I have an easier fix...
I configured my browser to never run JavaScript in the first place. There, security door closed, barred, & welded shut. Job done.
Microsoft is conducting an experiment it hopes will improve browser security – by making its Edge offering worse at running JavaScript As explained in a post by Johnathan Norman, the vulnerability research lead for Microsoft Edge, JavaScript is the juiciest target when trying to crack a browser – because engines like Google's …
That's similar to how I protect myself from car crashes. I never travel in an automobile. Likewise I know I'll never get food poisoning because I've stopped eating!
Bur seriously, if you don't run JavaScript in your browser you're not using 95% of the web. That's your choice, but your post implied that you still had a use for your browser. I guess you spend a lot of time on the wayback machine....
I'm not sure how you came to this but most sites work fine or with minimal degradation without JavaScript. There are poorly written sites which fail to and some web apps genuinely need it, but for the most part not any you'd miss. HTML5 continues to narrow that gap too.
"Most sites" is not a useful description. If your banks website uses JS then you need to use JS or go the ATM or teller window. If you use the Github website you need JS.
If you need to to route planning with a specialized interactive maps for as used by various kinds of sporting sites (hiking, bicycling), then you need JS. The same for weather, fire, and smoke maps.
As far as the content of this article goes, JIT optimization is probably not critical to using a bank site or the Github site. JS is only barely used, and the display is nearly static.
On the other hand, for the dynamic map related sites, JIT probably makes a huge difference.
As it so happens, security is critical for the former (banks, Github), and not for the latter (maps). So the ability to turn off JIT per site would be a practical security feature with low user inconvenience.
Nevertheless insecure actions can leak out from any site and go as far reading arbitrary data in OS memory (Meltdown and Spectre). If that is your criteria, then JS in a browser should never be used on a system with vulnerable information. Even running JS in a browser on dedicated separate computer isn't enough because it will be necessary to enter passwords for various sites into that browser, and those passwords can then snooped.
An intermediate strategy would be always running a browser in a sandbox which is isolated from the main file system, the clipboard, and also from the main X screen buffer. I've actually done that out of curiosity using linux containers, but the UI was ugly. A container based system with (file system, clipboard, X buffer) isolation and with all the ugliness ironed out would be a great help. Executable in a single line `run-isolated <browser or app>`. Even if used an extra 4GB.
The "Bromite" browser, a Chromium fork that removes privacy-averse functionality, has the following setting:
"Disable JIT: Improve security at the expense of performance by not compiling JavaScript to native code (requires browser restart)."
https://www.bromite.org/
Gee, I wonder where Microsoft came up with the idea.
If you want focused control over JavaScript, use the "Privacy Browser" from F-Droid or Play, where it is disabled by default. A simple toggle will allow interactive code, or halt bad behavior.
https://f-droid.org/en/packages/com.stoutner.privacybrowser.standard/
Does that include the "The Register"? All your upvotes depend upon javascript
They were cast thanks to this
```
function cast_vote(link){link.blur();if(vote_already_cast(link))return;var count=get_count(link);count.node.data=count.node.data.replace(count.value,count.value+1);link.attr('data-user-vote','true');}
```
and you know about it thanks to this
```
function get_count(link){var node=link.contents().filter(function(){return this.nodeType===3&&!isNaN(parseInt(this.data,10));}).get(0);if(typeof node==='undefined')return;return{'value':parseInt(node.data,10),'node':node};}
```
However, "The Register" is an example of a site where JIT is absolutely not required.
This post has been deleted by its author
Might be a while before the silly name gets changed. After all it was many years before the "Squeaky Lobster" Exchange server registry value became the much more boring "Show Advanced Counters".
https://techcommunity.microsoft.com/t5/exchange-team-blog/from-crush-to-product-documentation-the-story-of-squeaky-lobster/ba-p/604691
I came here expecting the usual "NoScript/I disabled javascript" posts and was not disappointed. Along, of course, with the "If yoiu disable JavaScript the whole internet will break" (again, not disappointed)
And, of course, they're missing the point. Microsoft isn't attempting to mitigate every flaw in JavaScript. They, along with the majority of the world, have accepted that considerably more than 99% of users aren't going to do that because they want to use the full functionality of the web or are completely unaware/unbothered by the additional security risk of JavaScript.
