I have a few questions

25 replies [Last post]
Nickman
Offline
Joined: 12/09/2016

Hi guys, I have a few questions, first is there a flash player on Trisquel that allows ads to be played and allows you to play games, I spoke with a friend who says Trisquel is awesome, but a flash player is lagging that allows YouTube ads to play and games to play

Second, does Trisquel support canon printers my printer is a MG7720

onpon4
Offline
Joined: 05/30/2012

> first is there a flash player on Trisquel that allows ads to be played and allows you to play games

Realistically? No. Gnash isn't compatible with anything newer than around Flash 8 or 9, and most uses of Flash require version 10 or later. Besides, all of these programs are proprietary, so that would completely defeat the purpose of using Trisquel in the first place.

It's misguided to make yourself watch ads to support people making videos. Realistically, each ad you watch is contributing a fraction of a cent to them, and most of the revenue is going straight to Google. If you want to support someone, you should do so directly. Even just sending a dollar every month is substantially more effective than watching all the ads you possibly could.

(Edit: But I don't think YouTube requires Flash for ads anymore. The JavaScript-based player is fully-featured as far as I know.)

As for games, try the repository, or here:

https://libregamewiki.org

> Second, does Trisquel support canon printers my printer is a MG7720

The easiest way to find out is to run a live CD and check yourself. You can do so without installing anything.

Nickman
Offline
Joined: 12/09/2016

how's the development of your game going btw

I plugged in my flash drives to see if another distro would install that t3g brought up (Solus) and dual boot it with Trisquel after I got Solus working, however I found out that I don't have enough storage on both of them, not even for the Trisquel mini version

I do agree with you though I should donate to people instead of watching ads

Majin Buu
Offline
Joined: 11/05/2016

> The JavaScript-based player is fully-featured as far as I know.

The YouTube player is proprietary!!
The best way to watch youtube videos is using a third-party script to download them.

Nickman, you can try using youtube-dl (in Trisquel repos), downloadhelper (https://downloadhelper.net) or 1 Click YouTube Video Download.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

Search, browse, view, download youtube cats vids ->
https://github.com/mps-youtube/mps-youtube

Magic Banana

I am a member!

Offline
Joined: 07/24/2010
onpon4
Offline
Joined: 05/30/2012

I know, but Abrowser doesn't block JavaScript by default, so in a question about whether or not it would work, I saw no sense in bringing that up.

To be perfectly frank, I think we should be designing our browsers to block all JavaScript by default. And until some functionality to finely control JavaScript execution (up to and including choosing a different script instead of the one requested) as outlined in my essay[1] is developed, enabling of JavaScript should be indicated as a highly dangerous last resort attempt to get the Web page to work.

Furthermore, while this is the state of affairs. the browser should have a button to enable the user to do this just once to see the JavaScript-ridden version of a single page (such that pressing a button reloads the page with all JavaScript enabled, but leaves it disabled everywhere else and doesn't cause the JavaScript to load again when the same page is loaded again). That way, it could be shipped to people who aren't experts with JavaScript disabled by default and not be useless to them. I proposed this a little more than a month ago on the bug-gnuzilla mailing list and offered a $50 bounty for a Firefox extension that does it, which still stands. Even better would be for this to be integrated into IceCat and Abrowser.

hack and hack
Offline
Joined: 04/02/2015

Not sure if it's what you meant, but NoScript seems to do just that : disable by default and temporary allow a page when requested.

Regarding JavaScript, I still wonder if Firejail is good enough as a defense.
To my understanding, JS can collect data (nothing Firejail could do about it, But NoScript can to some extent), and run code on the Browser, and on the computer (but I'm really not sure about the latter).
From there, since Firejail (with an option) can limit access to the computer from outside to only one folder (which can be empty or not). So in theory the PC is safe, but the browser? Not so, I guess.

