOR browser is by default i think, would solve most of the same problems as gemini
>>

 No.10568

>>10565
>Can you seriously not think of even one cool, useful, or powerful thing you could write in javascript?
I can, but nobody who is aware of the long history of half-baked JS tools and implementations would even bother to ask why people even have a problem with JS.
Either way, JS is working fine for its target audience, so idk what your issue even is with people who want to avoid it.
>The one weakness that should be got rid of at literally any cost. The ICANN domain name space
Which is orthogonal to the gemini (or HTTP) protocol. You can come up with another naming protocol to name and find computers over the network and gemini or HTTP will work just the same over it.
>>

 No.10569

Is it safe to enable JS while using leftypol.org?
>>

 No.10570

>>10568
>You can come up with another naming protocol to name and find computers over the network
I think that already exists like OpenNIC
>>

 No.10571

>WHAT IS /TECH/'S OPINION ON JAVASCRIPT?
i get paid to make webapps with it
>>

 No.10572

>>10571
When the revolution comes you'll be the first in gnulag.
>>

 No.10573

>>10554
>internet protocol is reactionary
Not an argument. Stop shopping at the ideological supermarket.

t. NTA
>>

 No.10612

>>10565
The only good thing about everything relying on JS is JSON data as a byproduct so you don't need to parse HTML. Makes web scraping much more fun lol
>>

 No.10613

>>10567
Not by default. Tor Browser delegates JS-blocking to the NoScript add-on, but that stays behind the scenes for the average user who is simply given a choice to switch between three different security levels, the highest one completely blocking JS among other things. By default however JS is enabled, but it still restricted to prevent some fingerprinting vectors.
>>

 No.10614

NoScript is fucking great. You can whitelist (permanently or temporarily) individual sources and elements to only use the part of a site you want.
>>

 No.10617

>>10614
Wait until you try umatrix https://github.com/gorhill/uMatrix/
It gives you even more fine grained control, e.g. blocking cookies while allowing scripts. You can also add global rules to block some resource by default.
>>

 No.10619

>>

 No.10622

>>10548
Eh, javascript for naviagtion and stuff is fine. I use it myself for my web projects and it does it work. The ecosystem though? It's horrid. I don't want these thousand packages installed to do basic shit. Why can't I just import scripts from the head tag?

Still, using base javascript is fine.
>>

 No.10623

>>10622
>javascript for naviagtion and stuff is fine
If it relies on it for navigation then that's utterly fucked. If you mean dynamic navigation menus or whatever then that's really fucking annoying. I accidentally hover a mouse over a div now the whole content is blocked by the big ass drop down and I have to go pixel hunting to get it out of my face because it covers nearly the whole viewport and/or the script is buggy/unresponsive.

This page is an example of good use of JS: it's used to merely append new posts to the thread so the user doesn't have to keep refreshing it (whcich would be more annoying), but everything works and looks the same without JS. It solves an actual problem instead of chasing aesthetic trends.
>>

 No.10644

>>10623
Oh no, that is bad. But If I serve a page of text that's long but splitting it into multiple pages would be too annoying I simply put divs around the various parts and make a panel above without any pop ups to hide and show the certain divs. I think it's an ethical use of javascript. It might annoy some people who browse without javascript, but seeing I don't use any frameworks and all of my javascript code could be read and understood under 15 minutes I don't think they have reasons to complain.
>>

 No.10645

https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode is a nice middle ground; block 3rd party scripts by default but allow 1st party. Prevents most tracking and bloat with less breakage than noscript. Of course it isn't foolproof since some sites proxy everything through their domain, and a lot of sites will break if they require JS from 3rd party CDNs.
>>

 No.10647

'safer' setting on tor browser works great. JS on the domain you're visiting is enabled, other domains disabled. JIT disabled. Completely disabling JS is a crapshoot and probably unnecessary. Every time a vulnerability is exploited, it risks the vulnerability being noticed and patched. The glowies will save it for times it really matters.
>>

 No.10662

>>10647
True, but doesn't place nice with Invidious since Invidious still loads media files directly from youtube's servers which use so many different domains that you have to bypass noscript multiple times just for one video.

