That's so crazy it might just work. I checked an article about copyright protection for short phrases[0] and learnt that a court ruled that the text “I may not be totally perfect, but parts of me are excellent” is protected by copyright. It would thus be possible for the author of that phrase to register:
and sue anyone who links to them. Hopefully the author will be so grateful for this insight that they won't sue me for reproducing their copyrighted work in this comment.
From one of my previous comments in another thread (this past week, probably):
> IANAL
> What I think they mean by this is that you shouldn't link to resources on their website to make it seem like they endorse your (product, website, whatever).
How can someone spoof the page/inject ads if the site is served over https?
They would need to have compromised one of the root certificates on your machine to not give you a giant security warning.
In modern browsers there’s not even a button to bypass them (although I know I chrome you can type “this is unsafe” to a hidden input in the error page and it will let you bypass it temporarily).
I prefer making all my sites work just as well without JavaScript as with it. This is cool though if you need a quick check to see if JavaScript is enabled.
I've also been tinkering more with no framework js, although it's by way of typescript and webpack. And it's really fun, I think there are a lot of cases where you can just opt out of react or bootstrap if you know what you're doing
noscript is sadly, not perfect, but works if you stay 1st party.
A great way to make your browsing better is to disable 3rd party scripts by default and whitelist when needed, but <noscript> fails to work in those conditions.
You're thinking about Noscript the plugin. <noscript> is also an HTML tag that can contain content for use when the browser isn't running JS, but which would yield a cleaner page if not present when JS is running.
if you disable 3rd party javascript, (using ublock origin or others) noscript tags don't trigger because scripting is still technically turned on and noscript tags aren't assigned to the script they compliment so the browser has no way of knowing which ones to run or not run in the 3rd party situation.
In which occasion a software ootb like a browser won’t have JavaScript enabled? I’m genuinely curious, the only time I saw something like this was using the distro Kali having no script in Firefox.
I sometimes read HN in a text web-browser, but ultimately most people will have JavaScript enabled.
It's worth saying that most people don't even know what Javascript is, full stop. Weirdly enough my now mother does, but my younger sister doesn't - we now have a generation that has effectively grown-up post-smartphone, which is fascinating to me.
I use Purify ad blocker only for its JavaScript blocking option. I can re-enable JavaScript on a per-site basis by going through “Purify Actions” from Safari’s Share Sheet.
I combine this with another ad blocker (Wipr) to block everything else.
If someone knows how to achieve the same on Linux for Chrome and Firefox, I'd love to hear it (browser plugins are a bit of a security and stability shitshow, so non-plugin solution would be preferred, all else being equal).
From a security stand point you should at least have uBlock Origin installed for Chrome and Firefox. It can block JavaScript easily. I would trust NoScript as well which provides fine grain control over scripts. I get not wanting any extensions, but blocking scripts will unfortunately never be viable in a user base that doesn’t know what a “script” is...
Mozilla removed the normal settings toggle a while back, so your options are to manually set javascript.enabled in about:config or use an extension. I agree in general that extensions aren't great, but I trust uBlock.
I think Chrome actually is fine although I don't know of a keybinding for it: Don't they still have a toggle right in the site menu (click the icon to the left of the URL to toggle all kinds of these things)?
In Vivaldi (which I'm 99% certain matches chrome for this part) you click the icon to the left of the URL and then click "Site Settings" at the bottom of the resulting menu where you can toggle a slew of permissions, including javascript.
It's about the best UI I could come up with for this particular knob and the other things adjacent to it.
You can still disable JavaScript via the developer tools. Although it is this session only and auto-reload, so you must tick that checkbox every time you navigate to a new link.
Ugh, sorry, I misread that. The workaround I would recommend on iOS is just turn javascript off in Safari and install another (Safari-skin) browser like Chrome for the times when you need javascript -- or vice versa, depending on what your default preference is.
So running untrusted code on your computer is a bad thing. Well, it should be in a sandbox, but that has many intentional and proably some less intentional holes to do stuff on your machine.
So how do I trace what Javascript is doing on my machine?
Generally mitmproxy gives a feeling what sites the browser talks too. And strace gives often a good feeling what a Linux binary does. But the browser is too big and complicated to read strace output in most cases.
Can anybody recommend a tool to look what Javascript code loaded by a certain page is doing?
>Can anybody recommend a tool to look what Javascript code loaded by a certain page is doing?
Almost all modern browsers have debug panels that will list all of the requests made by a page, assets cached, cookies and local db, and of course it's trivial to just view the source of a site and read the javascript if it isn't compressed.