Assuming my rambling above is true, I wonder how to protect the browser. But I'd needto understand the threat first.

onpon4
Offline
Joined: 05/30/2012

No, NoScript allows you to enable scripts based on the origin of the script, not the Web page you're visiting. Also, I'm suggesting something that allows the scripts to execute once, not a toggle switch that you have to remember to turn off again. Multiple people were telling me that NoScript does what I'm suggesting on bug-gnuzilla, too. I don't understand why so many people cannot comprehend this distinction. It's not that complex.

NoScript may be fine for advanced users who are willing to do extra work any time they visit a Web page. It is not fine for delivery in a browser by default with JavaScript disabled. Any non-technical user who even figures it out rather than flat-out enabling JavaScript globally will permanently enable JavaScript on the sites they use often, because doing it temporarily is just incredibly inconvenient: you have to enable each of the sources one at a time, and you have to remember which ones are important; or you have to click "temporarily allow all" a million times until it works, in some cases wasting up to a full minute waiting for a single page to load the same set of JavaScript files multiple times.

hack and hack
Offline
Joined: 04/02/2015

It's safe to say that I don't get your point.
It's complex enough to me. Isn't the origin of the script = the webpage I'm visiting?

But you also write about an option for injecting one's own JS instead, right? OK, this is different, but I don't see that as something that's user-friendly either (IF that's what you meant). Wait, so provided the script works, there would be a way to enable the external script (always enabled for this page from now on).

But I agree that NoScript is complex and can lead to important mistakes.

Basically the difference is that it would totally block outside JS, and would allow to run personal JS easily, only for the pages needed.

If that's what you mean, it seems rather nice!

Now I wonder if it would work with Websites that demand some JS just to access the website (else, blank page).Maybe this kind of JS would require specific things included.
But hey, it's only an option, so worst case, we could disable that extention temporarily to use NoScript for specific cases.

onpon4
Offline
Joined: 05/30/2012

> Isn't the origin of the script = the webpage I'm visiting?

No. A lot of scripts come from a CDN, or from an external API (e.g. ajax.googleapis.com, which is one of the more common ones).

> But you also write about an option for injecting one's own JS instead, right?

That's unrelated to my proposal. It's one of the things that would be necessary for JavaScript on the Web to actually be acceptable. My simpler proposal is just designed to make it feasible to disable JavaScript for non-technical users. It's a step toward eliminating JavaScript, rather than attempting to fix it.

hack and hack
Offline
Joined: 04/02/2015

Oh, like Decentraleyes? Does that do the job? If the origin is clean, then it should be OK.

I just went into the options and disabled a few options I never need (allow JS globally for example). They're not displayed in the contextual menu anymore. It doesn't solve everything you mentioned though. But maybe in association with Decentraleyes, it does.

And if you need to allow the script once, allow it temporarily.

Your essay is clear, but the extension you imagine is hard to understand.
How it is from a user's POV? Like I visit a website, and that's without JS by default. But I want JS for this site, so I allow it ONCE (and not related to a CDN, but to some script specially written for thi page?). Meaning next time I restart the browser and visit the site, it would be without JS?
So I'd have to enable it just once every single time?

I don't get it.

onpon4
Offline
Joined: 05/30/2012

> Oh, like Decentraleyes?

No, no, no. Read carefully.

I'm talking about:

1. Disabling JavaScript. All JavaScript, regardless of source, content, and anything else.
2. Providing a button that immediately makes all JavaScript code requested by the current page only run once. As in, exactly the same thing that LibreJS's "temporarily allow all" option does.

Note that this has nothing to do with attempting to control which scripts get executed. That's too complicated for non-technical users. Instead, it's about when JavaScript is executed.

So suppose our non-technical user uses this browser to do the following:

1. Go to Google and search "cats".
2. Open a blog in the Google search.
3. Click on a link to a YouTube video and watch it.
4. Click on a download link in the description that points to Mediafire.
5. Go to the Troll Lounge and post a picture taken from what was downloaded.
6. Go back to the YouTube video to check the title.
7. Click on an ad which leads to a shifty website that distributes a virus.

For 1, 2, and 5, the user will be able to do the task just fine without JavaScript. Therefore, they get the benefits of not having JavaScript on.

