Comment by wtallis
5 years ago
"Block all JavaScript" never required an extension. All the browsers have an option to turn JavaScript off entirely. NoScript started out as a way to provide an easy UI for selective blocking of scripts.
But it experienced the best kind of scope creep: it gained the ability to block other dangerous web features (eg. Flash and other plugin objects, web fonts, etc.), gained features to make life easier when blocking scripts (ie. the surrogate scripts feature), gained other security features for blocking evil actions by the scripts that are permitted (XSS blocking, clickjacking protection), and helped pioneer some security measures that weren't related to scripting (HSTS, ABE as a precursor to and superset of CORS).
IIRC if you turn JS off in the browser, the "noscript" blocks on sites get executed. But if you turn NoScript on, the "noscript" blocks aren't executed.
They are not "executed". They are displayed to user.
Thanks for the correction. My point remains that the "NoScript" extension doesn't do anything with those "noscript" blocks, so they're not shown to the user despite the user not executing JS on the site.
This is a bit of a PITA when one tries to make the site "work well" with JS both enabled and disabled; or provide _alternatives_ for when the user-agent isn't running JS.
Those work really well when the user-agent is blocking JS globally, but not for NoScript: broken behaviour everywhere.
1 reply →