But using tor+youtube_dl+mpv is better anyway, faster transfer rate (run youtube_dl with "-f worst") and you can maximize the window without worrying about fingerprinting.

If anyone's considering using this, here's a shell function:
youtube() {
youtube-dl –proxy "socks5://127.0.0.1:9050" -f worst "$@" -o - | mpv -
}

Usage: youtube URL
Note that "socks5" is interpreted by youtube_dl as "socks5h" so DNS requests actually do go over Tor, they're not leaked.
>>

 No.10663

>>10662
>doesn't place nice with Invidious
In umatrix you can whitelist the googlevideo.com prefix, to unblock media files from youtube.
>–proxy
Youtube-dl also works with torsocks, so I would recommend invoking 'torsocks -i'.
>>

 No.10665

>>10662
incognet's invidious actually does play nice with 'safer,' you only have to enable the content domain once
http://tuberyps2pn6dor6h47brof3w2asmauahhk4ei42krugybzzzo55klad.onion/
>using tor+youtube_dl+mpv is better anyway
nice, yeah i do this in whonix sometimes without any function
>>10663
tor browser doesn't use umatrix
>>

 No.10687

>>10665
>You should not install any additional add-ons on Tor Browser because that can compromise some of its privacy features.
https://support.torproject.org/glossary/add-on-extension-or-plugin/
>>

 No.10688

>>10548
the only legitimate use of javascript i know of is twine games. (i.e. empowering the technically unskilled) so far as i am concerned, everything else should be outlawed. if you can parse CSS with your eyes, you don't need to suck up memory with your shit javascript tracking. do the website properly.
(there is no empirical data to back it up, but i guarantee that in aggregate people who make twine games probably make better websites than people who don't. purely because they fall into the kind of demographic that makes a cute neocities full of glitter rather than being a professional web designer who manages to make a site that serves 500 words waste 15 megabytes.)

i could develop on this and a general distaste for bloat and so on, but really my position isn't so much a technical one as a social one: i say knock down a core pillar of the web as it stands today and just see what happens because the consequences couldn't possibly be worse than what we have now. this is of course a fantasy: you cannot send an army to destroy javascript. i have to confess this to myself, rather than proposing this or that protocol. all that can be achieved is screaming at the wind about how much i hate the modern web and then tithing my conscience by leaving positive feedback on obscure, marginally interactive short stories.
>>

 No.10693

>>10687
yeah, I believe you can be fingerprinted for your browser extensions so all TB users should have the exact same setup, the defaults. I think this would also apply to the security slider settings and so I wish the default option was 'safer.' Web just too unusable to default to 'safest.'
>>

 No.10694

>>10551
>the problem with bespoke protocols like gemini is that they're less accessible than HTML since everyones already got an HTML browser, second of all gemini doesn't support forms AFAIK so no post operations which means no chat rooms, forums, social media, hell, not even images.
That's sounds like a dream
>>

 No.10695

>>10548
JS is needed for a lot things. Most things are insanely bloated.

Eg nitter vs twitter
Reddit vs teddit

Bloated shit these companies shit out many times works much worse and adds no value.

Server side rendering is meh. I don't like it. I realize it's the only way to accomplish certain things without JS, but still.
>>

 No.10704

>>10693
No script can retrieve a list of active browser extensions, so this depends on the particular addon.

<Question

>Isn't it a fact that every browser extension (f.i. an adblocker like Adblock Plus) makes your fingerprint (more) unique?
<Answer
>It isn’t quite that simple. Adblock Plus has been developed in such a way that it cannot be detected directly. This means in particular: no web_accessible_resources in the extension manifest. And even if web_accessible_resources were used, it only makes the extension only detectable in Chromium-based browsers, not Firefox.
>So websites can only detect Adblock Plus by its effects, meaning blocked requests. That’s more complicated and more error prone. And it also means that websites cannot determine which one of the many ad blockers you use. With ad blocker users ranging in hundreds of millions, this is hardly worth it.
>
>But – sure, many browser extensions make themselves detectable for no good reason. And that could add to your fingerprint.
https://palant.info/2020/12/10/how-anti-fingerprinting-extensions-tend-to-make-fingerprinting-easier/
>>

 No.10708

>>10695
Teddit is much more usable than Reddit, but Nitter is kinda annoying with how few tweets it shows on a single page and navigation is also not much better. It's actually more like the new Reddit. Not that Twitter isn't insanely bloated and annoying to navigate, but for just looking at replies it's easier to use than Nitter currently.