For 3 and 4, the user will see that the page does not work. So they will click on our "Run Scripts (DANGER)" button. This will run scripts and cause the page to work. However, it will only do so that one time. So when they come back to the YouTube video in 6, the JavaScript code will not run, and since they only need to see the title, they will not push the button this time.

For 7, the user notices that the shady website doesn't work without JavaScript, but not recognizing it or seeing a deceptive URL, decides not to enable JavaScript and instead goes back to looking at pictures of cats.

So you can see from this example: this is a simple accessibility feature for non-technical users so that they can reap at least some of the benefits of disabling JavaScript. Additionally, it's a way to put pressure on website maintainers, however small: if JavaScript is disabled by default on people's browsers, that will make a slightly larger number of people click away without even bothering with whatever the website offered. A "complain" button (similar to LibreJS's feature) could also help with this.

hack and hack
Offline
Joined: 04/02/2015

I like it. I really do.
It's not perfect, but it's definitely safer than having JS on at all times.

I see 2 downsides : with NoScript, I can allow only the JS I need, not the whole list which mostly includes tracking stuff (I always wonder why they need to include so much of these).
But with your extension, it would allow all JS indiscriminately, right?

The other one would be for pages like Ebay, where one would have to allow JS for each inner page visited, and worse, it would be impossible to use since some need to be reloaded and have JS on before reaching the specific page (the payment one).

But if it's meant for two types of users, and if there's a fix for the Ebay case, then it works very well.

onpon4
Offline
Joined: 05/30/2012

> But with your extension, it would allow all JS indiscriminately, right?

Yes, it would be unconcerned with that.

But I think uBlock Origin does a fine job blocking that stuff, anyway (and in a way that works better than NoScript), so I don't think it's that big of a deal.

> The other one would be for pages like Ebay, where one would have to allow JS for each inner page visited

That's extremely uncommon. In the case of Ebay, it could be solved with a custom CSS style that prevents that stupid "enable JavaScript" window from showing up, because most of the site actually works just fine without JavaScript.

But where it does happen and is unsolved, I see it as a positive, because it puts pressure (however small) on the website maintainers to stop doing stupid shit like that.

> and worse, it would be impossible to use since some need to be reloaded and have JS on before reaching the specific page (the payment one).

It's been a long time since I ordered something from Ebay. Could you explain what you mean by this? It seems to me that in any case I can think of, it would just be a matter of pushing the button a couple extra times.

Then again, we've already established that Ebay's design is stupid, so I wouldn't be surprised if they screwed that one up, too. ;)

hack and hack
Offline
Joined: 04/02/2015

Ah yes, I need to study how some extensions do the same work. The less I have, the better.

On Ebay, there's the iframe (probably) you talk about, prompting to enable JS (and your idea would probably work just fine), but there's also the product's description that needs to be enabled at least, sometimes the product's image I think. Else, maybe it's needed for giving evaluation/comment.

Regarding payment, since I go for the lazy way, it's about enabling paypal. And it works only after enabling JS, and ONLY THEN refreshing the page (so JS would still be enabled. So pushing the button wouldn't be enough because after each refresh, JS would be disabled.
But I'll need to rethink the way I shop online (or offline, for that matter).

But definitely, it's the exception, shopping online is more complex than most types of websites.

For now, I browse with 90% without JS. I still shop online sometimes (some things can only be found there). Else I enable it for OSM, and I might do so for things like codecademy (it's been a while, but it was a nice way to learn, even if I forgot most of it haha...).

onpon4
Offline
Joined: 05/30/2012

> And it works only after enabling JS, and ONLY THEN refreshing the page (so JS would still be enabled. So pushing the button wouldn't be enough because after each refresh, JS would be disabled.

Then you misunderstood that. What I was suggesting the button should do is reload the page in the state of JavaScript being enabled. Again, just like the "allow all" option in LibreJS.

hack and hack
Offline
Joined: 04/02/2015

Indeed. Thanks for clarifying. That should work just fine.
Combined with firejail in private mode if no download is involved (well, for the slightly savvier users), that would be a good way to make rare exceptions for JS.

