Worrying out loud about JavaScript


Too many scripts!

As I said with the Ghostery Firefox extension back in May (Ghostery Mozilla Firefox extension review), it bowls me over when I go to some sites to see just how much sneaky crap is going on behind the scenes, and how most people simply have no idea. With NoScript, I'm starting to see the same thing, and it's rapidly getting much worse.

NoScript of course is a simple extension that blocks all JavaScript from executing in your Firefox browser unless you specifically authorise it; in security parlance it's an "opt in" system. Above all others, it is the primary reason I use Firefox.

So many scripts!

The point of this post though is to do with the sheer number of JavaScript snippets that are attempting to run, even compared to a few years ago. When I started using NoScript I was lucky to see half a dozen JavaScript snippets attempting to run, thesedays it seems to be the norm.

Now having a trillion different things trying to run on a page perhaps is to be expected with so many external Web 2.0 services jostling for our attention all over the place now, and the number of scripts attempting to run doesn't necessarily translate to less security and privacy, but I am becoming increasable wary of the direction things seem to be heading.

Why Worry? (apologies to Chet Atkins)

More scripts are a problem. Each script introduces a new potential vector for attack, meaning the more we have the greater the surface area of the target we're wearing on our backs as we browse. Unfortunately as this progresses tools such as NoScript could potentially become less effective for the same reason the Windows Vista UAC system ultimately failed; as we start to drown in the sheer number of scripts, picking out legitimate scripts from sneaky ones is also only going to get harder which means many people will simply give up and allow all scripts again, defeating the purpose. As more pages start to depend on scripts to operate, so too will people's frustration.

I just shudder to think all that nonsense would be running unfettered in my browser if I didn't have an extension like NoScript for Firefox, and it makes me shudder even more that the vast majority of internet users don't use such a utility.

It also makes me wonder just how many of these scripts are really necessary at all and whether they're also systematic of a broken web architecture that's failed to keep up with what we've ended up using it for. As with Flash, will HTML5 help to alleviate some of the need for client side scripting?

Author bio and support


Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person. Hi!

The site is powered by Hugo, FreeBSD, and OpenZFS on OrionVM, everyone’s favourite bespoke cloud infrastructure provider.

If you found this post helpful or entertaining, you can shout me a coffee or send a comment. Thanks ☺️.