Javascript and security

8 replies
amuza
Joined: 02/12/2018

Allowing a browser to run every javascript code is a bad idea regarding freedom and security.

How much would Firejail protect that browser from javascript in terms of security?

I will understand if this question is not answered as it could lead people to run non-free javascript.

Geshmy
Joined: 04/23/2015

>How much would Firejail protect that browser from javascript in terms of security?

Firejail, as I understand it, isolates your browser from other parts of your system so that any damage that tries to come via the browser is limited.

To protect from javascript, it is probably best to use a plugin like NoScript or uMatrix.

I could be wrong.

PublicLewdness
Joined: 03/15/2020

I've never used Firejail before, but as I understand it, it would be a compromise compared to an extension like LibreJS. Extensions will mean sketchy JS scripts won't load, but then some websites won't work. With Firejail they will still run but in theory wouldn't cause damage to or expose the rest of your system. I guess it depends on how much one trusts Firejail. I haven't really looked into it much. It's easy to say just block all closed source or sketchy JS with an extension, but if it renders websites you need access to useless then it isn't an ideal solution for some.

amuza
Joined: 02/12/2018

> How much would Firejail protect that browser from javascript in terms of security?

I think my question was not correct. Maybe this way is a bit better:

In terms of security, how much protection would a system get from Firejailing a browser that is allowing every javascript?

Anyway it seems my question was understood. Thank you for the messages.

andyprough
Joined: 02/12/2015

> I think my question was not correct. Maybe this way is a bit better: In terms of security, how much protection would a system get from Firejailing a browser that is allowing every javascript?

It's still not a great question - you should NOT allow all javascript, as there is known malicious javascript in the wild that you will run into on websites if you browse enough. You should at a minimum use the noscript extension if you have any kind of a healthy concern about javascript. GNU has a stronger javascript extension called Librejs. Or, if you can live without js at all, you'd be best off to turn it off altogether.

Firejail is very powerful security for your browser, with its primary task to shield the rest of your system from your browser or other programs via sandboxing. So if someone DOES hijack your browser, the amount of damage they could do to your system is very limited if you are using firejail.

koszkonutek
Joined: 03/19/2020

> GNU has a stronger javascript extension called Librejs.

What do You mean by stronger? It's a way smaller extension than NoScript and it actually blocks less - because it allows some trivial js and js with licenses attached. Also, NoScript features some XSS protection and it can also be configured to block iframes, videos and other stuff. That makes NoScript a stronger extension, I think.

Actually, I am surprised to see Librejs still mentioned on this forum. There was one thread (gone now) where I and Chaosmonk pointed out many of its conceptual and implementation flaws.

andyprough
Joined: 02/12/2015

> What do You mean by stronger?

Stronger in that it completely blocks the non-libre js by default (last time I checked), whereas NoScript allows a lot of "trusted" non-libre js through by default.

> Also, NoScript features some XSS protection and it can also be configured to block iframes, videos and other stuff. That makes NoScript a stronger extension, I think.

I'm in total agreement that noscript is a much better overall security tool. I recommend it every chance I get. Librejs is not the same at all.

> There was one thread (gone now) where I and Chaosmonk pointed out many of its conceptual and implementation flaws.

That's kind of irrelevant - I don't always agree with Chaosmonk, just like I would be unlikely to always agree with you. However, on this subject I think you and I are on the same page basically, in that we both prefer noscript as our security tool of choice for dealing with js.

koszkonutek
Joined: 03/19/2020

> NoScript allows a lot of "trusted" non-libre js through by default

Now that You mention it - I indeed remember removing that default whitelist every time I set up a browser with NoScript :)

> I don't always agree with Chaosmonk, just like I would be unlikely to always agree with you.

And everyone is quite unlikely to always agree with anyone. Sad... But true

gaseousness
Joined: 08/25/2020

"LibreJS is not a security tool. Its goal is to detect nonfree nontrivial JavaScript, and it currently does not detect whether free or trivial code is malicious or not. Other free Mozilla extensions and add-ons may be available for this purpose." https://www.gnu.org/software/librejs/manual/html_node/Disclaimer.html#Disclaimer

librejs and noscript work well together in my opinion.