Revision of Introducing SomeScript from May 27, 2009

tung's picture

SomeScript is a simple JavaScript whitelist add-on for Firefox. You can read all about it on the GitHub site, or install the very very very early version from the downloads page.

SomeScript is just YesScript backwards: instead of allowing JavaScript and blocking it on selected sites, it denies JavaScript by default and only allows it on selected sites.

The question on everyone's lips: why?

There was a big AdBlock Plus/NoScript/EasyList incident that had NoScript quietly alter AdBlock Plus operation without the user's consent, and then later revoke it. Some people galvanised around NoScript, saying that the actions were justified due to EasyList's overly aggressive blocking of the ads on the NoScript site, causing the site to break. Many others were understandably upset that NoScript was running obfuscated code to change another add-on's behaviour without their consent. I was upset.

After having NoScript's code run without my consent, I wasn't ever going to run it again, and I imagine others felt the same. But after all that, we really only had two options:

  1. Uninstall NoScript, give up JavaScript blocking.
  2. Grudgingly stay with NoScript, since there are no alternatives for JavaScript whitelisting.

I wasn't happy with either of these options. I wanted JavaScript whitelisting, but I didn't want to run NoScript after what happened.

There was a lot of discussion about the incident, but one reply from the AdBlock Plus author's blog really stood out:

Reply from Wladimir Palant:

I agree with the last paragraph, I would like to see at least an extension implementing “NoScript’s core functionality”. The problem is that NoScript’s core functionality is not what NoScript is doing – instead NoScript is a huge conglomerate of various hacks, most of which users don’t know about (and don’t even want to have).

"NoScript's core functionality" being JavaScript blocking on a per-site basis.

And so, SomeScript was born. It blocks JavaScript on a site by default, and you can click the black script icon to enable it. Reload the page and you're done. It's the JavaScript blocking part of NoScript, without installing NoScript.

This whole incident has highlighted that there's no option for JavaScript blocking other than NoScript.

Until now. :)

Like YesScript, it's GPLv2, and the source is available for all to see. I don't take ad bribery, so SomeScript will always be free. And since the source is so simple, if you ever doubt my integrity, you can read the code yourself; I'll always keep it clear and easy to read (unlike NoScript's code, which is a scary hive of hacks that will stagnate the moment Giorgio Maone gets hit by a bus).

Most of all, unlike NoScript, SomeScript only gives you options for things you understand. SomeScript only enables/disables JavaScript. Security should be based on knowledge, not fear. You can't protect yourself against cross-site scripting if you don't know what it is. You can't guard against SQL injection when designing a site if you don't know what that is. You can't block or allow JavaScript from a site unless you can read and understand the source before you run it. If you want or need JavaScript on a site, enable it. If you don't, leave it blocked. That's all there is to SomeScript.

SomeScript still needs translations for the languages YesScript has. I had to drop the existing ones because if I didn't, they'd say the exact opposite of what they meant, which would be confusing as all hell.

I'd also like to get NoScript's base-level domain whitelisting, if it isn't more trouble than it's worth.
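
A sketch of what base-level domain whitelisting involves when combined with the default-deny rule described above. This is an added example, not SomeScript's code; the function names, the short suffix set and the sample URLs are assumptions made for illustration.

```javascript
// Added illustration, not SomeScript's source; every name here is hypothetical.

// Constructed sample of multi-label public suffixes. A real implementation
// would consult the full Public Suffix List instead of this short set.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "github.io"]);

// Reduce a hostname to its base domain:
//   "www.example.com" -> "example.com", "a.shop.example.co.uk" -> "example.co.uk"
function baseDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  // IP literals have no base domain; match them whole.
  if (/^\d+(\.\d+){3}$/.test(host) || host.startsWith("[")) return host;
  const labels = host.split(".");
  if (labels.length <= 2) return host;
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Default deny: scripts run only if the page's base domain is on the whitelist.
function scriptsAllowed(pageUrl, whitelist) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch (e) {
    return false; // unparsable URL: stay blocked
  }
  const base = baseDomain(url.hostname);
  // A bare public suffix must never match, or one entry would allow
  // every site registered under it.
  if (base === "" || MULTI_LABEL_SUFFIXES.has(base)) return false;
  return whitelist.has(base);
}

// Constructed whitelist and URLs.
const whitelist = new Set(["example.com", "example.co.uk"]);
for (const u of [
  "https://www.example.com/page",      // subdomain of a listed base domain
  "https://shop.example.co.uk/",       // multi-label suffix handled
  "https://notexample.com/",           // plain suffix matching would allow this
  "https://example.com.evil.test/",    // listed name used as a subdomain label
  "https://other.co.uk/",              // shares only the public suffix
]) {
  console.log(scriptsAllowed(u, whitelist) ? "allow" : "block", u);
}
```

Comparing whole labels rather than string suffixes is what keeps `notexample.com` blocked, and the suffix set is what stops a `co.uk` entry from whitelisting every site under it.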