NoScript Awarded $10,000

An anonymous reader noted an interesting bit of information about a tool a ton of Slashdot users make use of every day: "NoScript has been chosen as the recipient of the DRG Security Innovation Grant. This is a great honor and a spur to keep making the Web a safer place. I feel the urge to thank the committee for recognizing NoScript as a pioneering force in browser security, and the community of contributors, researchers, translators, beta testers, and loyal users who keep this project alive day after day. The grant will fund the effort to merge the current two development lines, i.e. 'traditional' NoScript for desktop environment."

Did they also get a grant...

[twocows]

Did they also get a grant for messing with other addon settings so their ads show up on their homepage [slashdot.org]?

Re:Should have been a default in browsers from day

[uigrad_2000]

Ghostery [ghostery.com]exists for Firefox/Chrome/IE/Safari, and can be taught to behave as noscript.

Re:Not the holy grail of browser security

[Anonymous Coward]

here are plenty of vulnerabilities found that do not need scripts

For many of them (e.g. Clickjacking or cross-zone CSRF with DNS rebinding) NoScript features specific countermeasures which go far beyond script blocking.

Furthermore NoScript blocks plugins, XSLT, HTML5 media and web fonts on untrusted sites, which reduces the attack surface to HTML/CSS parsing or image decoding vulnerabilities, relatively rare nowadays. And even those, usually, still require scripting to be exploitable on modern systems (e.g. for heap spray preparation).

Re:Should have been a default in browsers from day

[nabsltd]

This, exactly. I would rather backup my machine properly and practice safe browsing habits then put up with NoScript's bullshit. Ive read for years people extolling its virtues, but i personally cannot stand the neutered web it presents.

The whole point of NoScript is to allow you to control whether scripts run on a finer level than the "off/on" that browsers support natively, and it does that easily, with one click per domain.

If you use NoScript to deny scripts globally, then you are using it wrong. Instead, you enable each domain (just once, as NoScript remembers the setting) that you deem safe. This makes browsing much more secure, although you can still be caught if a trusted domain starts serving malware scripts, but it's better than being open to attack from every domain.

Flash *does* support screen readers

[Anonymous Coward]

I'm not a big fan of Flash on the web, but it is absolutely untrue that Flash doesn't support screen readers. http://www.adobe.com/accessibility/products/flash/best_practices.html [adobe.com]

What is true is that it is possible to build websites in either HTML or Flash that don't support screen readers.

Re:Should have been a default in browsers from day

[Anonymous Coward]

It was. Netscape up to version 3 had menu items that would turn JavaScript on and off, and images on and off. For NS4 those were buried in the settings dialog, and were therefore not easily switched on the fly.

PrefBar [tuxfamily.org] restores this functionality. Single-click control of images (for those not-necessarily-SFW threads), colors (for that asshat on FailSpace who thought that red on a green background was a good idea), and of course, Javashit, Java, Flash, cookies, referrer-sending, and so on.

If nothing else, use it for speed.

[dezert1]

Not having JS loading makes all pages load incredibly fast. Use it like a turbo button. That combined with Ghostery and Better Privacy make for a pretty good browsing experience (and shows you what each page is attempting to do). If you are looking for perfection, there is nothing stopping you from writing your own browser. NoScript is the biggest reason I stick with FF. Love it!