
Javascript Security Settings

Open BenWestcott opened this issue 4 years ago • 4 comments

Hello, and thank you for building this, first of all. It looks great. That said, coming from the feature-laden (but also slow and crash-happy) Otter browser, I miss a few things.

Primarily, for both security and performance, I would like to have Javascript disabled by default, but retain the ability to enable it for specific domain names (or even specific tabs for temporary changes).

If you're up for it, on top of that, it would be awesome if I could inject my own javascript before page load, though that's probably quite a bit harder to implement. This would allow for more advanced control, to disable or modify certain APIs. For example, there is no good reason for a website to know how charged my battery is.

BenWestcott avatar May 29 '20 23:05 BenWestcott

JS is enabled by default and will remain so because most (?) of the Web requires it. However, it can be disabled per tab (context menu on the tab bar). I will add a new entry to have it disabled / enabled per domain name.

The second feature may not be too difficult to implement as Dooble provides a means of injecting style sheets per site. Will look at this too.

Both features will be contained in a new JavaScript tool.

textbrowser avatar May 30 '20 13:05 textbrowser

Ah, sorry, I see I didn't write that clearly. I didn't expect you to change the settings Dooble ships/installs with, I instead meant that I would like to be able to configure that to be what happens normally when I load a page, but with the ability to override on a case-by-case basis.

I'm glad to see that it's already a feature I just missed, but I'm also looking forward to those more advanced tools. Thanks!

BenWestcott avatar May 30 '20 14:05 BenWestcott

Please see attached image.

[Image: Screenshot from 2020-05-30 10-38-27]

Notice the question mark image in the URL widget. If you click on that image, a popup menu is displayed. One of the options in the menu is to set a custom style sheet for the current URL.

Some of the interaction will also be changed as it's not apparent.

textbrowser avatar May 30 '20 14:05 textbrowser

When I tested this browser, I was able to disable javascript globally (in the settings), then for individual tabs, enable javascript.

publicsite avatar Mar 09 '22 04:03 publicsite

The ability to globally disable/enable JavaScript is an important feature.

More advanced control is a good idea, and I think the way to do it should be to allow user JavaScript code to override the web APIs somehow (which can be used to provide false data for testing purposes, too). Note that in some cases there may be multiple functions that do the same thing, so some way will be needed to affect multiple functions at once; I am not sure how.

Actually, better in my opinion would be disabling everything by default and only enable/override the desired features. (This should be implemented instead of "secure contexts", in my opinion.)

zzo38 avatar Jan 31 '23 06:01 zzo38
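The override idea discussed in the comments above, as an added example that is not part of the thread and is not Dooble's code: a script meant to run before any page script applies one policy table to several API entry points at once, generalizing the battery case to any dotted path. The names `resolve`, `definingObject`, `applyPolicy` and `demo` are hypothetical, and the `navigator` object in `demo` is a constructed stand-in so the block runs outside a browser.

```javascript
// Added example. `root` stands for the page's global object (`window` in a browser).
// Walk "a.b.c" to its owner object and final key; null if a parent is missing.
function resolve(root, path) {
  const parts = path.split(".");
  const key = parts.pop();
  let owner = root;
  for (const p of parts) owner = owner == null ? null : owner[p];
  return owner == null ? null : { owner, key };
}

// Web APIs usually live on a prototype (e.g. Navigator.prototype). Find the object
// that really defines `key` so the original is not left reachable behind a shadow.
function definingObject(obj, key) {
  for (let o = obj; o != null; o = Object.getPrototypeOf(o)) {
    if (Object.prototype.hasOwnProperty.call(o, key)) return o;
  }
  return null;
}

// policy maps a dotted path to "remove" or to a replacement value/function.
// One policy object covers several entry points to the same data at once.
function applyPolicy(root, policy) {
  const report = {};
  for (const [path, action] of Object.entries(policy)) {
    const t = resolve(root, path);
    const holder = t && definingObject(t.owner, t.key);
    if (!holder) { report[path] = "absent"; continue; }
    const ok = action === "remove"
      ? Reflect.deleteProperty(holder, t.key) && !(t.key in t.owner)
      : Reflect.defineProperty(holder, t.key, {
          value: action, writable: false, configurable: false, enumerable: true });
    report[path] = !ok ? "failed" : action === "remove" ? "removed" : "replaced";
  }
  return report;
}

// Constructed stand-in for a page: a method on the prototype plus an own property.
function demo() {
  const proto = { getBattery: () => Promise.resolve({ level: 0.42, charging: false }) };
  const navigator = Object.assign(Object.create(proto), { battery: { level: 0.42 } });
  const root = { navigator };
  const fixed = () => Promise.resolve({ level: 1, charging: true }); // same answer for every site
  const report = applyPolicy(root, {
    "navigator.getBattery": fixed,
    "navigator.battery": "remove",
    "navigator.bluetooth": "remove", // not present in this stand-in
  });
  return { root, fixed, report };
}
```

The override holds only for the realm it ran in: every frame gets its own `navigator`, so an injection mechanism has to run the script in subframes as well.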

Disabling everything by default will dissuade a new patron from enjoying Dooble because it would not work on any site. JS is essential everywhere.

textbrowser avatar Jan 31 '23 11:01 textbrowser

No, it isn't. I work without JavaScript and many times it works OK. However, as long as the end user can configure it to globally enable/disable (and make exceptions), that is good enough, regardless of what the included default setting is.

zzo38 avatar Jan 31 '23 17:01 zzo38

JS is optional.

If it's disabled by default, most people will drop dead and discontinue the Dooble. So, it's enabled by default to prevent despair. Anti-drop-dead people will discover Dooble and disable JS through exploration. Everyone wins and I'm not pounded by whiny people which I have been because it was once disabled by default.

textbrowser avatar Jan 31 '23 18:01 textbrowser

O, OK. You are right about that.

However, what is quoted here should also be considered:

If you're up for it, on top of that, it would be awesome if I could inject my own javascript before page load, though that's probably quite a bit harder to implement. This would allow for more advanced control, to disable or modify certain APIs. For example, there is no good reason for a website to know how charged my battery is.

To me, I think that would be a good idea. However, some features could also be set using a request/response overriding capability (which would make some other settings unnecessary, I think, since some of them would already be possible to be controlled in this way).

zzo38 avatar Jan 31 '23 19:01 zzo38

That was completed billions of years ago. Wait, let me read the release notes!

textbrowser avatar Jan 31 '23 19:01 textbrowser

Never mind, style sheets. The other thing is not very interesting. You should request another ticket.

textbrowser avatar Jan 31 '23 19:01 textbrowser

Closing because zero interest. Have fun and stuff.

textbrowser avatar Dec 09 '23 22:12 textbrowser