[Cryptography] Crippling Javascript for safer browsing

Jerry Leichter leichter at lrw.com
Wed Jun 4 22:40:58 EDT 2014


On Jun 4, 2014, at 9:05 PM, John Ioannidis <ji at tla.org> wrote:
> Jerry, you know very well why none of these are ever going to happen. Why are you even bothering to enumerate them?
> 
> A certain browser vendor won't even give you the ability to change the default font size and scale the rest of the screen accordingly -- if it looks good on the screen of the squirt who wrote the code, they don't care about what screens others might have. And you expect them to ship changes that would break that model?

I expect nothing from the usual gaggle of browser vendors.  But that doesn't mean it wouldn't be possible to create a new, safer browser - say by adding options to (if the upstream maintainers will accept them) or forking (if they won't) WebKit.  These would be fairly isolated and shallow changes, so even if you have to fork, bringing over WebKit updates should be simple.

If you can get an uptake comparable to NoScript, people will notice - and that should be possible.

The days of competition on "percentage of features supported" are thankfully long gone.  No one is going to win any battles against a reduced Javascript browser by saying "we implement 100% of the Javascript standard".

Google still believes that the browser should replace the operating system, so I don't see Chrome going along.  Apple and Microsoft, on the other hand, aren't nearly as reliant on Javascript, and one could imagine them adding support for "reduced Javascript" just to cause Google grief.  I have no clue what Firefox would do - probably add separately settable options for each feature in Javascript.  :-)  Is there anyone else even worth mentioning?

A private WebKit won't directly get you into iOS because Apple insists that you use their own WebKit, but hey, that's OK; you can't please everyone.  (Besides, if you really want, you can get an iOS developer's license for $99/year and then build whatever apps you want for your own phone.  As long as you don't submit them to the App Store, the App Store rules are irrelevant.)

A personal experience on this front:  Many years ago - the young'uns may not recognize some of the terms in the rest of this sentence - I used Netscape on a Sun X server box with a black and white CRT as the display.  HTML was evolving rapidly at that point, and all of a sudden you could set a background image on pages.  Everyone did - usually with no taste and no thought about how (un)readable the result would be, especially on a black and white screen.  Many sites became unusable.  I fixed this by finding the string constant for the HTML element to set the background to something else.  I didn't have the sources and didn't feel like building them, so I just patched the executable - EMACS makes a fine binary patcher when all else fails.  Sites using the actual spec'ed element ... were readable again.  I think I may have done the same thing again later when <BLINK> became all the rage.  If some site had known to send me <xLINK> in their HTML, they might have been able to annoy me - but not with <BLINK>.

                                                        -- Jerry


