I have an easier fix...
I configured my browser to never run JavaScript in the first place. There, security door closed, barred, & welded shut. Job done.
Microsoft is conducting an experiment it hopes will improve browser security – by making its Edge offering worse at running JavaScript As explained in a post by Johnathan Norman, the vulnerability research lead for Microsoft Edge, JavaScript is the juiciest target when trying to crack a browser – because engines like Google's …
That's similar to how I protect myself from car crashes. I never travel in an automobile. Likewise I know I'll never get food poisoning because I've stopped eating!
Bur seriously, if you don't run JavaScript in your browser you're not using 95% of the web. That's your choice, but your post implied that you still had a use for your browser. I guess you spend a lot of time on the wayback machine....
I'm not sure how you came to this but most sites work fine or with minimal degradation without JavaScript. There are poorly written sites which fail to and some web apps genuinely need it, but for the most part not any you'd miss. HTML5 continues to narrow that gap too.
"Most sites" is not a useful description. If your banks website uses JS then you need to use JS or go the ATM or teller window. If you use the Github website you need JS.
If you need to to route planning with a specialized interactive maps for as used by various kinds of sporting sites (hiking, bicycling), then you need JS. The same for weather, fire, and smoke maps.
As far as the content of this article goes, JIT optimization is probably not critical to using a bank site or the Github site. JS is only barely used, and the display is nearly static.
On the other hand, for the dynamic map related sites, JIT probably makes a huge difference.
As it so happens, security is critical for the former (banks, Github), and not for the latter (maps). So the ability to turn off JIT per site would be a practical security feature with low user inconvenience.
Nevertheless insecure actions can leak out from any site and go as far reading arbitrary data in OS memory (Meltdown and Spectre). If that is your criteria, then JS in a browser should never be used on a system with vulnerable information. Even running JS in a browser on dedicated separate computer isn't enough because it will be necessary to enter passwords for various sites into that browser, and those passwords can then snooped.
An intermediate strategy would be always running a browser in a sandbox which is isolated from the main file system, the clipboard, and also from the main X screen buffer. I've actually done that out of curiosity using linux containers, but the UI was ugly. A container based system with (file system, clipboard, X buffer) isolation and with all the ugliness ironed out would be a great help. Executable in a single line `run-isolated <browser or app>`. Even if used an extra 4GB.
The "Bromite" browser, a Chromium fork that removes privacy-averse functionality, has the following setting:
"Disable JIT: Improve security at the expense of performance by not compiling JavaScript to native code (requires browser restart)."
Gee, I wonder where Microsoft came up with the idea.
If you want focused control over JavaScript, use the "Privacy Browser" from F-Droid or Play, where it is disabled by default. A simple toggle will allow interactive code, or halt bad behavior.
Does that include the "The Register"? All your upvotes depend upon javascript
They were cast thanks to this
function cast_vote(link){link.blur();if(vote_already_cast(link))return;var count=get_count(link);count.node.data=count.node.data.replace(count.value,count.value+1);link.attr('data-user-vote','true');}
and you know about it thanks to this
function get_count(link){var node=link.contents().filter(function(){return this.nodeType===3&&!isNaN(parseInt(this.data,10));}).get(0);if(typeof node==='undefined')return;return{'value':parseInt(node.data,10),'node':node};}
However, "The Register" is an example of a site where JIT is absolutely not required.
This post has been deleted by its author
Might be a while before the silly name gets changed. After all it was many years before the "Squeaky Lobster" Exchange server registry value became the much more boring "Show Advanced Counters".
I came here expecting the usual "NoScript/I disabled javascript" posts and was not disappointed. Along, of course, with the "If yoiu disable JavaScript the whole internet will break" (again, not disappointed)
And, of course, they're missing the point. Microsoft isn't attempting to mitigate every flaw in JavaScript. They, along with the majority of the world, have accepted that considerably more than 99% of users aren't going to do that because they want to use the full functionality of the web or are completely unaware/unbothered by the additional security risk of JavaScript.
