This isn’t a GQ-style “what button do I push,” but an IMHO “what’s your style” kind of question. I wonder what other people do and why.
For starters, I’m pretty privacy concious. Not that I have anything to hide or think anyone is interested in my special little snowflakedness, I just don’t want sites and companies to know who I am, where I’ve been, what I’m doing, etc. It’s a quixotic attempt to say the least. Anyway, that translates into being very stingy with what sites I allow to run code (and a lot of other paranoia-like practices).
On my personal computers, I typically don’t use the ‘allow x.com’ choice off the right-click menu–it’s almost always ‘temporarily allow’. That’s my most questionable habit. I permanently allow the Dope and a few other sites that I regularly visit and need functionality on, but for the most part I’ll ‘temporarily allow’, whether I think I’ll ever visit a site again or not.
In getting a page to work, I’ll start with the root domain, then if it still doesn’t work I’ll pick the next most likely sounding name to temporarily allow. I avoid allowing ad-sounding or incomprehensible domains.
If I get fed up or there’s too many to run through, I’ll usually just leave the site. On rare occasions I’ll ‘temporarily allow all’ if I know and trust the site or open the target in an unprotected session on a virtual machine.
I’ve also added several domains (Facebook, Twitter, adwhatsit etc.) to the ‘untrusted’ zone so they never show up.
So, is it rare to rely mostly on the ‘temporarily allow’ option? Absurd? What do you do?
I use YesScript instead, which is a blacklist of sites to block JavaScript for. I think this usage is possible with NoScript, but more complicated to setup. I only have maybe 5 or 10 sites listed on it, so it’s easier for me to add the sites to block, rather than the sites to allow. Although there are some sites I usually block, but often have to allow temporarily. YesScript doesn’t handle this well, as there’s no simple way to temporarily block or unblock a site.
When I tried NoScript many years ago, it seemed I was always having to click something or adjust some setting to get a site to work. Has this gotten better? Maybe I was just using it wrong?
You mention being privacy conscious and tracking concerns. I use DoNotTrackMe and/or Ghostery to prevent tracking. Does NoScript do something similar, or do you still need to use one of those?
I’ll use temporarily allow in waves to get functionality if something’s broken. If it’s someplace I expect to go to on a regular basis I’ll make it permanent. That still leaves a lot of scripting blocked on many places I visit. If someplace is skeezy in the first place… shields stay up and I just ignore what seems to be missing.
Blocking things like Flash and scripts and such used to work better, when it was less commonly used and mostly by sites that were either suspect or annoying. These days… I don’t see how the average user can navigate the web, usefully and without a lot of frustration, with scripting blocked. I’d class it as an outmoded form of protection (at least, on any wide scale).
I wish I trusted the anonymous browser mode more - especially after the latest FF hijinks with search engine changes etc. Does raise the question of where their tech-whoring stops…
I don’t use NoScript, because frankly that’s overdoing it. A huge amount of webpages use javascript for basic tasks, as you well know. And it’s not going to go away or stop being used anytime soon.
I use YesScript, in which if I believe I am going to a questionable site I simply blacklist it before clicking the link. I have never had a problem with javascript exploits while operating in this fashion.
I do, however, block flash by default with Flashblock with exceptions for places like Youtube and LiveLeak. Flash isn’t used nearly as often for basic website functions, just for annoying ads and embedded video (and flash ads are a big way to get malware). And I’d say that if a website IS totally built in flash and it’s not for a webcartoon series, it’s a piece of trash and you shouldn’t bother going back again anyway, so it’s no great loss the way blanket blacklisting all javascript is.
I blacklist everything and only temporarily unblock youtube/ytimg/the dope as necessary. If I need to log into an account linked to my real identity I’ll use a different browser.
Browsing with noscript is safer, faster and so much better. More people should do it.
When developing Web sites, making a site completely functional without javascript feels a lot like making a desktop application that still works fine without a mouse. It’s good design to make the features degrade harmlessly when javascript is unavailable and not terribly difficult, but it’s annoying having to accommodate people who defend their privacy by taking a machete to what is now a core component of the Web.
You can turn on Youtube’s HTML5 player instead of Flash - https://www.youtube.com/html5. Years ago you had to opt in. I’m not sure if that’s even true anymore.
WebM is some of the greatest stuff to happen to the web lately. I wouldn’t mind if Flash died a horrible death. Did not know about the Youtube support, thanks.
I use it much like you – allow temporarily. Often that makes the site work enough to see what I want. Otherwise, I often go to the Temporarily Allow All option.
What’s really annoying are the sites where that doesn’t work – one set of javascripts then includes another set of javascripts, which you then have to allow …
Which brings up an enhancement I wish the author of NoScript would include – some websites have pages of scripts listed, and I have to scroll way to the bottom to find the Temporarily Allow All option. I wish that could be moved to a static place on the first page, like just after the main site.
I have very few sites permanently allowed. I’d never do that for SDMB with the ad-based malware that creeps up. I use FF (not sure if it’s available in other browsers) and I keep the NS button in one of my toolbars, so I can do the “temporarily allow all this page” without right clicking and scrolling. It’s handily next to my reload button, so I click the S, then the arrow. Wait. Sometimes repeat.
So I mostly use it for some sites with known security issues, but I find it does make things go smoother and easier. I’m sure I’m missing out on some content here and there, but I’m ok with that. I used to use StumbleUpon a lot and I really liked having it running then because who knew where you would end up. I mean, if I stumbled to a random site with a crazy url like “we’re going to really fuck up your session.biz”, I knew I was as safe as I could be, ending up in internet bad neighborhoods.
I don’t think it’s necessary for everyone, but when you literally go to truly random pages selected for you by strangers, you feel better with an extra layer of protection.
Anywhere I go that I visit regularly and that actually NEEDS Javascript for functionality I actually care about (that latter is an important criteria) is permanently allowed. Otherwise, I’ve gotten very good at cherry picking which ‘sites’ to temporarily allow to get a page working. I almost never use “temporarily allow all” because that’s would enable Google Analytics and Facebook and all the other stupid sites that I deliberately want to block.
Kinda wish they had a “never allow” list.
If there’s a site that I REALLY can’t get to work, I’ll just copy-paste the URL into Internet Exploder.
I surf the web RDP’d into a virtual machine. Every time I exit, the snapshot image reverts to the original settings. It lives in a untrusted VPN and NATs to get outside. (In fairness, everything else on all my networks NATs to get outside.) Then I don’t worry about exposing anything; there’s nothing to expose. Any little infections I might pick up don’t survive the snapshot reset.