From an announcement to the bug-gnuzilla list today <https://lists.gnu.org/archive/html/bug-gnuzilla/2021-10/msg00001.html>:

> The extension is[...] currently under the name of JavaScript Restrictor but it will be renamed to JShelter soon.

FSF funding announcement: <https://www.fsf.org/news/fsf-announces-jshelter-browser-add-on-to-combat-threats-from-nonfree-javascript>

Discussed two days ago: <https://news.ycombinator.com/item?id=28736113>
I’d love to see this kind of functionality built into Firefox. I’ve tried running without JS entirely but too much of the web is broken. But a pared-down JS, that might work!
Is there any concern that limiting JavaScript's functionality could cause unexpected behavior? E.g., your credit card is charged upon checkout but the next part of the payment flow isn't triggered and your order isn't actually placed. Or, some DDoS protector thinks you are the same agent as everyone else using a similarly restricted config.
The protection levels and chosen restrictions for the default protection level 2 seem considerate [1]. Welcome back to the Web of 2003.

[1]: https://polcak.github.io/jsrestrictor/levels.html
One thing that I've been thinking is that in addition to restricting what APIs JS can access, the browser could restrict *when* JS can run; in practice I guess that'd mean what events are allowed to trigger JS. Most importantly I'd block the stuff that runs automatically in the background, such as scroll/hover/timer events, and allow stuff that represents more explicit user actions such as form submit events.

Not sure if such a thing would be really feasible without breaking half of the web, but I envision that it could bring nice perf improvements and block many sorts of nasty user behavior tracking.
Would be nice if it spoofed the fonts API. It's a stupidly easy way to fingerprint a browser but it seems like no one has yet been interested in thwarting that.
I know this is a small (and probably petty) complaint, but this website seems to have a fixed width larger than my screen, which means I have to scroll horizontally to read.
When I see this particular behaviour on sites, it usually lowers my opinion of the content I am reading, and in this case, a site about JS, I feel like there isn't an excuse for it.
Neat idea, though it's not really a sandbox or anything. It's doing a lot of clever renaming and wrapping. Which is all you could do as a browser extension. Still helpful, but the descriptions on the page make it sound like it's a deeper set of protections.
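
A sketch of the "wrapping" approach the last comment describes, as an added example that is not JShelter's code and not part of the thread: a timing API is replaced with a wrapper that coarsens its result, while a reference taken before the wrapper was installed still returns the full-precision value, which is why this is API wrapping rather than a sandbox. The fake `page` object, `wrapMethod`, `coarsen` and the 100 ms step are assumptions for illustration.

```javascript
// Constructed stand-in for a page's global object, so the example runs in
// plain Node. A real extension would patch objects in the page's own context.
function makeFakePage(clockMs) {
  return { performance: { now() { return clockMs; } } };
}

// Replace obj[name] with a wrapper that post-processes the original result.
// The property is locked so later page code cannot simply assign it back.
function wrapMethod(obj, name, transform) {
  const original = obj[name];
  const wrapper = function (...args) {
    return transform(original.apply(this, args));
  };
  Object.defineProperty(obj, name, {
    value: wrapper, writable: false, configurable: false, enumerable: true,
  });
  return original; // kept by the wrapper's owner, never handed to the page
}

// Round a timestamp down to a coarse step (assumed value: 100 ms).
function coarsen(stepMs) {
  return (t) => Math.floor(t / stepMs) * stepMs;
}

function demo() {
  const page = makeFakePage(1234.5678); // constructed sample clock value

  // Code that ran before the wrapper was installed holds the original function.
  const earlyRef = page.performance.now;

  wrapMethod(page.performance, "now", coarsen(100));

  // Assigning the original back fails: silently in sloppy mode, with a
  // TypeError in strict mode. Either way the wrapper stays in place.
  try { page.performance.now = earlyRef; } catch (e) { /* strict mode */ }

  return {
    wrapped: page.performance.now(),       // coarsened by the wrapper
    early: earlyRef.call(page.performance), // full precision, wrapper bypassed
    stillWrapped: page.performance.now !== earlyRef,
  };
}

console.log(demo());
```

The `early` result is the design constraint for this kind of extension: wrappers have to be in place before any page script runs, and they only cover the entry points that were actually wrapped.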