NoScript Awarded $10,000 178
An anonymous reader noted an interesting bit of information about a tool a ton of Slashdot users make use of every day: "NoScript has been chosen as the recipient of the DRG Security Innovation Grant. This is a great honor and a spur to keep making the Web a safer place. I feel the urge to thank the committee for recognizing NoScript as a pioneering force in browser security, and the community of contributors, researchers, translators, beta testers, and loyal users who keep this project alive day after day. The grant will fund the effort to merge the current two development lines, i.e. 'traditional' NoScript for desktop environment."
Did they also get a grant... (Score:3, Informative)
Re:Should have been a default in browsers from day (Score:5, Informative)
Ghostery [ghostery.com]exists for Firefox/Chrome/IE/Safari, and can be taught to behave as noscript.
Re:Not the holy grail of browser security (Score:2, Informative)
For many of them (e.g. Clickjacking or cross-zone CSRF with DNS rebinding) NoScript features specific countermeasures which go far beyond script blocking.
Furthermore NoScript blocks plugins, XSLT, HTML5 media and web fonts on untrusted sites, which reduces the attack surface to HTML/CSS parsing or image decoding vulnerabilities, relatively rare nowadays. And even those, usually, still require scripting to be exploitable on modern systems (e.g. for heap spray preparation).
Re:Should have been a default in browsers from day (Score:5, Informative)
This, exactly. I would rather backup my machine properly and practice safe browsing habits then put up with NoScript's bullshit. Ive read for years people extolling its virtues, but i personally cannot stand the neutered web it presents.
The whole point of NoScript is to allow you to control whether scripts run on a finer level than the "off/on" that browsers support natively, and it does that easily, with one click per domain.
If you use NoScript to deny scripts globally, then you are using it wrong. Instead, you enable each domain (just once, as NoScript remembers the setting) that you deem safe. This makes browsing much more secure, although you can still be caught if a trusted domain starts serving malware scripts, but it's better than being open to attack from every domain.
Flash *does* support screen readers (Score:2, Informative)
I'm not a big fan of Flash on the web, but it is absolutely untrue that Flash doesn't support screen readers. http://www.adobe.com/accessibility/products/flash/best_practices.html [adobe.com]
What is true is that it is possible to build websites in either HTML or Flash that don't support screen readers.
Re:Should have been a default in browsers from day (Score:2, Informative)
PrefBar [tuxfamily.org] restores this functionality. Single-click control of images (for those not-necessarily-SFW threads), colors (for that asshat on FailSpace who thought that red on a green background was a good idea), and of course, Javashit, Java, Flash, cookies, referrer-sending, and so on.
If nothing else, use it for speed. (Score:3, Informative)