Project

General

Profile

[Idea]: JavaScript Migitation

Added by stein chen over 1 year ago

Own tests have shown that many benign websites rely on third-party domains for harmless passive content (e.g. stylesheets and images) only, so to vastly reduce breakage of those sites a simple filter rule, such as

*$third-party,script

would be sufficient. If this rule could be implemented as a "medium" entry in e.g. the ultra-privacy setting (between off|on) then users would be able to make exceptions via domain-settings for the odd website which needs 3rd-party JavaScript for login purposes. Having the "medium" setting activated would also reduce the potential damage done (fingerprinting, etc.) if users which are having trouble opening the bookmarks drawer and therefore have to use the 3-dot menu when they inadvertedly press the global JavaScript on|off button to the left of it.

Personally, i would very much like this to be implemented, but thought it to be politer hearing your opinion first before posting it as a feature request.

steinchen


Replies (1)

RE: [Idea]: JavaScript Migitation - Added by Soren Stoutner over 1 year ago

I generally like this idea. Below are a few thoughts that relate to it.

1. Android's WebView does not expose the information to block only scripts. Specifically, resource requests are not identified if they are scripts or not. This limitation could be removed with Privacy WebView in the 4.x series. There is some more information at https://www.stoutner.com/privacy-browser-android/filter-lists/.

2. There is a planned feature request for users to be able to add their own filter lists. See #181, and also #180 and #182. Once issue 1 above is resolved, users could easily add *$third-party,script to their personal filter list.

3. It would be possible to add a half-baked solution in the current code. Even though resource requests are not identified by type, the URL is provided. That URL can be checked to see if it is third-party and if it ends in .js. Not all third-party scripts are accessed with URLs that contain their names, and scripts do not actually need to have a name that ends in .js so this wouldn't catch everything, but it would catch a significant number of third-party scripts. This might be worth implementing before 1 and 2 have been fixed as it would be fairly easy to do.

I have created a feature request for item 3 at #1056. You can leave any comments there if you like.

    (1-1/1)