Agree with the rest though.
>>

 No.10709

>>10704
>So websites can only detect Adblock Plus by its effects, meaning blocked requests.
Not impossible, then also add your filter configuration, and you can stand out more. Websites don't have to guess which addon you're using, they just have to observe your blocking pattern to single you out in combination with other fingerprint data.

So if you do use an adblocker, use the most popular one and don't change the configuration, be as normie as possible.
>>

 No.10729

>>10704
I was talking about tor browser which does not include adblocking in stock, so tor and adblocking would stand out even more than either one alone. It's apparently in TAILS so I don't know why they don't add it to tbb
>>

 No.10730

>>10729
I don't think the added attack surface you get from allowing all js is worth the risk of fingerprinting.
>>10709
The article also mentioned fingerprinting by blocking scripts is to be an edge case. Why should the site have tracking functionality included, when it needs to load that from a tracking provider? Wouldn't the information from individual sites need to be forwarded to the tracking provider through some esoteric CGI (which is unfeasible performancewise)?
>>

 No.10731

>>10729
>I don't know why they don't add it to tbb
One of their primary goals is to get "everybody" on board with the project, no matter what their interests are, this is good for the technical functioning of Tor network and for the anonymity of each user (the bigger the crowd the better). Thus their policy is to remain or at least appear as neutral as possible, where possible.

Adblocking bundled with the browser would mean that the browser itself and not merely the user is antagonistic to various interests that make money from ads and trackers (websites themselves, ad networks, data brokers…). Just one concrete consequence of this is more websites would then block Tor users in return (there are other more complex things as well), but the project in general would be antagonistic to capital's interests, thus potentially losing some of its support, both financial and in terms of technical "tolerance" (cf. the war between Tor and Cloudflare).

It's not just direct personal interests though, there are people who believe in the whole small business owner ideology and think that blocking ads is unfair to these small entrepreneurs who make a living from ads on their websites or youtube channels. (And I'm sure there are burgers out there who think adblockers are communism.) From the statements I've read I get a sense that Tor project is really careful not to alienate any potential users, they want to remain "apolitical" (they're libs, so what do you expect).

However, they are (were) considering adblocking, this statement is from 2 years ago:
>Just for the record, one idea we discussed in our recent Tor meeting would be to introduce an adblocker that is off by default. Then a single toggle switch would be available to activate the adblocker globally. This would result in splitting the anonymity set in two (one bit of fingerprinting, on average).
>Also regarding fingerprinting: I think we would want also to minimize the available controls to users to make sure that they can't (easily) add or remove blocklists or apply other global custom settings that will make them fingerprintable. I do think it would be acceptable to include an "allow ads on this site" button if the unblocking mechanism is first-party-isolated.
There's been no news since then, so it's likely very low priority or maybe the idea was dropped.
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/17569
>>

 No.10732

>>10731 (me)
Forgot to cite Tor project on ads:
>As a general matter, we are also generally opposed to shipping an always-on Ad blocker with Tor Browser. We feel that this would damage our credibility in terms of demonstrating that we are providing privacy through a sound design alone, as well as damage the acceptance of Tor users by sites that support themselves through advertising revenue.
https://2019.www.torproject.org/projects/torbrowser/design/#philosophy
>>

 No.10733

>>10730
>Why should the site have tracking functionality included, when it needs to load that from a tracking provider?
Consider a "4th-party" or "meta" tracker specialized in fingerprinting users through their adblocking filters. Yes, eventually this tracker would also be end up in blocking filters, but that's how it is, cat and mouse game.
>>

 No.10734

>>10733
That was a technical question. How could the site access tracking infrastructure, when it would need to hardcode it into every page and could not forward the data to the tracking provider over js/ajax.
>>

 No.10735

>>10734
The example I gave is of a not-yet-blocked provider, a new kid on the block, but yes, they technically could also hardcode it into every page, although why not just make the 1st party host the script file? The script just needs to send the raw data back to the website itself (so 1st party request), then their backend forwards the data to the provider to be analyzed. It's not that hard technically, the website just installs a server module that does all this automatically.

