Tag Archives: JavaScript

I finally got around to submitting a Web Compatibility problem report on ComEd (the Illinois electric company) to Pale Moon Forum. (Microsoft-related)

I finally got around to submitting a Web Compatibility problem report on ComEd (the Illinois electric company) to Pale Moon Forum.

The next time someone says Microsoft loves open source, remind them that Microsoft doesn’t even use open standards. This is Chrome/Webkit nonsense.

According to Mozilla documents, it would seem at least one of these problems is occurring because Microsoft is using -webkit-autofill when there’s been an unprefixed version of this for years and “For the best browser compatibility use both” the Webkit prefixed version and the unprefixed version of “autofill”.

Microsoft’s sites are usually very poorly coded (like Outlook WebMail) and when the Illinois electric company, ComEd, switched to Microsoft Azure, they got this mess.

It’s amusing that Mozilla took Microsoft and Google bailouts to keep MDN going and then it points out that Microsoft’s behavior defies “best practices” when it comes to Web development. Of course it does. This is the company that brought you Windows.

Here’s my post to Pale Moon Forums:

I cannot log in to comed.com to pay my electric bill unless using a “GAFAM” Web browser since their move to Microsoft Azure started loading all kinds of junk from Microsoft domains. (Issue affects SeaMonkey as well.)

Works in WebkitGTK browsers, as well as Firefox and anything based on Chromium apparently.

1. Go to https://www.comed.com/Pages/default.aspx

2. Click “Sign In”

3. Instead of loading login page, you witness the site calling out to various Microsoft Azure junk like windows.net and onmicrosoft.com before eventually getting stuck on a spinny beach ball of death.

4. RUN! It’s the blob(.core.windows.net)! (Mandatory joke!)

Console output:

*15:02:09.434 XML Parsing Error: no root element found
Location: https://secure1.comed.com/euazurecomed.onmicrosoft.com/B2C_1A_SignIn/client/perftrace?tx=StateProperties=eyJUSUQiOiIzYWY4OTRmMy02MGQyLTRkOGEtYTgyOS01OTkyMjFmNGFkOTYifQ&p=B2C_1A_SignIn
Line Number 1, Column 1: 1 perftrace:1:1

15:02:09.498 Error: Syntax error, unrecognized expression: unsupported pseudo: -webkit-autofill 1 jquery-3.4.1.min.js:2:13061
    h</se.error https://xzeepb2clookuppsta001.blob.core.windows.net/comed/src/js/jquery-3.4.1.min.js:2:13061
    PSEUDO https://xzeepb2clookuppsta001.blob.core.windows.net/comed/src/js/jquery-3.4.1.min.js:2:16127
    Ee https://xzeepb2clookuppsta001.blob.core.windows.net/comed/src/js/jquery-3.4.1.min.js:2:20291
    h</se.compile https://xzeepb2clookuppsta001.blob.core.windows.net/comed/src/js/jquery-3.4.1.min.js:2:21205
    h</se.select https://xzeepb2clookuppsta001.blob.core.windows.net/comed/src/js/jquery-3.4.1.min.js:2:22422
    se https://xzeepb2clookuppsta001.blob.core.windows.net/comed/src/js/jquery-3.4.1.min.js:2:6893
    h</se.matchesSelector https://xzeepb2clookuppsta001.blob.core.windows.net/comed/src/js/jquery-3.4.1.min.js:2:12631
    k.filter https://xzeepb2clookuppsta001.blob.core.windows.net/comed/src/js/jquery-3.4.1.min.js:2:24154
    j https://xzeepb2clookuppsta001.blob.core.windows.net/comed/src/js/jquery-3.4.1.min.js:2:24045
    is https://xzeepb2clookuppsta001.blob.core.windows.net/comed/src/js/jquery-3.4.1.min.js:2:24656
    setContinueDisabled https://secure1.comed.com/euazurecomed.onmicrosoft.com/oauth2/v2.0/authorize:122:72
    checkForLoginCredentials https://secure1.comed.com/euazurecomed.onmicrosoft.com/oauth2/v2.0/authorize:300:9
    startCheckingForLoginCredentials https://secure1.comed.com/euazurecomed.onmicrosoft.com/oauth2/v2.0/authorize:313:9
    <anonymous> https://secure1.comed.com/euazurecomed.onmicrosoft.com/oauth2/v2.0/authorize:372:9
    y https://secure1.comed.com/euazurecomed.onmicrosoft.com/oauth2/v2.0/authorize:17:38593
    fireWith https://secure1.comed.com/euazurecomed.onmicrosoft.com/oauth2/v2.0/authorize:17:39343
    b https://secure1.comed.com/euazurecomed.onmicrosoft.com/oauth2/v2.0/authorize:17:77660
    t https://secure1.comed.com/euazurecomed.onmicrosoft.com/oauth2/v2.0/authorize:17:83848
    dispatch https://secure1.comed.com/euazurecomed.onmicrosoft.com/oauth2/v2.0/authorize:17:49789
    add/y.handle https://secure1.comed.com/euazurecomed.onmicrosoft.com/oauth2/v2.0/authorize:17:47826
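
The trace above ends in a jQuery `.is()` call on `:-webkit-autofill`, which throws in an engine that cannot parse that pseudo-class. As an added example (not part of the original forum post, and not ComEd's, Microsoft's or jQuery's code; all function names are hypothetical and the inputs are constructed fakes), this is one way a login script can probe both spellings and fall back to "unknown" instead of throwing:

```javascript
'use strict';

// Added example: selector spellings come from the page and MDN; every
// function name here is hypothetical, and the "inputs" are constructed fakes.

// Standard pseudo-class first, then the WebKit-prefixed alias seen in the trace.
const AUTOFILL_SELECTORS = [':autofill', ':-webkit-autofill'];

// Keep only the selectors this engine can parse. Element.matches() throws a
// SyntaxError for a pseudo-class it does not know, so probe inside try/catch.
function supportedSelectors(el, candidates = AUTOFILL_SELECTORS) {
  return candidates.filter((selector) => {
    try {
      el.matches(selector);
      return true;
    } catch (err) {
      return false;
    }
  });
}

// Tri-state result: true or false when the engine can answer, null when it
// understands neither spelling.
function isAutofilled(el, candidates = AUTOFILL_SELECTORS) {
  const usable = supportedSelectors(el, candidates);
  if (usable.length === 0) return null;
  return usable.some((selector) => el.matches(selector));
}

// A field counts as filled if script can read a value or the engine reports
// autofill. "Unknown" falls back to the value check instead of throwing.
function shouldDisableContinue(userInput, passInput) {
  const filled = (el) => el.value.length > 0 || isAutofilled(el) === true;
  return !(filled(userInput) && filled(passInput));
}

// Constructed stand-in for an <input>, so the block runs outside a browser.
// `knows` lists the pseudo-classes the simulated engine can parse.
function fakeInput({ value = '', autofilled = false, knows = [] } = {}) {
  return {
    value,
    matches(selector) {
      if (!knows.includes(selector)) {
        throw new SyntaxError(`unsupported pseudo: ${selector.slice(1)}`);
      }
      return autofilled;
    },
  };
}

// Three simulated engines: one that knows neither spelling, one that knows
// only the prefixed alias, one that knows only the standard name.
function demo() {
  const neither = { knows: [] };
  const prefixedOnly = { knows: [':-webkit-autofill'], autofilled: true };
  const standardOnly = { knows: [':autofill'], autofilled: true };
  return {
    unknownEngineEmpty: shouldDisableContinue(fakeInput(neither), fakeInput(neither)),
    unknownEngineTyped: shouldDisableContinue(
      fakeInput({ ...neither, value: 'user' }),
      fakeInput({ ...neither, value: 'secret' })),
    prefixedAutofilled: shouldDisableContinue(
      fakeInput(prefixedOnly), fakeInput(prefixedOnly)),
    standardAutofilled: shouldDisableContinue(
      fakeInput(standardOnly), fakeInput(standardOnly)),
  };
}

console.log(demo());
```

In a browser the same functions take real `<input>` elements; the fakes only stand in for `Element.matches()`.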

Pale Moon scares people away from the NoScript extension to protect “MoonChild’s” profits. Bonus: Corrosive people (boosted by Microsoft) in “FOSS” “Communities”.

NoScript’s legacy XUL version supports Pale Moon.

It works fine, but by default, “MoonChild” has set it to disable NoScript and warn the user that the extension may “cause issues”.

I went to install NoScript, the legacy XUL version, which works fine in SeaMonkey.

Pale Moon immediately disabled it and told me it was dangerous to use that extension because it might break Web sites.

Then when I clicked to know more about this issue, I was led to a page on Pale Moon Forums where “MoonChild”, the main developer, explains that he doesn’t want people coming to bitch to him if an extension that disables JavaShit breaks a Web site.

So it just turns it off and makes it sound like the extension is sketchy, and then you have to read that and say “Oh bullshit!” and turn the extension back on.

The cynic in me would say that since it breaks Pale Moon’s default start.me page full of ads and shit, he’s worried he may lose money if you don’t see that every time you load the browser.

So he is scaring people away from NoScript to keep the spice flowing.

It’s understandable that people who spend significant time and effort to create a program deserve to be compensated for it, but scaring the users of an extension that enhances Web browser security by reducing the Active Content attack surface (which is present in all Web browsers) is not the right way to handle this.

“MoonChild” doesn’t need to deal with his revenue problem by implying that NoScript is malicious software, which is dishonest to say the least. He should, rather, put a one time notice in the browser explaining that he needs revenue and that blocking the start.me page harms his ability to fund Pale Moon development, and then asking the user or offering to the user to whitelist that page, and ultimately respecting the user’s decision.

Free Software (as defined by the Free Software Definition in “The Freedom to run the program as you wish.”) is about respecting user choices.

If your program doesn’t respect what the user wants, it may technically fall under a Free Software license as source code, but it violates the spirit of the Free Software Definition.

When I went to learn more about the issue that Pale Moon causes for NoScript, I came to a different forum where I learned that after “MoonChild” made the childish decision about overriding the user’s clearly expressed intention of installing NoScript to protect them from Active Content, users flooded the Pale Moon forums to complain, and the result of the complaining was that NoScript is declared a “banned subject” on their forums, and threats of being banned from the Pale Moon forums by “MoonChild”.

I’m starting to seriously wonder about “MoonChild’s” version of the events that led to former Pale Moon developer Matt Tobin being expelled from the project. Tobin hangs out at the #SeaMonkey IRC room on Libera Chat, and he doesn’t seem like a bad/mean person to me. The description of a developer as a Prima Donna and a “Hitler”-like figure sounds more to me like “MoonChild” because of the ongoing NoScript debacle.

I would generally like to have another browser to recommend to people.

I’m going to hold off on Pale Moon. It does seem to have fewer Web compatibility issues than SeaMonkey, but there are still quite a few.

I noticed that the Palefills extension to fix some of these up also works in SeaMonkey (it’s in the manifest and makes GitHub and Gitlab and dozens of other sites work again in both browsers).

Typically, both browsers should appeal to people who don’t like the “Modern Web” very much and who think Firefox has gone completely off the rails, who are willing to deal with “Modern Web” breakage by deploying clever hacks and workarounds where needed (or just opening some Modern browser to pay their electric bill and close it again for a month), but the developers of Pale Moon seem to be difficult people, to put it mildly.

I’ve noticed that “MoonChild” has made Matt Tobin another “graylisted” subject on his forums. Either you say Tobin is Hitler or you disappear too.

“Communities” such as this are impossible and ultimately fail due to attrition.

They can be fun to make fun of, though, but you have to find your own platform to do it on.

For example, when MinceR in #Techrights IRC said, “Has he heard of the ability to change home pages?”, I said, “ALERT: Changing your home page is dangerous and may cause Pale Moon to become unstable, resulting in profile corruption. We cannot support this if you proceed. -M.C. Hitler”.

Gone are the days where we can have mild disagreements, or disagreements that aren’t even about Free Software, or even an off beat sense of humor, without the Cancel Mob trying to hijack everything and kill us with fire.

Recently, Matthew J. Garrett, or Matt GULAG as I call him on #Techrights IRC has been petitioning Roy to Cancel me over some personal beliefs that I have expressed that aren’t even that unusual. Roy hasn’t acted on that.

Matt GULAG’s career in software development is on a jack stand provided by Microsoft and other companies that are hostile to software freedom.

Unfortunately, when Freenode turned into The Pretender’s “Freenode Autonomous Zone”, people who are bad in other ways, like Matt GULAG and “MoonChild” (*cough* M.C. Hitler) (which MinceR refers to as “ManChild”) forked it and created Libera.Chat. Libera.Chat is awful because it’s been politicized by the Cancel Mob.

Freenode, before The Pretender took it over, had almost 100,000 users and was the place to discuss Free Software.

Libera.Chat only has about 49,000 users at peak hours, and it’s because they Cancel anyone who isn’t some total leftist freak-of-nature or at least a Microsoft toady that supports their sabotage efforts of GNU/Linux.

Libera.Chat has banned me like 7 times (sort of like Matrix.org has), but K-Lines don’t mean much of anything to me like they did in the days of dial-up or direct connect over my real IP which only changed every several months or so.

I change IP addresses and VPN providers every so often so good luck making any of that stick. I’m on Libera.Chat in several different ways all at once right now.

Eventually the bans don’t happen as often because you know which rooms (such as #linux and #libera) have asshole moderators in them.

Microsoft has virtually succeeded in planting moles in every high profile place where “Linux” is up for discussion, and they’ve made sure that people who don’t like Microsoft and say why get banned. Even if it’s like, a one-liner and you’re not up on a soap box. Or you make a joke about something that really happened.

(Like the time Microsoft did the BIG BOOBIES debacle with the Linux kernel in their HyperV driver and then says all the perverts are in open source.)

The bans happened to me on Reddit and Libera, and whether the ban itself sticks or not, they know that you know that if you come back and criticize them again, the ban will just happen again.

This is part of their strategy to make it seem like everyone “loves” Microsoft or is at least indifferent.

When communities fall apart, and the center cannot hold, due to people like Matt GULAG re-defining “community” into something that creates proprietary “standards” that people have no control over, which lock them out of their computer (e.g., “secure boot community”), then projects like GNU/Linux become little more than another crappy “vendor UNIX”, which everyone hated due to the lock-in and incompatibilities.

Oh, you want to go make something else?

It won’t be compatible, it’ll probably have bugs if you try, but “you have every right to do that”, says Matt GULAG on his Twitter blog.

(In reference to IBM’s systemd. The creator of systemd now works for Microsoft. I’m assuming that Mr. GULAG was trying to bring his manure spreader of FUD to bear on Devuan GNU/Linux.)

Mr. GULAG has repeatedly defended Microsoft “Secure” Boot even though he himself admits that their Platinum-level OEM partner, Lenovo, has now sabotaged it to prevent Linux kernels from booting, either nearly entirely, on a laptop that was hard coded to only boot if the OS entry was Windows Boot Manager, or Red Hat Enterprise Linux, or on a very recent one that doesn’t enable the third-party certificate that his Linux implementation of “Secure” Boot needs to start up, and in which case Windows screws up your Bitlocker and potentially causes data loss on your Windows partition if you try to re-configure this.

I had another system, the Yoga 900-ISK2 that was sabotaged so badly that I filed a lawsuit against Lenovo in Illinois before they agreed to change it.

My reward? Mr. GULAG’s white glove character assassination, as usual. He only ever attacks defenders of Free Software, and people who write Free Software. He never attacks the rapists, stranglers, and pedophiles of Microsoft and their affiliates.

Peter Bright of Ars Technica? Posted pro-Microsoft articles constantly. Silence. (Tried to rape a 9 year old. Now in prison.)

Jeremy Soule of Microsoft Bethesda? Silence. (Raped a woman in the office, sent her a video of himself masturbating. Tried to force himself on an immigrant and threaten her immigration status if she refused. Quietly slinked away with no punishment.)

Alex Gravely of Microsoft GitHub? Silence. (Strangled an immigrant Latina woman and raped her. Court gave him a pre-trial diversion as pretend punishment.)

Rick Allen Jones? Silence. (Personal engineer of Bill Gates. Arrested in the Gates mansion after police found a Child Pornography dungeon in his house.) Silence from Mr. GULAG again.

I’ve never actually gotten him to offer me his opinion of those people or why we’re letting them form “communities”. The only community most Microsoft toadies should be in is that one under the bridge in Florida, obviously.

He only attacks defenders and writers of Free Software. He himself seems to be currently employed writing some proprietary software for these self-driving cars. Which don’t have a very good safety record. Many brands of these cars run over people and the company goes “Welp, thought she was a shopping bag! How little can we get the family to settle for?!”.

I’ve been driving for decades and haven’t managed to injure anyone. But money talks, and pretty soon we’ll all be forced onto the road with buggy/dodgy software and we all get to hope it doesn’t get in front of us and randomly slam the brakes or mistake us for shopping bags, because it will be the law.

But back to Microsoft… Microsoft has regrouped and changed its strategy, but the clear endgame is still against Free Software, and they have an army of useful idiots to help them.

Using difficult people as pawns to manipulate and pull apart communities is one of the center pieces of this strategy.

But as Robert Reich would say, “Don’t believe it!”.

If it seems like all you hear is good things about the corporate takeover of FOSS, it’s because they’re taking out all of their critics by any means necessary.

Don’t use Google Chrome. Bonus: Microsoft Azure Clown Computing

I’m sick of typing out why people should not use Google Chrome.

Instead, I can make this page to direct people to, which sums up the major points.

Even before Chromium (the base of Chrome) gets rid of the ManifestV2 API for browser extensions next year (2023), it has already deleted APIs that ublock-origin and NoScript depended on for security guarantees.

ManifestV3 just makes things much worse, again.

AdGuard has already made a prototype extension that conforms to MV3, and it’s completely terrible according to users. (Warning: Google link) Ads load and then basically get hidden, so that they can spy on you regardless of whether you see them or not. And the rules limit makes it very hard to even do that.

Soon, the choice will be to use something like this or to not use Chrome at all.

Not using Chrome at all is a better option, and you can move your bookmarks and passwords over to another browser now while there’s still time.

I’ve never used Chrome for my default Web browser and refuse to install it on any machines where I need security. Google is the major threat to your security when you have their software on your computer.

Just having their repository allows them to install anything they want on your computer, which won’t complain about it even if it replaces your operating system files with malware, because you imported their signing key when you installed Chrome.

(This is essentially the same situation people who use Raspberry Pi OS face with the Microsoft repository, which is enabled by default.)

Chrome is too dangerous to use on the Web, for many reasons.

Primarily because the company that makes it is an ad tech that gives it away for “free” because it is malicious software designed to run other malicious software and display advertising.

Most JavaScript is malicious software and not permitted to run in my browsers due to NoScript.

Chrome isn’t actually a Web browser. It’s a host for malware written by an ad tech.

People sometimes confuse Chrome for a Web browser because it does do that too for legacy compatibility (from Google’s perspective), but that’s not really its purpose.

Chrome’s primary purpose is to run Google’s replacements for the Web (Google’s Web apps) and make it really easy for Google’s ad servers to display ads and spy on you; its second purpose is to corrupt the Web sites that are not Google’s so that you cannot access them without Chrome.

Most Firefox “Gecko” engine development these days is simply implementing “fixes” for things that always worked fine before which don’t now, because of Chrome and other browsers that use Chromium.

Google doesn’t care much if you use another browser based on Chromium because the rendering engine helps them gain market share and convince Web developers it’s not important to support Web standards anymore.

As long as Google keeps getting major Web sites to throw out Web standards support and stick a page in your face that says to get Chrome, or to just break down in other browsers completely so you’ll give up trying to use them, they win.

The point of Chromium isn’t to do open source to be nice. It’s to grind down every other company that makes a Web browser and get them to throw in with Google.

Recently, ComEd, the electric company in Illinois, redesigned their site. It’s very nasty now. Hosted on the Microsoft Azure Clown. Demanding Microsoft Clown JavaScripts. Sending code that only works in Chromium and confuses SeaMonkey. And one of my banks stopped working in SeaMonkey for the same reason.

In the late 90s and 2000s, most people saw Microsoft Internet Explorer as this completely miserable pile of shit you only opened when you had to when you got some stupid bank that said “Sorry, try again.” in a sane Web browser.

Today’s Internet Explorer is “Google Chrome”, Microsoft Edge, Opera, and Vivaldi.

We can only stop this if we refuse to use it.

We can get around some problems that shitheads running certain nasty Web sites create with trivial workarounds, so they load properly in Firefox/LibreWolf, and perhaps even SeaMonkey.

I don’t even use Firefox/LibreWolf as much as SeaMonkey. I might spin it up to deal with my bank or power company.

I figured out that ublock-origin and NoScript work fine in SeaMonkey, you just have to use “legacy” versions of the extensions. Oh well.

Microsoft can’t even make their own Web sites work reliably enough to consider using. Why are other companies coming to them for VMs and hosting?

For the last few weeks, I’ve been getting errors instead of Outlook WebMail loading in every browser, with NoScript on, off, or not even installed. Sometimes it works, sometimes it doesn’t.

IMAP in SeaMonkey Mail has worked throughout 99% of whatever’s going on in there.

Unfortunately, Microsoft is still a thing.

They threw in the towel on trying to hijack the Web platform, and now in addition to their Edge browser being malware (just like all of their browsers have been), it props Google up as well.

I only use Outlook Mail as part of a general “I have all of the ‘free’ email addresses I can grab everywhere.” thing, so fortunately I wasn’t caused serious harm by the outages, but some people probably were.

Your bank and other Web sites are running creepy JavaScript that records your every action. NoScript can block that from running. Bonus: “Web Rot”

Your bank and other Web sites are running creepy “Session-Replay” JavaScript that follows you around the site recording your every movement.

You’re not “supposed to know” about this, but NoScript can block that from running.

I had a conversation with Matthew Garrett (alleged security person, actual drama bomb thrower) on IRC the other day about the “security” of JavaScript.

He had previously promoted it as a “great way of running untrusted code”.

Unfortunately, there’s just nothing secure about JavaScript. It’s the most widely abused platform in all of computing because almost everyone ends up running it without thinking of the consequences, and browsers which are instructed to do so, do it without bothering to allow any user control over the process in their default state.

If you can’t trust code, it’s better to not have it running at all.

Especially if it’s not doing anything to help you, and is proprietary.

Garrett said that “total sandbox escapes” where the program gets out of your browser sandbox and starts interfering with another tab or running arbitrary malicious code outside of any sort of confinement is “rare” to the point where someone would need to be “targeting you” and willing to blow a Zero Day exploit to do it.

That’s not exactly true as we see time and time again in the real world. But let us not hang ourselves up too long on what the Dalek of Social Justice has said.

If you drop a copy of O’Reilly’s book on Sixth Edition JavaScript from the kitchen counter, you’ll be walking with a limp for a while. Far from something that adds a little bit of “interactivity” to a Web page, JavaScript is a full blown computer programming language, Turing-complete, that can be used to write and run almost anything.

(I laughed the other day when I noted that someone had ported all of the LAME MP3 Encoder to JavaScript. It’s like, you could. But why? This is even dumber than online Office suites. People have spent years and lots of effort writing high performance encoding routines in C. Let’s make things worse and shove it to a Web server!)

Very little of what I do on the Web calls for something like JavaScript.

Nobody asked me if I wanted applications that run best on my computer, where I control them, where Big Brother is not looking over my shoulder, replaced by some online version on someone else’s computer that I may or may not be able to access, and if I can, it’s watching what I do with it.

I don’t use Services as a Software Substitute where I can avoid it, and the ones I do use tend to be licensed under the GNU Affero General Public License, which makes them Free and Open Source Software.

If I don’t like someone’s Searx search engine, I can use someone else’s. If I don’t like a Matrix (protocol) chat server’s moderation, I can go use another one. If anyone wants to know what the source code does, or make their instance work differently, they can!

Web applications don’t have to be malicious. It’s just that many of them are.

In general, every way that Microsoft’s proprietary software could hurt you before is wrong with their Web applications, and then they’ve invented new ways of being nasty as well. So thanks, no thanks.

The people who invented the Web and the earliest browsers (such as Marc Andreessen, who said as much in 1994) wanted to keep it lightweight. The ideas of JavaScript and even Cascading Style Sheets were controversial.

They knew that if these “features” were added, the consequences would be severe. And they are severe!

The Web has basically become Microsoft Windows. Bloated, fat, slow, and requiring a new computer every 4-5 years because of how painful things get. Features that are only useful to advertisers and marketers and spyware and other parasites being bolted on with no debate by Google and Microsoft, and tossed in by Mozilla and Apple “for compatibility”. Worse, it’s all impossible to secure and it’s rather embarrassing how complicated the standards are to get it to do much at this point. (There are starting to be chat servers implemented in GeminiSpace. But on the Web, you need to run a 600 MB tab for that!).

Worse, the Web rots. It’s become mostly a spam farm. Things disappear. Domain squatters come in. All your links go to a scam now. The entire thing has become so balkanized by megacorporations that come and go that if you use those “services”, every 10 years you have to figure out where all the people you used to talk to are.

We have to start backing away from standards that are hacked together by companies that won’t exist in a few years based on speculative business plans, many of which ought to be criminal.

Attackers take advantage of whatever they can.

They take advantage of poorly coded applications, gaps in security policy whether deliberate or accidental (some Windows malware includes the calculator from Windows 7 to get past User Account Control and evade virus scanners, for example), or software distributors like Apple which do not ship Web browser security updates quickly (giving the attackers time to study the fix and start exploiting a long time before most users are patched), or users who do not apply fixes.

Recently, Apple had to rush two emergency fixes for the kernel in Mac and iOS and for Webkit (Safari) for zero day vulnerabilities, and it’s hardly even like it’s rare for in-the-wild attack code to be targeting these platforms.

A while back, China attacked and targeted Uyghurs using a Safari vulnerability in the JavaScript engine. They’re not the only nation state that hoards software vulnerabilities. The US FBI and NSA are known to do it.

But aside from the sandbox escapes and arbitrary code execution, there are the privacy problems that Tracking and Session-Replay scripts cause.

According to an article from VICE from 2017 (compacted with NewsWaffle and archived), at that time, 482 of the top 50,000 Web sites had JavaScript programs that followed the user around and recorded things that can even include keystrokes that aren’t “submitted” yet, and mouse movement patterns, and some even tie your activity to your real identity.

This is….super creepy and super sketchy!

Richard Stallman’s JavaScript Trap essay pointed out that many users end up running non-Free JavaScript programs without thinking much about it. I pointed out in an earlier post about how much I like the add-on NoScript.

In many cases, JavaScript is bloated, it’s spyware, it’s proprietary, and at the very least, it does something unwanted and aggravating, such as powering news site paywalls.

Firefox, some time ago, joined the majority of Web browsers in removing the user’s ability to turn off JavaScript globally, but NoScript can add this back. You can do whatever you want to. You can whitelist domains that are “Just Enough” to make the site work.

Even browsing in the non-default mode of “Temporarily Allow All Top-Level Domains” would provide a lot of protection from malicious, annoying, and bloated third-party scripts without forcing you to do too much manual intervention.

But it isn’t even like JavaScript engines really are that secure. By the time Mozilla finally does declassify security hole fixes for a Firefox release, you can go back and easily see that the majority of really nasty ones involved JavaScript, so the more domains you have it coming in and executing from, the more likely one is to come in and do _something_ nasty.

Odds approach 100% very quickly that your browser is running some kind of malware without telling you.

It’s bad enough when programs are “legitimate” in the sense that they are what they say they are, do something useful, and just won’t tell you how they do it. That’s what Stallman’s complaints were in The JavaScript Trap.

Unfortunately, there’s never been a more useful language to abuse the user with, or a better place to run it, than JavaScript in a Web browser.

Admitting defeat and turning it all on out of laziness simply ensures that you will be encountering serious malware at some point.

Unfortunately, the JavaScript Problem is bigger yet than proprietary software and malware running behind-the-scenes. Some site owners set their Web sites to simply lock out people who are using Tor Browser, a VPN, or just simply have JavaScript turned off.

CloudFlare, a Web cancer that just keeps growing bigger, now hosts about 1/5th of major Web sites and about as many smaller ones too, and has convinced site owners to set “security” settings high to bounce people who fit these categories. I’m a VPN and Tor user with NoScript, so I run into problems with those “Checking your browser” pages somewhat frequently.

The other day, I was trying to look at an article on Bleeping Computer, and CloudFlare blocked me for using my VPN. So I opened up Opera, which I only occasionally use because CloudFlare blocks their Opera “VPN” (proxy) except in the EU for some reason, so I had to view the article in Opera and then close Opera.

JavaScript is a major annoyance on banking Web sites. One of the advantages of running NoScript and just whitelisting the top domain for the bank is that I use 6 banks, and they all work with just first party scripting turned on. The rest is Session-Replay, data analytics, and other crap and garbage.

Why do I want some creepy third-party script looking over my shoulder while I’m banking or using any Web site for that matter?

When I went to the United States Social Security Administration and the Internal Revenue Service, I even found Session-Replay scripts that they were attempting to load from third-party domains!

Once again, with these scripts excised from the site, the functionality I wanted to use still worked. With your Web browser’s default settings, spyware companies are recording your actions even on government Web sites that you have to use!

I counted at least six tracking companies monitoring your usage of the Social Security Administration’s site. They’ve even outsourced compliance with the Americans With Disabilities Act to a tracking company that records your session!

On top of the security and privacy concerns are more practical ones.

Some JavaScript malware is designed to commit theft of utilities. Some sites resort to “mining” cryptocurrency with JavaScript and WebAssembly (which NoScript also handles). This runs your CPU hard and causes your power bills to rise as your battery life falls.

Firefox, indeed most major Web browsers, now have some sort of anti-cryptomining feature, but nothing’s perfect. The fewer sites even have the permission, the less chance they’ll get one of these loaded.

Tracking scripts also take resources to run. They slow down page loads and instruct your computer to do things. That’s not “free”.

The Web site owners don’t want to make a big fuss about all of this crap that they load, because when you investigate what the companies are telling them, it’s usually like, “We can help you monetize your site and optimize your search engine results and tell you all of these things about your visitors and what they do.” Stealing your resources to benefit themselves is what they do.

How does this compare with ad blocking, or running add-ons such as Decentraleyes?

Ad blocking and Decentraleyes (which hosts commonly used Web frameworks locally to avoid Content Delivery Network requests) complement NoScript and add to the privacy you can expect to gain from it.

uBlock-Origin (an ad and tracking blocker) is already a pretty big hammer. It will block ads and tracker lookups completely if they’re in your blacklists.

Unfortunately, many things are not included for whatever reason. They tend to give priority to not breaking anything on a site you could conceivably want to use, and there have been cases where tracking companies used the US DMCA to be removed from ad blocking lists. So it’s not bulletproof. There are too many things that slip past them, and that’s where NoScript comes in.

Between these things, you should be able to reduce your browsing data usage by about half.

There are a few other extensions I really like, such as Google Container. I don’t use Google very much (preferring the Free and Open Source Searx instances) and I’d like to stay logged in, but not outside that container (so Google can’t easily track me in general across the Web).

As I’ve increasingly focused on Gemini (such as Chilly Weather and the NewsWaffle on Gemi.dev) instead of the Web, I’ve found few cases where I actually need JavaScript to run to power something I want or need to do on the Web.

Ironically, writing this blog post about JavaScript requires me to run some JavaScript.

Even then, not all of the domains that the WordPress.com editor wants to load are necessary, and when I go to read blogs, I don’t need JavaScript at all. You don’t even need a graphical Web browser to read this. You can load it in text browsers that don’t even support JavaScript, with cookies turned off.

You should block most of WordPress’s JavaScript. I think most of it comes from analytics sites.

As I continue looking into an escape from the Web for most activities, I still occasionally need to watch a video or refill a prescription or make appointments with my doctor, or use some dumb banking site, and pay my taxes. Unfortunately, thanks to JavaScript being as widely abused as it now is, you need NoScript to make sure that these creepy programs can’t run.

I’m considering moving to a Gemlog instead of WordPress, but I’m going to have to learn how to do that so it may be a while. Eventually, I would like to leave an “I’m not here anymore. Use Gemini.” message on WordPress.

We’ll see when I manage to get around to this.

Until then, turn off your JavaScript, mostly. The Web is more pleasant when there’s less of it.

Although I mostly read news in the NewsWaffle, most of the annoyances and slowdowns (bloated JavaScripts, annoying videos, tracking) are gone from news sites with NoScript. Even when I load a CNN article with uBlock-Origin and NoScript, it comes up instantly. CNN is infamous for its terrible page load performance.

You can get NoScript here:

Firefox Add-Ons / Homepage

License: GNU General Public License Version 2

There is also a port of the extension available for Firefox on Android.

Unfortunately, iOS users will just have to live with JavaScript. The version of Firefox on iOS isn’t the real Firefox with Gecko. It’s a neutered version that has to use the same engine as Safari by diktat of Apple.

Unfortunately, this means Web browsers on iOS are insecure and impossible to fix, and issues such as the one Apple rushed an emergency fix for cannot be user-mitigated by blocking active content.

Lynx: For a Matthew Garrett-free Web browsing experience. Bonus: Which news sites are worth reading? (Not the Bill Gates ones.)

I tried to load Matthew Garrett’s Dreamwidth blog and Twitter account in Lynx. He says he’s an “Open Source” developer, but you can’t read anything he says without running proprietary software. (Which is just as well.)

Here’s his blog:

HTTP 401: Forbidden / I can’t read it because of ClownFlare demanding JavaScript, cookies, and images for a CAPTCHA puzzle.

And here’s his Twitter:

No Twitter because he’s on a platform that makes you log in and use JavaScript.

The modern Web is crap, because it’s unusable if you value your sanity. Mr. Garrett claims he’s an Open Source developer, but at the same time uses platforms that don’t even allow you to read his blog without proprietary software (JavaScript programs are usually proprietary software), images (bandwidth hog), and other nasties.

This highlights one important difference between Open Source and Free Software people.

Open Source people don’t give a damn about Freedom, to the point where they will demand that you use proprietary and nasty things just for their own convenience, like JavaScript, logging into Twitter, or Microsoft document formats.

Most of the time, if you load my blog on WordPress using Lynx or NewsWaffle, it works as well as can be expected. There won’t be any images with Lynx, but I wouldn’t use something that gives you 401 Forbidden, hard requirements on JavaScript, or has a ClownFlare blockade. NewsWaffle may not be able to format it 100% into GemText properly, but with more work to handle WordPress it can be adapted.

The only way to get at Twitter on Lynx seems to be to use something like Nitter, which mirrors Twitter and doesn’t demand that YOU use their proprietary JavaScript code. This way you can read people’s tweets as text if you like.

Here’s a Twitter account in Nitter on Lynx:

President Biden @potus on Twitter, through Nitter.it, in Lynx. I don’t know why you’d follow it, but it’s a government account subject to open records laws….yet it’s on Shitter and you can’t read it without JavaScript and you’ll get a demand to log in and identify yourself if you scroll. This is a big problem!

Many Web sites are difficult to use in Lynx on a good day, but I’m trying to drastically cut back on my dependence on graphical Web browsing because it’s so incredibly frustrating. When all you want to do is read some text, they waste time and screen space with JavaScript, images, videos, style sheets, and more.

If people have something important to say, they should be able to use their words and publish it in a way I can scroll through and get at the text.

I recently blogged about using NewsWaffle in GeminiSpace to get at the news. This often works out better than loading the Web version in Lynx, but Lynx is not totally useless; it just appears to be harder to get around in most of the time than turning a Web site into Gemtext.

How “news” works in America.

CNN is unusable in Lynx, but you lose nothing because it’s CNN. It works in the NewsWaffle though.

“These are the Amazon Products we love!” “January 6th Commission January 6th Commission January 6th Commission…..JANUARY 6TH COMMISSION JANUARY 6TH COMMISSION JANUARY 6TH COMMISSION!” -CNN News

I noticed NPR is total crap lately too. It works in the NewsWaffle and in Lynx though. I came across an article today that blames people for being poor and says it’s all about their reckless spending on a can of coffee, living in a home, and subscribing to streaming.

They then proceeded to say you could listen to NPR by purchasing an iPhone and subscribing to their Spotify podcast.

I noticed that neither CNN nor NPR are listed in the NewsWaffle, but they work with it if you type them in manually.

Maybe the person maintaining it doesn’t want to get involved with the Amazon News and Bill Gates-sponsored White-shaming and poverty shaming that’s going on over at NPR. Who knows?

Much of “the news” is credibility zero these days, especially the ones you don’t pay for. I’ve noticed the ones that have their hands out and paywalls actually have better stories that usually have some point to them once I get past the paywall. NPR takes so much money from people like Bill Gates, and outfits like Microsoft, Amazon, Walmart, Koch Industries, Exxon, and more and gives them shout outs while you’re in the car using them for background music.

“This article about Amazon workers trying to organize brought to you by the company that is threatening them for organizing. Amazon…..When you need a tuba, some blu ray discs, and three packages of chocolate covered cherries at 4 AM….Amazon.”

I’m very concerned with what’s happening to “the news”, at least as much as “the Web”. They’re in a state of terminal rot and corruption to the point where it’s almost a gift that you can’t read some of this bullshit in a way that preserves some of your sanity.

For example, many are reporting that Senator Joe Manchin of Virginia is blocking a new spending deal because he’s “worried about inflation”.

What they’re not reporting on is that taxing the rich to reduce the federal deficit would LOWER, not increase, inflation. By refusing to tax the rich, the Senator from West Virginia is forcing the federal government to create and borrow money, INCREASING the inflation he is complaining about, to spare unproductive billionaires like Elon Musk, Bill Gates, and Warren Buffett from having to pay taxes while they get to play “Who can die with the most money and leave it to kids who never did a damned thing?” during the most screwed up time in American history.

Elon’s dad just had another one with a woman 45 years younger than him and then stated “the only point of being on Earth is to have kids”. That’s disgusting and the media praises this. Rich pervert, good. Rich people have better genes and make better babies. (sarcasm) If you do it, people will look at you like “Oh man! Sick!”

The only advantage I’m seeing here, other than the guy owns an emerald mine and can leave them money, is that when she’s up in the middle of the night she can change both their diapers at the same time.

More alarming, however, is the fact that there’s more “Billshit” than ever in the news this week.

A total “Billshit” overload.

I use the shorthand “Billshit” and “Bill Sez” to describe articles that Bill Gates has corrupted “the news” into publishing as puff pieces and reputation laundering. It’s almost always some sort of “Duh, that was obvious.” aphorism that for some reason managed to go on for 8 pages, or how he’s “giving away his money” even as he’s doubled it in the last ten years.

The latest Billshit that was in the “news” was about Gates “donating” $20 billion to his fake charity, the Gates Foundation. His ex-wife, Melinda, is still on the Board and in the Foundation’s name, even though she divorced him and cited his close friendship with Jeffrey Epstein as one of the reasons. If Gates is donating $20 billion, it’s because he has a plan to make $40 billion with it.

One of the things Gates is doing that is finally gaining some attention, although not nearly the “red alert!” level of attention it deserves, is buying up American farmland and becoming one of the biggest absentee landlords to people who actually work the land. The only thing he does contribute is a loss to Americans in the form of higher grocery prices.

The rents that farmers have to pay to Bill act like a “tax” that goes to him and increases the price of food, during an already terribly shitty year of high inflation and societal breakdown.

This isn’t philanthropy. It’s larceny. It’s one of the greatest thefts and crimes ever committed against the citizens of the world, which rely on American agriculture.

By paying the media to either not cover it or not cover it for what it is, he gets away with it.

Microsoft, the company that he co-founded, is embroiled in all sorts of scandals, including the Foreign Corrupt Practices Act, for a huge foreign bribery scandal going into at least the hundreds of millions of dollars.

They know exactly how to get away with crime.

Crime pays, but to get away with crime, you have to pay the people who enable you to commit the crime, who so seriously misinform and “un-inform” the public, who write tax codes and patent and trade laws, and who avoid passing laws to prevent things like parasites from owning farmland.

It’s tragic to see NPR turned into another crack den where the American public goes to be gaslighted. George W. Bush put them on this track when he passed a bill that mostly defunded them.

Countries that mandate that their news be neutral and 100% funded by tax receipts get something far less corrupt than the Corporation for Public Broadcasting.

And no, you made no difference to the level of corruption at NPR, at all, for donating $20 15 years ago to get a coffee mug. Sorry.

Shaming people for buying food and paying rent now!

Like these are luxuries that they should have “planned better” for when they can’t get a good job and the cost of living is going up twice as fast as the government admits to. Putting an adulterous pedophile associate on a pedestal and dubbing him Saint Bill of Gates.

Saint Bill of Gates has a reading list, and a solution for everything. The Billshit and the Bill Sez told me that he knows how to solve COVID and Global Warming. So it must certainly be true. Causing global hunger is “Philanthropy”. The Billshit said so. 😉

Firefox for Android no longer gives the user control over the browsing experience. Privacy Browser turns off JavaScript by default.

Firefox/Fennec for Android no longer give the user significant control over the browsing experience.

The browser that said it was on a mission to enable users to “take back the Web” has been falling from grace for years, starting with the Digital Restrictions Malware module, Widevine, and then quickly moving to remove a lot of features and then relegating them to extensions, which were then neutered in order to make them easier to port over from Chrome.

But nothing has made me more upset than what has happened to Firefox (or Fennec, the Free and Open Source version) for Android.

Mozilla’s move to GeckoView rendered over 99% of all Firefox extensions incompatible with the mobile browser, including bypass paywalls, and there is no longer any way that I’m aware of to turn off JavaScript.

Major news Web sites like the New York Times are now unreadable in Firefox for Android because I can’t simply block their paywall like I can in my desktop browser, so I decided to try out Privacy Browser for Android, which is in the F-Droid store.

As the name implies, it disables many privacy invading Web technologies like JavaScript, by default, but you can turn them on again if you want to. In my experience, many news Web sites that load paywalls work in Privacy Browser because the JavaScript that enforces their paywall fails to execute. So now whenever I run into a paywall, I have to switch to a different browser.

Privacy Browser can work with the Tor network Orbot program, but it would be better to use Tor Browser itself if you need actual anonymity, as Privacy Browser relies on the Chromium WebView engine and that is proprietary and Google makes it very difficult to properly secure.

The Privacy Browser maintainers say that they plan on forking WebView into “Privacy WebView” and bundling it in version 4.0, which will definitely deserve another look.

Right now, I’m not using it expecting privacy. I’m using it because Mozilla is making Firefox impossible for the user to control at all, and in many cases I don’t want JavaScript on anyway.

JavaScript has utterly ruined the web, so why does Brendan Eich get congratulated? Bonus: Gemini rising.

Cory Doctorow has recommended the NoScript extension in the past. So do I.

For some years now, the web has been getting fatter and fatter. You’d be hard pressed to find anyone who thinks it’s doing much more for the user than it did 20 years ago (except maybe for native media codecs instead of Adobe Flash). Overall, it’s turned into less of a decentralized and open domain for the free exchange of ideas and code and people’s web logs, and more into a corporate shithole of Google, Facebook, and Cloudflare.

In Richard Stallman’s “The JavaScript Trap” essay, he wrote that “web apps” are a danger to computer users because they encourage the use of non-Free software when the user doesn’t consider the problem. That they are applications, that they are written in ways that obscure how they work, that they are copyrighted and proprietary, and…even worse, they run on someone else’s computer, and they can stop you from using them at all after you need them, and spy on you.

I’ve never, personally, seen anything dumber than an office suite you have to be online to use, and apparently enough people agreed with me even if they won’t just switch to LibreOffice, that Microsoft backpedaled from their previous position that there would be no more desktop program, and announced new versions of the desktop Microsoft Office.

In fact, Microsoft’s office programs today are a huge regression over even their own products 20 or 30 years ago, when there was no annoying product activator and this web app nonsense that requires you to be online to edit a document, and then be “encouraged” to save them all to your OneDrive account where the government has access to everything. Also, Microsoft is the second largest advertising network on the internet after Google, and now they can parse anything you’re stupid enough to save on their cloud. (Plus, if you want to use MS Office 95 forever because reasons, Wine runs it just fine.)

So, even if you care nothing for software freedom, you should care about how these applications are taking away control you used to have over your computer, even with a proprietary desktop program. I’ve used LibreOffice for a long time, and the biggest improvement to Chromebooks ever was when they got the Linux subsystem (with Debian) so you can actually run local programs and turn it into something more like a real computer.

As a software _developer_, it may make sense to reuse your existing knowledge of web programming to make desktop applications.

But as a user of applications, it’s extremely annoying to be “asked” to use this hulking monstrosity that runs on Electron (which does the same things, usually, as a browser tab in the browser I already use….hello Element!), or in some bloated browser app.

I have the programming manual for JavaScript 6th Edition from O’Reilly, and the book is easily larger than most books on C, so I don’t really get why people want to write applications in it, other than to foist something nasty on the user, which s/he cannot control.

Only optimized and native code runs with good performance, and native code can be portable code easily enough if you’re competent, write it well, and use common toolkits and abstraction layers (not all of which are particularly heavy). Even the best implementation of a JavaScript runtime can only come to about 70% of the performance of a native application, and if you make native applications, you can take pride in your work.

You can present it to the user and say “I thought enough of you to write this instead of making you use some horrible contraption that pegs your Core i9 and swallows RAM by the gigabytes.”

Then there’s the issue of unnecessary and malicious scripting.

Many sites use their users. They run advertising scripts, and tracking scripts, and fingerprinting scripts to track them even if they clear cookies and run an ad blocker, and they even use scripts to make your computer mine cryptocurrencies for them. And even when JavaScript is not being used maliciously, it’s quite often pointless. It’s just bags and bags of garbage to add some bling bling. And if you run less of it, you’ll also be more secure, because some of that unnecessary code could even be exploiting a vulnerability in your browser engine.

Once you trust the top-level domain of your banks and some other stuff, you find that 90%+ of the scripts out there are avoidable, and that you’re so much less annoyed (after a while, you’ve whitelisted most of what you want and the workload goes down, and you can export your settings to load into other browsers) that it was worth the effort.
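To see what trusting only a site’s own domain actually leaves out, here is an added example (not from the original post) that sorts a page’s script tags into first-party, third-party and inline. The sample HTML and every hostname in it are constructed, `siteOf` and `auditScripts` are hypothetical helper names, and the “last two labels” rule is a simplifying assumption that does not consult the Public Suffix List.

```javascript
// Constructed sample page: two first-party scripts, two third-party
// scripts, and one inline script. All hostnames are placeholders.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.bank.example/vendor.js"></script>
<script src="//replay.tracker-one.example/rec.js" async></script>
<script src='https://stats.tracker-two.example/a.js'></script>
<script>console.log("inline");</script>
</head><body></body></html>`;

// Assumption: a "site" is the last two DNS labels of the hostname.
// Real suffixes such as co.uk need the Public Suffix List instead.
function siteOf(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Classify every <script> tag relative to the page that loads it.
// A regex scan is enough for an audit of static markup; it does not
// see scripts that other scripts inject at run time.
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const firstPartySite = siteOf(page.hostname);
  const first = new Set();
  const third = new Set();
  let inline = 0;

  const tagRe = /<script\b([^>]*)>/gi;
  const srcRe = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const src = srcRe.exec(tag[1]);
    if (!src) {
      inline += 1; // no src attribute: code embedded in the page itself
      continue;
    }
    const raw = src[1] ?? src[2] ?? src[3];
    let url;
    try {
      // Resolves relative and protocol-relative URLs against the page.
      url = new URL(raw, page);
    } catch {
      continue; // unparseable src: nothing would be fetched
    }
    const bucket = siteOf(url.hostname) === firstPartySite ? first : third;
    bucket.add(url.hostname);
  }

  return {
    firstParty: [...first].sort(),
    thirdParty: [...third].sort(),
    inline,
  };
}

const report = auditScripts(SAMPLE_HTML, "https://www.bank.example/login");
console.log(JSON.stringify(report, null, 2));
```

The `thirdParty` list is the set of hosts a script blocker leaves untrusted when only the site’s own domain is allowed.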

The totality of the JavaScript Trap isn’t just that most of it is non-Free and malicious, it’s that it’s just not good. As in efficient, desirable, anything positive.

I’ve also been perusing “Gemini Space”, which is an alternative to the web that was designed to be simple, lightweight, secure, and text-oriented. That’s not to say it isn’t beautiful. The Lagrange browser makes it pleasant to look at in various ways, including colorizing the text. It’s fun, and it’s a way to get past all of this web nonsense and back to hearing what normal people think.

Gemini is still small, but it’s growing pretty fast and there’s even web to Gemini relays so you can read the news and stuff more pleasantly.

Lagrange is pretty easy to install, since there’s an AppImage. Just drop it somewhere, mark it as executable, and double click.

(I checked the Flathub repo, but laughed, as it wanted over 700 MB of dependencies to bring in a 20 MB program.)

When you see people discussing Gemini, it’s with the point of view that you _can_ achieve the same things using a subset of the very bloated web platform, in a web browser, but they miss the point.

Sure, you can load just about any page that’s out there from back in the day, even in quirks mode, and have it work in a current web browser, but the browsers themselves have become an operating system. A bad one.

The corporate takeover that infested the web with these bloated and semi-incomprehensible “standards”, and DRM where you aren’t allowed to know how it works, and “HTTP” that’s now a binary protocol that would be difficult for something like Privoxy to rewrite, and HTTPS, which relies on signing certificates that are controlled by mega-corporations, is what got us here to begin with, and Gemini is a middle finger to all of this. It’s designed to be easy to learn, easy to share information with others by, quick to load sites, impossible to implement JavaScript-style malware in, and to resist what happened to the web.

In the late 1990s, the web was, relatively, a beautiful place, compared to now. If you wanted to blog, you’d just write some simple HTML template and then add pages to your site. I even had a website. The browsers to handle all of the W3C standards could be had in as little as <1.5 MB. At one point, Opera (then a different browser and company) fit onto a single floppy disk. They were a portable app before it was cool.

Firefox today requires about 1.4 GB of space between its files and the cache it uses. (In floppy disk terms, about 1,000 of them.)

Worse, Microsoft is porting their shitty borderline larcenous ripoff of Chrome to Linux, which gets you Microsoft spyware instead of Google’s. Well, that’s better. Plus, it’s missing the only comprehensible reason anyone would ever open it on Windows. It can embed the zombified guts of Internet Explorer for some corporate intranet site that falls apart in anything else because the consultants who understood how it works are retired or dead now.

Over on Windows, the browser situation is just a self-parodying gag of how Microsoft the company has lost relevance and is falling apart and their only selling point is compatibility with the stuff produced by their monopoly trash from 20 years ago.

Windows 11 is a lot of things. Svelte and modern are not among those things. It’s got hundreds of GB of trash out of the gate (and not counting trickery involving file system compression) and no useful software included. Just trials and freemium crap. They give the illusion of simplicity by taking buttons out of the file manager.

Nobody who actually isn’t paid to fix problems with Windows or say they love Windows has anything good to say about it. When I do click on ZDNet, I wish I hadn’t.

It’s said that when someone once asked a tomato farmer why the tomatoes he grew for giant supermarket chains tasted bad, he replied, “They don’t pay me a penny for flavor.” Microsoft pays ZDNet to regurgitate scripts that were handed to them, to say things without making it obvious who is saying them. It’s a form of information (or in this case, disinformation) laundering.

In fact, most of what real people are saying about Windows 11 would get you fined as if you caused a nuclear power plant to melt down if you said them on the radio.

In closing, the tl;dr version is modern software is hell. Don’t be like those people. Please value the people who will have to use what you create and make something you’d be proud to use yourself. Don’t be like Brendan Eich. The homophobe who ruined the web.