The general 'blog' integration

[deleted]

rob006 I'm curious to understand - if you dislike JS so much, why do you want to even use flarum in the first place ?

rob006

[deleted] I never said that I dislike JS. I'm using NoScript for security and privacy reasons.

[deleted]

rob006 right, but you're essentially disabling a significant portion of flarum's capabilities by not permitting JS. It's perfectly acceptable to use JS on websites providing the owner of that site takes security seriously. I assume you're aware that JS is in fact only a minor percentage of security threat in today's world. I'd actually be more concerned around poorly secured ciphers, lack of common standards around encryption, plus various others, such as formulating an attack on the web server directly by using a simple finger request.

I understand the perfect perspective, but preventing JS running will not stop me (I'm a security professional by trade) enumerating other aspects of the site to gain intelligence, then formulate an attack based on that.

jordanjay29

rob006 I find that Privacy Badger works far better than NoScript for blocking insecure scripts. Many cross-server scripts are scraping for information, while most self-served scripts are not, and Privacy Badger does a good job at whitelisting the common tools and CDNs while being aggressive about untrusted and known-malicious sources. I've had Privacy Badger block my personal website when I've used it to host images elsewhere, to give you an example of its intensity.

It's your choice, but considering that there exists tools to allow for browsing on websites that (agree with it or not, it is 2019 and it is the reality of the web) make critical use of javascript, NoScript is a naive approach to security at best, and a stubbornly outdated one at worst. It's certainly not a compatible philosophy with Flarum and other javascript-native apps.

rob006

[deleted] right, but you're essentially disabling a significant portion of flarum's capabilities by not permitting JS.

Not significant, but basically all capabilities of Flarum. Flarum is unusable without JS (it does not have even navigation between no-JS pages of topic).

[deleted] I assume you're aware that JS is in fact only a minor percentage of security threat in today's world.

If we exclude cases like "Oh, I will download this nice exe file and run it to check what it is", JavaScript stuff is responsible for almost all security issues related to browsing the web. Every dangerous API and advanced tracking is related to JavaScript. You may focus on things like encryption or security headers, but this is relevant only if I, as a user, trust your website (or at least I accept some risk to use it with JS enabled). And I don't trust websites which I'm seeing first time in my life. If it will not show me any valuable content, it does not even have a chance to earn my trust.

jordanjay29 It's certainly not a compatible philosophy with Flarum and other javascript-native apps.

I'm pretty sure that in 10-20 years we'll be laughing at all these "javascript-native blogs", in the same way as now we're laughing from these old flash-websites without any content, just fancy effects after clicking menu button. 😉

tankerkiller125

rob006 There will always be a trade off for security and privacy. I deal with these kinds of issues daily at work when planning out new security measures. Things like if we encrypt all of USB drives it protects our data from being stolen by accidental loss of the USB drive. But if we do that then we can't use our USB drives on any computer that isn't connected to Active Directory network. If we enable MFA it greatly decreases our risk of phishing attempts being successful, but at the cost of time, training and potentially breaking important internal applications. So forth and so on, every action has a risk, every security/privacy measure has an impact on usability. If you wanted to be truly secure you would isolate your computer entirely, use an operating system you built yourself, never connect to the internet, keep it in a faraday cage and never connect it to anything but batteries. But at the cost of an entirely unusable computer.

Also even without JS you can still be vulnerable to attack, all it takes is someone making a discovery about the way the browser handles HTTP headers, URLs, CSS, fonts or HTML or anything else and using just the server logs with a little Machine Learning someone can learn a lot about you and your browsing habits. I understand your security concerns and privacy concerns I really do, however you have to question if being unable to use a lot of websites properly is worth the tiny bit of extra security you gain.

[deleted]

rob006 JavaScript stuff is responsible for almost all security issues related to browsing the web.

That's a ridiculous statement. Certainly not true at all.

rob006

tankerkiller125 I understand your security concerns and privacy concerns I really do, however you have to question if being unable to use a lot of websites properly is worth the tiny bit of extra security you gain.

I'm not sure that you understand my situation. I can add exception to specific domain and use it with JS. NoScript does not stop me from using any website, it just gives me option do decide "do I really want to use this website which contains scripts from 25 different services (20 of them is used for tracking or serving adds)? Maybe I can just allow scripts from main domain and still block everything else?". It may be a little annoying in some cases, but it also removes a lot of noise from websites and prevents from running cryptocurrency miner on my browser. 😉

[deleted] That's a ridiculous statement. Certainly not true at all.

Whilst we are all entitled to opinions, it might be better if they are kept to yourself as this can cause unnecessary offense to others.

😉

[deleted]

rob006 sorry. Couldn't help myself 🤭
My point is that whilst JS certainly does exacerbate security issues, it's not even remotely as responsible for holes in web security as you may think. Sites without JS can be easily vulnerable to SQL injection, directory browsing and enumeration etc. WordPress for example is easily breached with poor security permissions, and placing config.php in the root. Not to mention full site takeover in about 3 steps with vanilla WordPress out of the box.

There is no single scripting language responsible for the world's data breaches and security incidents alone. Collectively, and working together, they often create vulnerabilities in each other. Similarly, you shouldn't rely solely on client side scripting. Server side incudes should always handle the back end transaction, but even with JS disabled, it's shockingly simple to inject a malicious payload into simple GET and POST requests

rob006

[deleted] I was talking about client side threads (so attacks on browser and client OS). Disabling JS is client/browser decision, it has nothing to do with SQLI or any other attack on web app itself...

[deleted]

rob006 hence my original point about JS being responsible for most web attacks. I'd also not need a web browser to figure out what OS you are using, and formulate an attack based on that.

The overall point here is that unless you allow JS, Flarum isn't going to work. Your choice.

rob006

[deleted] hence my original point about JS being responsible for most web attacks

I'm not sure how did you connected disabled JavaScript with server-side security (which has nothing to do with client side).

[deleted] I'd also not need a web browser to figure out what OS you are using, and formulate an attack based on that.

I dare you. Create a website which will do anything harmful with my computer with JS disabled. I can give you my user agent if you want (a real one!). 😉

[deleted]

rob006 I dare you. Create a website which will do anything harmful with my computer with JS disabled

Be careful what you wish for. JS really isn't the only thing that can damage the client side.

rob006 which has nothing to do with client side

I'm well aware of that. It doesn't matter anyway. I've a feeling you're going to be "right" no matter what.

rob006

[deleted] Be careful what you wish for. JS really isn't the only thing that can damage the client side.

As I said, feel free to show an example 😉.

[deleted] I'm well aware of that.

Then sorry, moving from "I have disabled JS in my browser for security" to "disabling JS will not protect you from SQL Injection" is too abstract for me...

010101

rob006 I gave a list of missing features, and non-JS support was not on it.

You started all of your arguments with a screenshot showing non-JS support. You just want to argue. I'll agree to disagree. Peace and love to you. Keep on browsing the web the way you want to browse the web. 🙂

And, I need to correct myself. This just goes to show that I never turn off JavaScript 😆 ... I made a comment about linking to RSS as a solution so that things are at least readable (010101). Turns out, Flarum already has great non-JS support. I just turned JavaScript off and you can read all the posts. Which I'm sure most people reading this will say, yeah, duh. But, throughout my 25 years of using the Internet, I just never feel the need to turn JavaScript off. The only time I turn it off is when I'm building a website and have to turn it off to see what will happen. Because of people who turn it off.

amdad

hrvoje_hr nope

« Previous Page