← Back to context

Comment by pabs3

4 days ago

There is just a small JS shim from the extension to the Python code, but yes.

The benefit is that you don't need to enable arbitrary code execution in your browser. A variety of benefits flow from that; static pages, almost no advertising, fewer working paywalls, smaller attack surface etc.

4 comments

pabs3

Reply
esperent  4 days ago

> static pages

I'm not sure I agree that it's a static page if there's a web extension running JS involved in the page render. I guess it's a grey area.

> almost no advertising, fewer working paywalls

We're talking about Mastodon, right? I thought it would not have those.

> smaller attack surface

This one I'll give you, but what kind of attacks would you expect from a Mastodon instance?

If all of this is a big enough issue to make you disable JS in the browser, wouldn't it be reasonable to whitelist Mastodon instances that you use?

  • pabs3  3 days ago

    I was mostly speaking to the general advantages of not enabling JS.

    > static pages

    As in it won't change after you load the page.

    > almost no advertising, fewer working paywalls

    Indeed, haven't seen these with mastodon instances, but you never know when that will start happening.

    > smaller attack surface

    The instance could have been hacked, or you could have angered the admin, or you could have angered some other user who knows of a vulnerability they could leverage to send you custom JS.

    The JavaScript sent by Mastodon is obfuscated, so it isn't reasonable to expect to be able to audit it and mark it as safe. You could YOLO and allowlist an JS from trusted instances of course, but that opens you up to the scenarios above.

    • esperent  3 days ago

      > Static page... As in it won't change after you load the page.

      That's not what static means in the context of web development. It means that the html is delivered from the server in a static form and doesn't need to be changed in any way to be displayed.

      > The JavaScript sent by Mastodon is obfuscated, so it isn't reasonable to expect to be able to audit it and mark it as safe

      This is what file hashes are for. But agreed, you do need to trust the upstream file provider. I had assumed that a federated system like Mastodon had considered this already and had a way of confirming js hashes to ensure against rogue nodes. Is that not the case? If so it seems like an oversight.

      But anyways, thanks for replying to me. I asked because, as a web developer, I'm always curious about why people disable JS. I have yet to be convinced of any valid reasons for most people to do it, but I can understand that some people have stronger security concerns. For those people though, it always feels like it would make more sense to spin up a VM and browse inside there with all the unsafe JS, rather than enduring a daily struggle through a litany of websites that don't work properly.

      1 reply →