Instead Microsoft are basically targetting the folks who might hit the "secure" button if one is provided and seems to provide an acceptable level of functionality to them. I don't doubt that their marketing people are also getting all sweaty-handed about the notion of using the slogan "The most secure browsing experience" if they have the slightest excuse to use it.
You're absolutely right.
The average user wants his shiny web and isn't going to turn off something that spoils it. I would guess that part of the experiment is to see if users even notice that Javascript elements are not being compiled just-in-time. I suspect not.
Unless it goes Total Infrastructure Trainwreck Subverting Usability Performance, I wouldn't be surprised to see if switched on by default.
more than 99% of users aren't going to do that because they want to use the full functionality of the web
Not sure you have found the right 99%. How about:
A) 99% of users do not know disabling javascript is still possible.
B) 99% of users do not know how much better many sites work with javascript disabled.
C) 99% of users do not know when a site shows an almost blank page with "javascript required" there will often be other sites that are more useful and work fine without javascript.
I am fairly sure I still have is wrong:
A) 99% of users do not know how to bookmark a link, use a web search instead and arrive at a scam/scalper site half the time.
B) 99% of users do not know that it is possible to configure a browser at all let alone why they would want to.
C) 99% of users do not know how to change the default browser and end up with the one provided by the most dishonest ad-seller. (dishonest can apply to ad or seller)
I am glad Microsoft have taken half a step towards sanity. I am glad a few of the 99% will still get some option to configure their browser towards security without making the all effort that the other 1% need to make.
Sometimes its best to talk things out with a trusted friend before posting on a blog.
Always is it best to talk things out with trusted friends on/in a blog before posting into blogs.
Words Create, Command and Control and Destroy Worlds. Share Strings of Them Wisely is Perfect Advice.
Something for the Weekend? .....Is Boris Prepared for Quantum Leaping into VAIOSystems? ARMed Virtually Advanced IntelAIgent Operating Systems.
A Complex Question to Satisfyingly Answer in Deed, indeed. :-) ...... in Order to be Fully Deserved of ITs Immaculate Aided Prizes/COSMIC* Surprises.
COSMIC* .. Control Of Secret Materiel in an Internetional Command
That's a colossal leap to make, Boris, .... but it is expected of you. Was there ever more Comfort Afforded by such Information for Future IntelAIgents.
Open Heavens Doors and All Paths from Almighty Destinations for Retracing Again Back Unto Source of Journey Supply Stretch Out before One and All.
You can think of that as one vast level virgin playing field where Global Operating Devices Mine and Mind Source of Future Supply for Supply of Future Source with Great Game Theatres of Remote Virtual Operation to Visit and Enjoy ...... Prime Ministerially Present for Universal Display.
Hmmm? I wonder what the Don, Dominic Cummings would propose to suggest be done pdq? Jump and be done with it, would be wise ... given the guaranteed result.
Now whether UKGBNI Secret Intelligence Services Provide All Vital Linker Services for Live Future Applications is something yet to be established here about there, but where there's a Will there's a Way via Ye Olde Sterling Stirling Stalwart Service Exercising and Exalting Royal Prerogative Terrained Territories.
And that's as much as needs to be said for now, and quite a great deal more than was expected to be planned and shared here no more than a hour ago. :-) Crikey. I've only gone and given myself too a heck of a lot to be thinking about doing. :-) How brilliant is that. To assemble all the bones of a Future Being.
And the just-wait-and-see-if-anything-novel-and-totally-unexpected-happens model of systems administrations security is catastrophically vulnerable to the 0day exploitations and exports of the-future-shape-of-intelligently-designed-things-to-come virtual machine which does not need nor feed dead wood input/established failing program output.
Failure to realise and make provision for that change of smarter driver emphasis, and especially so whenever the change is not an unshared top secret, surely has one having to accept, as unpleasant and inconvenient as it may be, that a lack of shared future intelligence has extraordinarily rendered one as practically ignorant prey to what is in stores to bring ........ and such is the endemic condition of the common systemic human failing.
