Comment by esperent
4 days ago
> I'm working on adding a WebExtension that would let you use it in the browser.
Doesn't that just move the JS from the browser into the extension? What's the benefit?
4 days ago
> I'm working on adding a WebExtension that would let you use it in the browser.
Doesn't that just move the JS from the browser into the extension? What's the benefit?
There is just a small JS shim from the extension to the Python code, but yes.
The benefit is that you don't need to enable arbitrary code execution in your browser. A variety of benefits flow from that; static pages, almost no advertising, fewer working paywalls, smaller attack surface etc.
> static pages
I'm not sure I agree that it's a static page if there's a web extension running JS involved in the page render. I guess it's a grey area.
> almost no advertising, fewer working paywalls
We're talking about Mastodon, right? I thought it would not have those.
> smaller attack surface
This one I'll give you, but what kind of attacks would you expect from a Mastodon instance?
If all of this is a big enough issue to make you disable JS in the browser, wouldn't it be reasonable to whitelist Mastodon instances that you use?
I was mostly speaking to the general advantages of not enabling JS.
> static pages
As in it won't change after you load the page.
> almost no advertising, fewer working paywalls
Indeed, haven't seen these with mastodon instances, but you never know when that will start happening.
> smaller attack surface
The instance could have been hacked, or you could have angered the admin, or you could have angered some other user who knows of a vulnerability they could leverage to send you custom JS.
The JavaScript sent by Mastodon is obfuscated, so it isn't reasonable to expect to be able to audit it and mark it as safe. You could YOLO and allowlist an JS from trusted instances of course, but that opens you up to the scenarios above.
2 replies →