Yes, I am aware of dev tools. I use them to look at network requests or to "steal" my own credentials for curl usage.
Haven't really used the Javascript debugger, but my guess would be completely infeasible to follow everything a random "modern" Web site might do. And as you say some Javascript might be compressed or obfuscated. What I really would want is a somewhat higher level / more filtered approach: Like strace lets me just trace file operations for example.
I'm not sure if it always works on all APIs or browsers, but you can wrap and replace DOM API objects with logging proxies.
Additionally, you can set breakpoints on event handlers and Chromium has deobfuscation built in. You can usually tell approximately what's going on by stepping through the code and watching the variables in local scope.
> Can anybody recommend a tool to look what Javascript code loaded by a certain page is doing?
Open your browser's developer tools, go to the Script/Debugger tab and have at it. It's just about as obtuse to use as a tool as gdb, but you'll see exactly what it does. Chrome dev tools has automatic formatting of the code, maybe firefox too. But you'll be stuck with shitty variable names if they been mangled. Although you could try http://www.jsnice.org/, I had variable luck with using it.
It would be interesting to have a browser tool that is like strace and you could filter by calls, so you can see exactly where window.navigator is being used for example, or localStorage.setItem. For now best you can do is searching for "navigator" which works, but can be minified/hidden away by coder as well.
> It would be interesting to have a browser tool that is like strace and you could filter by calls, so you can see exactly where window.navigator is being used for example, or localStorage.setItem.
Because JavaScript is dynamic, you can often rebind things like window.fetch to trace what’s going on (store the old copy and replace with a new one that does something before delegating). If you can arrange your shim to be loaded before any other JS, I guess you could implement something like object capabilities for JavaScript?
It's not a part of the standard. What you're asking for is a "js vm proxy" of some sort that would mitm all interactions between js and the host. An ad company would never let this happen as that would reveal the fingerprinting techniques and empower adblockers.
In my view, micrototalitarian actions like this are every bit as bad as the ills they seek to cure. Insisting on infringing the liberty of others, before even so much as talking to another person is the very core of what ails our society in this time.
You don’t have a right to browse someone else’s content.
Calling out your histrionics for what they are is not ad hominem. I’m attacking your statement, not your person.
Further, that’s not some sort of axiomatic law, that’s just a phrase. Even if it was, losers using ad hominem doesn’t mean winners don’t, that’s not how logic works.
He may have insulted you, but not all insults constitute logical fallacies.
Ad hominem: You're wrong because you're an idiot.
Just an insult: You're an idiot because you're wrong.
Furthermore, concluding that somebody is wrong because they used a logical fallacy is itself a logical fallacy. If I said "2+2=4 because you're an idiot" my reasoning would be fallacious, but to conclude that the answer must therefore not be four is also fallacious.
micrototalitarian, adjective: relating to a system of government that is a tiny bit centralized and dictatorial and requires a microscopic degree of subservience to the state.
I disabled it with 4 taps in uBlock Origin, Firefox Android. Open menu, Add-ons, uBlock Origin, the JavaScript icon. Then another tap to reload the page, the back button and the site did show.
The reason you see a blank page is because the website wraps content into a <noscript> tag and by "disabling javascript" it wants you to render <noscript> content, not actually disable javascript. But it's a bad idea in practice. Most websites work better out of the box if you disable javascript, but not render <noscript>, and also disable CSS, and inject some custom style to fix size of embedded icons. I'm not sure if there is a public extension that does that though.
I really don't think that's true. For one thing, anything beyond static content sites are just not going to work. And even content sites could well be unusable without their layout CSS. I really don't see the point in subjecting oneself to such hassle.
I would suggest that most websites work better if you have javascript and CSS enabled, since that's what they were designed for, but use an ad blocker like uBlock matrix to remove the ads.
There are also ways to track you on the front end without JS but I think "This website will not… track you" is just a promise from the not something that followed from the lack of JS anyways.
It could also be a canary in case the site gets bought out, and the new owner wants to implement invasive tracking. If a site has "will not track you" when you visit it, but the next visit it is removed...
Ye olde days of tracking just used invisible .gifs and every click was a different webpage so they just tracked which ones were requested to gain interaction metrics.
JS doesn't have any magic to it, location information is opt-in, but your IP is a much better advertising identifier.
IP behind NAT or CGNAT is not that useful, but many mobile browsers (especially cheap Androids) leak so many trackable details through headers that makes easier to uniquely identify devices/users
back in the '90s I was into connecting to IRC servers using spoofed IP addresses. The way it worked is you told the software what OS you were connecting to (or it would figure it out itself, I can't recall). Each OS had a unique way of generating TCP sequence numbers, which allowed the software to guess which number would come next.
