undefined | Better HN

0 pointskibwen8y ago0 comments

> Am I overreacting here?

Still skimming the paper, but the JS attack appears to be processor-intensive (please chime in if you interpret it differently!). Any widespread, indiscriminate use of such an attack in the wild seems like it would eventually be detected as surely as client-side cryptocurrency mining was discovered. If you aren't a valuable target, if you don't visit sites that are shady enough to discreetly mine bitcoin in your browser, and if you use an adblocker to defang rogue advertisers, then you probably shouldn't lose too much sleep over this (which is not intended to diminish how awesome (in the biblical sense) this attack is).

That said, if there were ever a time to consider installing NoScript, now's it: https://addons.mozilla.org/en-US/firefox/addon/noscript/

0 comments

jwilk8y ago

And if you're a web developer, now it the good moment to make sure your site works correctly when JS is disabled.

deckard18y ago

We'll have to dig a time machine out and go back to 1998 then.

I'm being a facetious ass. But you know I'm not wrong, either.

dmm8y ago

You are wrong. Install the NoScript extension and you can see your site without js. NoScript also allows you to selectively enable js per site on a temporary or permanent basis. This is the default way that I and many other people browse the web.

https://noscript.net/

6 more replies

Pyxl1018y ago

I browse with NoScript and quite a lot of the web works just fine, in fact. I can selectively enable JavaScript for sites that need it, and that I trust.

1 more reply

thisacctforreal8y ago

Yes please!

Long live progressive enhancement and graceful degradation.

At least until we get a JS interpreter with proper permission controls and sandbox limits. Something closer to how Lua is embedded sounds nice.

j / k navigate · click thread line to collapse