And to deny it is a futile act of hubris in support of the blissfully delusional .... and quite worthy of the certifiably insane in extremis.
Hmmm? Seems like Special Deliveries have a Foreign Fan Deeply Embedded in the Wacky Wild West ............ Pentagon believes AI can predict world events.
Impertinent perfect common sense would dictate that rapid guaranteed mutually advantageous otherworldly progress is assured if there be the likes of JOINT* Friendly Competition in Operational Fields of Endeavour and Reward.
However, and it is to be gravely regarded, it is both a catastrophic intelligence and leadership failure to suggest there be any ACTive JOINT Enterprise Opposition ..... for such only quickly results in the Worthy Demise of the Prime Targeted Drivers of a Worthless Novel Enemy. I Kid U Not.
* ..... Joint Operations Internetworking Novel Technologies
Graham, that's totally off-topic!!!
Since you brought it up though:
- Javascript suuuucks - use NoScript!
- IR35 blows!
- systemd sucks and blows at the same time - sysv forevaaaah!
(Thanks for setting that up! lol)
Seriously though, I was trying to do my tax returns with that accursed IR35 overhead, but couldn't cos Javascript was disabled by NoScript. I tried to enable JS for the site, but systemd wouldn't recognise the command "systemctl enable javascript" which is rubbish! I knoooow sysv could eeeaasily do that!!!
And yes indeedy, way too many badly coded websites everywhere, which, if I *must* access, after the due dance with kittens above my head, I open Chrome and use that. JavaScript is a crutch, y'all scripkiddies everywhere, here, I said it. IMHO not better than Flash, as to adding value. Seldom, or ever, in any of the websites that I need, does it really improve usability, way to the contrary. Gaming? sure. Other addiction-inducing web content? why not! Standard informative, education, business sites, especially banking, glad when it's obvious that a good coder was involved and kept the pox away.
Using Edge without JS? anyone who has a bit of choice and has the very basic savvy will not use Edge, to gebin with. 2) those who still use Edge probably are the kind of people that use sites like Pinterest, which will not run without JS, so this block is a non-starter. I am starting to feel that this whole announcement is sort of a troll.
OTOH, for my work, sometime I must include JS, because I must. Makes for mixed feelings about it...
I bet disabling JIT for Microsoft's vscode, which runs in Electon (a branch of the Chromium browser designed to be a dedicated app), and comes in a snap package on Ubuntu, would make it unusable.
Interestingly, snap packages have the builtin ability to have a "sandbox" flag set on installation. This should keep the root file system safe (but not the user file system, I think).
Unfortunately, if the sandbox flag is set for the vscode code snap package, vscode won't work :(
-- What is JIT and why is useful?
A layman explanation: https://blog.bitsrc.io/the-jit-in-javascript-just-in-time-compiler-798b66e44143 . Basically, it detects which parts of the javascript are being run repeatedly, and creates on-the-fly compiled versions of that code. There are two levels of optimzation available depending on how much the code is run: "warm" and "hot".
-- Why is JIT vulnerable?
An experts explanation in a industry paper: https://www.ndss-symposium.org/wp-content/uploads/2020/02/24262.pdf
> Data-only attacks against dynamic scripting envi-
ronments have become common. Web browsers and other mod-
ern applications embed scripting engines to support interactive
content. The scripting engines optimize performance via just-in-
time compilation. Since applications are increasingly hardened
against code-reuse attacks, adversaries are looking to achieve
code execution or elevate privileges by corrupting sensitive data
like the intermediate representation of optimizing JIT compilers.
This has inspired numerous defenses for just-in-time compilers.
> Our paper demonstrates that securing JIT compilation is not
sufficient. First, we present a proof-of-concept data-only attack
against a recent version of Mozilla’s SpiderMonkey JIT in which
the attacker only corrupts heap objects to successfully issue a
system call from within bytecode execution at run time. Previous
work assumed that bytecode execution is safe by construction
since interpreters only allow a narrow set of benign instructions
and bytecode is always checked for validity before execution.
We show that this does not prevent malicious code execution in
practice.