Nowadays OSes have protection for this sort of thing. But I'd imagine you could still fingerprint an OS like that. Combine that with TLS, HTTP, etc. specifics and you could narrow it down quite a bit I bet.
How are you going from guessing TCP sequences to spoofing IP addresses on TCP connections? Did you breeze over a step or am I missing something obvious?
TCP packets contain sequence numbers that must correspond to the ones sent by the other side. This is an issue if you're spoofing packets because you don't receive packets (containing the sequence numbers) from the other side (they will go to the spoofed address, rather than yours). Without the other side's sequence numbers, your replies will be considered invalid, which means you can't complete the handshake[1] to establish a connection. However, if you can successfully guess the sequence numbers, you can complete the handshake and also write arbitrary data to the stream. You still won't be able to receive data, but for simple protocols like irc, it can still be useful eg. connecting to a server and then sending spam to an user/channel.
The mitigations for spoofing sequence numbers might be different for each OS, and that would allow the OS to be fingerprinted. See nmap's OS fingerprinting, for example.
> most people don't run their own resolvers, so at best you're fingerprinting DNS server of the ISP.
That’s not how it’s tracked commonly. Similar to HTTP caches, you can fingerprint visitors by how quickly a domain request resolves for them. Sure, all of this can be mitigated. But you have to even know what to mitigate. And given the most fanatical privacy folks aren’t aware of basic timing fingerprints is a good indicator that no one is mitigating it nearly as well as they might think.
If js were removed from the web tomorrow, the people currently working on tracking protection against js could instead focus on these other mechanisms. Because privacy is an arms race, reducing attack surface is not pointless even if the same tracking can be achieved by other means.
I don’t think JS (or some other runtime) could plausibly be removed from the web on any time scale. People have a (reasonable) expectation that they can do app-like things on a network, and that surface area will find its way to manifest one way or another. At least having it on the web has somewhat of a limiting effect on the entrenchment of the biggest (and worst) privacy offenders, because the barrier to entry is lower than building a wide array of native apps.
It logs requests to the site, which is far less invasive than the fine detail of browser fingerprinting and tracking that JS allows: JS can see your mouse pointer's position, how long you spent on each area of the page, which parts of the text you selected, and many many other things.
You can implement similar mouse recording via requests for :hover psuedoelements in CSS. Also, I’m not sure you need JS to get fine fingerprinting and tracking in 2020— https://wiki.mozilla.org/Fingerprinting
There are many companies with similar products: Inspectlet, Lucky Orange, probably more. This is a cat that will be quite difficult to put back in the bag.
Legitimate tools for measuring effectiveness of pages with little in the way of nefarious tracking afaics. Also very useful for replaying user errors/problems.
Any guesses as to why the source code look the way it does? I was expecting a traditional website inside the noscript tags, but instead I found an obfuscated soup letter between them.
Brave browser has a fairly simple process as well. It requires two clicks. Click on the shield on the top right, then click on the "Scripts Blocked" toggle button.
There's also a Firefox extension called "Disable JavaScript" that places a JavaScript toggle switch on your address bar and remembers whether you want JavaScript on or off on each specific site that you visit.
As someone who has JS off by default for a long time (ever since I discovered how much it could remove annoyances, and this was back when SPAs were basically nonexistent) and is thus often subjected to "Please enable JS" messages which more likely than not will simply make me click the back button[1], I am delighted to see this exists --- I've thought of the idea before, but never did anything with it:
[1] I once enabled JS on a site that claimed it would provide "a better experience", and was bombarded with a bunch of ads and other irritations that just made me turn it off again. It was not a "better experience".
I think it depends on how you disable it. Anecdotally, I think it’s “if no scripts are executed on the page, render <noscript> content, but if any scripts at all are executed, don’t”.
Does uMatrix still exist (maintained)? I remember reading it is being discontinued.
(I occasionally used it for curiosity, but found it too tedious in the long term. I have settled on CookieAutoDelete, which seem to address most tracking. Not many seem to run a completely server based fingerprint database.)
It is not maintained but the latest version[1] still works fine, and I will continue to run it until that is no longer the case.
[1] A beta that you can download from the github page. I assume the latest stable version also works fine, but the beta had a few additional bugfixes and features and I haven't encountered any instability.
I forget about the back button. By default, I always open links in new tabs which means back button has no data. Also, SPAs have hijacked the back button or just broken it completely, so I've been trained to not count on it behaving as expected. There's also mobile experience where getting to the back button itself is often painful after the UI hides navigation from you.
