webmacs

Feature request: Noscript-like javascript whitelisting

Open TLATER opened this issue 5 years ago • 4 comments

I find myself using Firefox for some sites still because of the unholy amounts of entirely useless (and sometimes actively malicious) JavaScript they load - could something like NoScript be implemented?

I figure it might be possible through the current adblocker, but I've not read far enough yet. It certainly would need additional commands to override specific rules per-page, since setting up proper whitelists involves a fair bit of trial-and-error from the user's side.

TLATER, Feb 01 '19 21:02

I now have a proof of concept for this here.

A couple of notes:

  • It doesn't seem too easy to adopt the existing adblock bindings. Looking at Brave's source they have some other code to handle this, but I can't find it anywhere in their repository... I'd love to know where to find their code if anyone knows.
  • The POC uses pure Python. I suspect this may be performant enough for a whitelist-based approach.
  • Qt has a really nice API for this (see POC). We can block things besides JavaScript, allowing for other features much like NoScript.
  • The current approach can't block inline JavaScript. This is a massive flaw and would need to be addressed before even thinking about merging.

I suspect @parkouss won't be particularly happy with my current approach, comments and ideas are welcome :)

TLATER, Feb 23 '19 01:02

I quickly looked at your branch, it seems relatively clean and ok to me! If you want to bring such a feature (whitelist domain list option for javascript enabling) to webmacs master, I'm not against it - since it adds some value easily and won't go in the way of users that do not want something like that.

Other approaches for the no-script feature I can think of:

  • trying to use the Qt API to disable JavaScript. This is currently probably the best approach I think, as it should also disallow inline JS. But as there are a few things that require JS internally for webmacs to work, this is probably harder to implement - and I am not sure if it is feasible at all (it should be, though, with a correct use of JS worlds if my understanding is correct).
  • write the rules using the adblock list format (https://adblockplus.org/en/filters). We could add support for the file:// scheme for the adblock-urls-rules variable, and so it would be possible for users to keep their own blocking rules (such as excluding JavaScript). It is nice as it is not an addition to the current API of webmacs (using a variable that does exist already), but it is restricted to what is possible to write with the adblock list syntax (we can't use QWebEngineUrlRequestInfo.ResourceTypeScript for example, just rely on some extension).

Note the options can coexist. I am thinking that being able to use local adblock rules would be nice anyway.

parkouss, Feb 24 '19 11:02

@parkouss Personally, I struggled using adblock filter rules to do proper javascript filtering - I'd always end up executing some scripts I didn't want to, and it's inherently impossible to disable inline javascript with them. I'd also like to allow filtering based on GNU javascript labels, which afaik is currently impossible with adblock rules.

For my purposes I think a polished version of my current approach + the qt api (perhaps disable js in html loaded from a non-whitelisted domain?) would make the most sense - but I'm obviously still a little away from that ;)

I do agree that custom adblock rules would be very nice, should that perhaps be a separate issue?

TLATER, Feb 25 '19 01:02

@TLATER thanks for sharing your experience, it makes sense. I'll create another issue for the custom, local adblock rules support.

parkouss, Feb 25 '19 04:02
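
The two layers discussed in this thread (blocking script requests from non-whitelisted domains, and a separate per-page switch because inline scripts never appear as requests) can be sketched as follows. This is an added example, not TLATER's proof of concept or webmacs code; the class and function names, the choice to match on the request URL's host, and the sample traffic are assumptions, and the string `"script"` stands in for `QWebEngineUrlRequestInfo.ResourceTypeScript`.

```python
from urllib.parse import urlsplit

SCRIPT = "script"  # stands in for QWebEngineUrlRequestInfo.ResourceTypeScript


class ScriptWhitelist:
    """Per-domain allow list for JavaScript, default deny (hypothetical helper)."""

    def __init__(self, allowed_domains):
        cleaned = (d.lower().strip(".") for d in allowed_domains)
        self.allowed = {d for d in cleaned if d}

    def host_allowed(self, url):
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        # Match the domain itself or a subdomain on a label boundary, so
        # "example.org" does not also allow "notexample.org".
        return any(host == d or host.endswith("." + d) for d in self.allowed)

    def should_block(self, resource_type, request_url):
        """Decision for one subresource request, as a request interceptor sees it."""
        return resource_type == SCRIPT and not self.host_allowed(request_url)

    def page_js_enabled(self, page_url):
        """Inline <script> never reaches the interceptor, so it needs a
        per-page switch (in Qt: QWebEngineSettings.JavascriptEnabled)."""
        return self.host_allowed(page_url)


def audit(whitelist, page_url, requests):
    """Return (inline_js_allowed, blocked_urls) for one page load."""
    blocked = [u for t, u in requests if whitelist.should_block(t, u)]
    return whitelist.page_js_enabled(page_url), blocked


# Constructed sample traffic, not captured from a real site.
SAMPLE_REQUESTS = [
    ("script", "https://cdn.example.org/app.js"),
    ("script", "https://tracker.invalid/t.js"),
    ("script", "https://notexample.org/evil.js"),
    ("image", "https://tracker.invalid/pixel.gif"),
    ("script", "https://EXAMPLE.org./main.js"),
]

if __name__ == "__main__":
    wl = ScriptWhitelist(["example.org"])
    print(audit(wl, "https://www.example.org/", SAMPLE_REQUESTS))
    print(audit(wl, "https://news.invalid/article", SAMPLE_REQUESTS))
```

The second call shows the gap raised in the thread: on a page from a non-whitelisted domain, request filtering alone blocks the same external scripts, so only the per-page switch stops that page's inline code.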