Maybe you're thinking why does this matter when filters will catch up sooner or later (although remember that the fingerprinting threat comes from users using different filters). It matters in the case of Tor browser due to how it defeats fingerprinting: it doesn't block trackers, it gives them fake data that is uniform for all Tor users or otherwise ensures uniform conditions (e.g. window size), so that everybody looks like the same person. But when you block a specific selection of those trackers instead, you introduce new bits of fingerprint data with that selection.

It's two different methods that right now kinda step on each other's toes in practice, and one (block filters) is always catching up with the million trackers out there, while the other (Tor browser) just has to keep the browser's mouth shut / feed the lines to it in a uniform and consistent way.

That doesn't mean they can't work well together. For example, there's things that Tor devs haven't discovered how to spoof yet without fundamentally breaking things. One such example is the scroll bar width, it can be calculated via window and viewport size difference. For such cases blocking trackers would be useful, but the only proper solution is for Tor browser to be bundled with adblocker by default without user being able to switch it off or change filter lists, so that uniformity is enforced. Unfortunately that doesn't look likely:
>>10731
>>10732
>>

 No.10737

>>10731
>Adblocking bundled with the browser would mean that the browser itself and not merely the user is antagonistic to various interests that make money from ads and trackers (websites themselves, ad networks, data brokers…). Just one concrete consequence of this is more websites would then block Tor users in return (there are other more complex things as well), but the project in general would be antagonistic to capital's interests, thus potentially losing some of its support, both financial and in terms of technical "tolerance" (cf. the war between Tor and Cloudflare).
Great point.
>>10730
>I don't think the added attack surface you get from allowing all js is worth the risk of fingerprinting.

Browse in Whonix then. A tor dev (Matt Traudt) says this about JS exploits:
<setting the security slider to its highest setting:
>This is unnecessary for the majority of adversary models and will make the web significantly less usable.

>The only people who have had significant JavaScript exploits used against them in Tor Browser were pedophiles using Windows. This suggests to me (and security experts in general, AKA not people that read "tech news" and parrot everything they read) that these exploits are rare, expensive, and hard to replace. Thus they aren't going to be used against random people because the risk of the exploit being discovered and fixed is too great.


>Setting the security slider to its highest setting does remove JavaScript as a possible attack vector. So as long as you set it there consciously, are aware much of the web may break, I support your choice to disable it. I especially support it if you have legitimate concerns that JavaScript exploits may be used against you, not just dumb paranoia.

http://tv54samlti22655ohq3oaswm64cwf7ulp6wzkjcvdla2hagqcu7uokid.onion/posts/about-to-use-SkxEFK1m/#index2h1

I use 'safer' in whonix but if 90% of tor users used 'standard' (which I think is unlikely?) then I would switch to that
>>

 No.10744

>>10737
Whonix is really the ultimate solution if you still want to use a normal OS instead of Tails or Qubes. And if you still want to run Tor browser natively on host OS then there's firejail which runs the browser in a sandbox.

>I use 'safer' in whonix but if 90% of tor users used 'standard' (which I think is unlikely?) then I would switch to that

Idk, I think a huge majority of users are allergic to sacrificing any usability, so it might be close to 90%. But a lot of them also do stupid shit that makes them less uniform. When letterboxing was introduced you had a mass of people complaining on Tor's blog about "grey borders", meaning they were all resizing and maximizing their windows prior to that. It really showed how uniformity is really poorly maintained by users in practice, which fucks it up for everybody.

Btw, on fingerprint tests I get best results at "safest" security level, while "standard" and "safer" come out exactly the same. Although I doubt these tests are that good. EFF's one claims to test with real trackers yet I get same results even with or without uBlock Origin with all filter lists enabled.

Should be mentioned though that security levels are not meant to defeat fingerprinting but reduce browser's security vulnerabilities.

Unique IPs: 18

[Return][Go to top] [Catalog] | [Home][Post a Reply]
Delete Post [ ]
[ overboard / sfw / alt / cytube] [ leftypol / b / WRK / hobby / tech / edu / ga / ent / 777 / posad / i / a / R9K / dead ] [ meta ]