Otherwise, I am 100% in agreement. If a page is so user hostile to not making a friendly non-JS page, the tab gets closed
> By default, I always open links in new tabs which means back button has no data.
I really wish, even if it was an optional setting, browsers would copy the past history of the source tab when you did that. If it hit back in a tab I opened that way, I still want “where I got here from” not “stay here” or “new tab page" or especially “close the tab” (thanks a lot Android Chrome).
Safari does this, at least on iOS. If you open a new tab, then hit back, it just closes the tab and takes you back to the origin tab. If you’ve closed the origin tab, it leaves the active tab open but goes back to what the origin tab was.
How nice! I hope others support this trend so that the web is clearly split into two: (1) the traditional one, document-based, and (2) applications. Both are very useful, but (2) comes at a price not everybody wants to pay.
I expected this to be implemented with something like document.body.textContent = "Please disable JavaScript to view this site" on page load. Which would be enough to work. It's actually exactly it, but with the extra precaution of wrapping the entire page inside a noscript tag. Hilarious. I guess it's useful to avoid having a chance to see the content during a flash, before the script executes.
A good contrast with web pages which are not apps telling you "This app requires Javascript to run".
280 comments
[ 4.7 ms ] story [ 283 ms ] threadIn other news, possibly the best designed website of 2020: http://www.muskfoundation.org/
What? :)
i-may-not-be-totally-perfect-but-parts-of-me-are-excellent.com
and sue anyone who links to them. Hopefully the author will be so grateful for this insight that they won't sue me for reproducing their copyrighted work in this comment.
[0] https://fairuse.stanford.edu/2003/09/09/copyright_protection...
> IANAL
> What I think they mean by this is that you shouldn't link to resources on their website to make it seem like they endorse your (product, website, whatever).
https://news.ycombinator.com/item?id=25153873
https://www.berkshirehathaway.com/subs/sublinks.html
> FOR A FREE CAR INSURANCE RATE QUOTE THAT COULD SAVE YOU SUBSTANTIAL MONEY WWW.GEICO.COM OR CALL 1-888-395-6349, 24 HOURS A DAY
...on the homepage of a quarter-trillion dollar company, with no other ads.
They would need to have compromised one of the root certificates on your machine to not give you a giant security warning.
In modern browsers there’s not even a button to bypass them (although I know I chrome you can type “this is unsafe” to a hidden input in the error page and it will let you bypass it temporarily).
First, go to "Site settings" and disable it globally.
To make a site-wide exception, click on the icon in the address bar and enable it for the site there.
It used to be crippled and unusable, but they fixed it recently.
I also recommend Bromite on Android.
The other rule is that the JS is all hand-written. No frameworks or other dependencies.
A great way to make your browsing better is to disable 3rd party scripts by default and whitelist when needed, but <noscript> fails to work in those conditions.
if you disable 3rd party javascript, (using ublock origin or others) noscript tags don't trigger because scripting is still technically turned on and noscript tags aren't assigned to the script they compliment so the browser has no way of knowing which ones to run or not run in the 3rd party situation.
It's worth saying that most people don't even know what Javascript is, full stop. Weirdly enough my now mother does, but my younger sister doesn't - we now have a generation that has effectively grown-up post-smartphone, which is fascinating to me.
links
w3m
that's just off the top of my head.
I combine this with another ad blocker (Wipr) to block everything else.
https://support.apple.com/en-gb/guide/mac-help/mchlp2271/mac
If someone knows how to achieve the same on Linux for Chrome and Firefox, I'd love to hear it (browser plugins are a bit of a security and stability shitshow, so non-plugin solution would be preferred, all else being equal).
I think Chrome actually is fine although I don't know of a keybinding for it: Don't they still have a toggle right in the site menu (click the icon to the left of the URL to toggle all kinds of these things)?
It's about the best UI I could come up with for this particular knob and the other things adjacent to it.
And it's mostly a big ActiveX control.
https://webapp.walgreens.com/SupplierNet/login.htm
So how do I trace what Javascript is doing on my machine?
Generally mitmproxy gives a feeling what sites the browser talks too. And strace gives often a good feeling what a Linux binary does. But the browser is too big and complicated to read strace output in most cases.
Can anybody recommend a tool to look what Javascript code loaded by a certain page is doing?
Almost all modern browsers have debug panels that will list all of the requests made by a page, assets cached, cookies and local db, and of course it's trivial to just view the source of a site and read the javascript if it isn't compressed.
Haven't really used the Javascript debugger, but my guess would be completely infeasible to follow everything a random "modern" Web site might do. And as you say some Javascript might be compressed or obfuscated. What I really would want is a somewhat higher level / more filtered approach: Like strace lets me just trace file operations for example.