Also, that's assuming ublock origin actually allows only the minimal JS needed. But I doubt it since I run both (with default settings mostly), and I still can allow extra JS files for a given page in noscript.

Online chess, online coding courses, banking, that one link that demands JS (usually I dismiss it because I hate such behavior), all these are (to me) worthy of some JS exceptions.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

>Regarding JavaScript, I still wonder if Firejail is good enough as a defense.
To my understanding, JS can collect data (nothing Firejail could do about it, But NoScript can to some extent), and run code on the Browser, and on the computer (but I'm really not sure about the latter).
From there, since Firejail (with an option) can limit access to the computer from outside to only one folder (which can be empty or not). So in theory the PC is safe, but the browser? Not so, I guess.

Firejail, just like apparmor or selinux (if u manage to spend 1000 hours in order to learn it, heh) can do a lot of prevention and limit a lot the surface you expose your computer to while using the given application, in this case the browser. It's the old sec motto of "least privilege".
A good browser profile for firejail, provided the firejail package in itself is well written and secure and the attacker manages NOT to break out of the sandbox, will limit a lot what the malware or in this case the proprietary javascript can do, read, write, access, modify etc

Are you familiar with the option "--private" firejail is blessed with?

Read the man for more info: man firejail.

hack and hack
Offline
Joined: 04/02/2015

Familiar is a big word, but yes, this is the option I was talking about (never tried it though).

Exactly, the question is whether the sandbox is reliable or not. After all, it's all code, and yet, some things are not possible if the permissions don't allow it.
It seems it works with something like root access (namespaces) ans something that reduces the attack surface on the kernel by filtering stuff.

It's most likely very hard to break, and most websites have other thing to do than invest code to break through computers anyway.

Because for some code being able to break sudo... Well it seems it's not yet possible :
https://arstechnica.com/security/2015/08/dram-bitflipping-exploit-for-attacking-pcs-just-add-javascript/

About other ways JS can be a threat:
https://arstechnica.com/security/2015/08/dram-bitflipping-exploit-for-attacking-pcs-just-add-javascript/
http://bestsecuritysearch.com/malicious-javascript-js-files-endanger-pc-security/

XSS is harder to understand quickly for me, but it seems it all comes down to executing some malicious JS file at some point.

And since never (ever) running JS isn't an option for most users, sandboxing limits the damage. The Firejail option is immensely better since it's not the /Home folder being exposed anymore, but a tiny folder.
So even running JS at all times could be "safe" (of course if one doesn't care about tracking).
But the browser (login info, bookmarks...) are still at risk though.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

I know the author of firejail is very dedicated to writing good code and he makes sure to upload the patches very soon, so hopefully it is reliable (well, in any case it won't hurt your sec if u use it..)
Yes, javascript is terrible stuff. I just wanted to remind you that noscript is not only a script blocker: ABE protection against CSRF and internet-to-intranet attacks, XSS, Clickjacking.

https://noscript.net/faq

In fact I install it even on my friends' laptops for the above reasons when they ask me to help them with some issue (purging malware or OS re-installation mainly). I know they would got mad if I did not check the square "allow scripts globally", which I do, and then I open the "customize" tab and hide noscript from their view. They don't even know it's there and still get some important protection.. :)

onpon4
Offline
Joined: 05/30/2012

Forgot to link this:

[1] https://onpon4.github.io/other/kill-js/

IrishUSA
Offline
Joined: 12/03/2016

Your comments in this thread (and in the link you provide) are terrific. Principled, informative, innovative, focused, and important.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

>To be perfectly frank, I think we should be designing our browsers to block all JavaScript by default.

(+1) * 24322352523

santo-subito.jpg
JadedCtrl
Offline
Joined: 08/11/2014

Youtube-dl and mps-youtube have already been mentioned, but here's my shameless self-plug:
https://github.com/jadedctrl/shellTube
It's written in shell, so all you'll need is bash and wget/curl.

Nickman
Offline
Joined: 12/09/2016

Thanks SuperTramp, magic and Majin for the info