Instead Microsoft are basically targetting the folks who might hit the "secure" button if one is provided and seems to provide an acceptable level of functionality to them. I don't doubt that their marketing people are also getting all sweaty-handed about the notion of using the slogan "The most secure browsing experience" if they have the slightest excuse to use it.
You're absolutely right.
The average user wants his shiny web and isn't going to turn off something that spoils it. I would guess that part of the experiment is to see if users even notice that Javascript elements are not being compiled just-in-time. I suspect not.
Unless it goes Total Infrastructure Trainwreck Subverting Usability Performance, I wouldn't be surprised to see if switched on by default.
more than 99% of users aren't going to do that because they want to use the full functionality of the web
Not sure you have found the right 99%. How about:
A) 99% of users do not know disabling javascript is still possible.
B) 99% of users do not know how much better many sites work with javascript disabled.
C) 99% of users do not know when a site shows an almost blank page with "javascript required" there will often be other sites that are more useful and work fine without javascript.
I am fairly sure I still have is wrong:
A) 99% of users do not know how to bookmark a link, use a web search instead and arrive at a scam/scalper site half the time.
B) 99% of users do not know that it is possible to configure a browser at all let alone why they would want to.
C) 99% of users do not know how to change the default browser and end up with the one provided by the most dishonest ad-seller. (dishonest can apply to ad or seller)
I am glad Microsoft have taken half a step towards sanity. I am glad a few of the 99% will still get some option to configure their browser towards security without making the all effort that the other 1% need to make.
And yes indeedy, way too many badly coded websites everywhere, which, if I *must* access, after the due dance with kittens above my head, I open Chrome and use that. JavaScript is a crutch, y'all scripkiddies everywhere, here, I said it. IMHO not better than Flash, as to adding value. Seldom, or ever, in any of the websites that I need, does it really improve usability, way to the contrary. Gaming? sure. Other addiction-inducing web content? why not! Standard informative, education, business sites, especially banking, glad when it's obvious that a good coder was involved and kept the pox away.
Using Edge without JS? anyone who has a bit of choice and has the very basic savvy will not use Edge, to gebin with. 2) those who still use Edge probably are the kind of people that use sites like Pinterest, which will not run without JS, so this block is a non-starter. I am starting to feel that this whole announcement is sort of a troll.
OTOH, for my work, sometime I must include JS, because I must. Makes for mixed feelings about it...
I bet disabling JIT for Microsoft's vscode, which runs in Electon (a branch of the Chromium browser designed to be a dedicated app), and comes in a snap package on Ubuntu, would make it unusable.
Interestingly, snap packages have the builtin ability to have a "sandbox" flag set on installation. This should keep the root file system safe (but not the user file system, I think).
Unfortunately, if the sandbox flag is set for the vscode code snap package, vscode won't work :(
-- What is JIT and why is useful?
A layman explanation: https://blog.bitsrc.io/the-jit-in-javascript-just-in-time-compiler-798b66e44143 . Basically, it detects which parts of the javascript are being run repeatedly, and creates on-the-fly compiled versions of that code. There are two levels of optimzation available depending on how much the code is run: "warm" and "hot".
-- Why is JIT vulnerable?
An experts explanation in a industry paper: https://www.ndss-symposium.org/wp-content/uploads/2020/02/24262.pdf
> Data-only attacks against dynamic scripting envi-
ronments have become common. Web browsers and other mod-
ern applications embed scripting engines to support interactive
content. The scripting engines optimize performance via just-in-
time compilation. Since applications are increasingly hardened
against code-reuse attacks, adversaries are looking to achieve
code execution or elevate privileges by corrupting sensitive data
like the intermediate representation of optimizing JIT compilers.
This has inspired numerous defenses for just-in-time compilers.
> Our paper demonstrates that securing JIT compilation is not
sufficient. First, we present a proof-of-concept data-only attack
against a recent version of Mozilla’s SpiderMonkey JIT in which
the attacker only corrupts heap objects to successfully issue a
system call from within bytecode execution at run time. Previous
work assumed that bytecode execution is safe by construction
since interpreters only allow a narrow set of benign instructions
and bytecode is always checked for validity before execution.
We show that this does not prevent malicious code execution in