Additionally, you can set breakpoints on event handlers and Chromium has deobfuscation built in. You can usually tell approximately what's going on by stepping through the code and watching the variables in local scope.
Right, so you are describing the implementation of the tool I was looking for. Obviously I don't want to do that manually while tracing a page.
Open your browser's developer tools, go to the Script/Debugger tab and have at it. It's just about as obtuse to use as a tool as gdb, but you'll see exactly what it does. Chrome dev tools has automatic formatting of the code, maybe firefox too. But you'll be stuck with shitty variable names if they been mangled. Although you could try http://www.jsnice.org/, I had variable luck with using it.
It would be interesting to have a browser tool that is like strace and you could filter by calls, so you can see exactly where window.navigator is being used for example, or localStorage.setItem. For now best you can do is searching for "navigator" which works, but can be minified/hidden away by coder as well.
Exactly, that's what I meant.
Calling out your histrionics for what they are is not ad hominem. I’m attacking your statement, not your person.
Further, that’s not some sort of axiomatic law, that’s just a phrase. Even if it was, losers using ad hominem doesn’t mean winners don’t, that’s not how logic works.
Ad hominem: You're wrong because you're an idiot.
Just an insult: You're an idiot because you're wrong.
Furthermore, concluding that somebody is wrong because they used a logical fallacy is itself a logical fallacy. If I said "2+2=4 because you're an idiot" my reasoning would be fallacious, but to conclude that the answer must therefore not be four is also fallacious.
I would suggest that most websites work better if you have javascript and CSS enabled, since that's what they were designed for, but use an ad blocker like uBlock matrix to remove the ads.
Here[1] is the link to disabling JS for a site in Chromium.
[1] chromium://settings/content/javascript
chrome://settings/content/javascript
JS doesn't have any magic to it, location information is opt-in, but your IP is a much better advertising identifier.
Nowadays OSes have protection for this sort of thing. But I'd imagine you could still fingerprint an OS like that. Combine that with TLS, HTTP, etc. specifics and you could narrow it down quite a bit I bet.
[1] https://en.wikipedia.org/wiki/Transmission_Control_Protocol#...
Canvas fingerprinting, WebGL fingerprinting, GPU, fonts etc etc etc.
Please, stop arguing, JS is a nightmare for privacy. Period
most people don't run their own resolvers, so at best you're fingerprinting DNS server of the ISP.
>http caches
can be easily cleared, or mitigated entirely by extensions or browser (eg. multi account containers).
That’s not how it’s tracked commonly. Similar to HTTP caches, you can fingerprint visitors by how quickly a domain request resolves for them. Sure, all of this can be mitigated. But you have to even know what to mitigate. And given the most fanatical privacy folks aren’t aware of basic timing fingerprints is a good indicator that no one is mitigating it nearly as well as they might think.
Citation needed?
Things like this are seriously creepy: https://www.crazyegg.com/blog/mouse-recorder/
eg: hotjar.com sessioncam.com
Legitimate tools for measuring effectiveness of pages with little in the way of nefarious tracking afaics. Also very useful for replaying user errors/problems.
I have no idea why they made the SVG image inline but the CSS style external, though. That same image is used on every page.
Of course, you’d need to have JavaScript enabled to do that...
Would love to have heard that final talk!
https://news.ycombinator.com/item?id=11411982
[1] I once enabled JS on a site that claimed it would provide "a better experience", and was bombarded with a bunch of ads and other irritations that just made me turn it off again. It was not a "better experience".
(I occasionally used it for curiosity, but found it too tedious in the long term. I have settled on CookieAutoDelete, which seem to address most tracking. Not many seem to run a completely server based fingerprint database.)
[1] A beta that you can download from the github page. I assume the latest stable version also works fine, but the beta had a few additional bugfixes and features and I haven't encountered any instability.
I forget about the back button. By default, I always open links in new tabs which means back button has no data. Also, SPAs have hijacked the back button or just broken it completely, so I've been trained to not count on it behaving as expected. There's also mobile experience where getting to the back button itself is often painful after the UI hides navigation from you.
Otherwise, I am 100% in agreement. If a page is so user hostile to not making a friendly non-JS page, the tab gets closed
I really wish, even if it was an optional setting, browsers would copy the past history of the source tab when you did that. If it hit back in a tab I opened that way, I still want “where I got here from” not “stay here” or “new tab page" or especially “close the tab” (thanks a lot Android Chrome).
A good contrast with web pages which are not apps telling you "This app requires Javascript to run".