For anyone considering taking the dive: NoScript takes a bit of time to get used to, but stick with it. You'll build up some things you are happy to whitelist, plus always have the backup option of disabling temporarily within a tab. In a week or two, your new workflow will feel completely natural.
Another user here, and things weren't so smooth. Everytime you reach a new website you'll need to change rules and reload it. It's ok if you're always going to the same sites, but if you always discover new places (and I believe HN participates in that) it's a constant weight to lift. Always useful, but still not natural IME.
It gets a lot easier if you only allow self-hosted JS. Block any JS loaded from a domain other than the one you are actually visiting. If the site I am visiting cannot function properly from self-hosted JS, then I move right along. It has to be a webiste I'm really interested in for me to even consider allowing 3rd party JS.
I've been whitelisting JavaScript since No-Script was new. I've used uMatrix recently but with it's end-of-development[0] I am considering switching back. I grew tired of having some shitty virus dropped to %appdata% for the N-th time loading a web page, exempli gratia [1]
It's gotten a lot more annoying the last several years with 5mb webpages. Backing up the whitelist saves a lot of time.
For perspective, I use 4 separate profiles (--user-data-dir) listed in descending order of how annoying they are for me to use.
1). School browser: Chrome + uBlock origin
2). Shopping/low security (when the payment processor is an iFrame and I don't want to refresh...): Firefox + uBlock origin + CanvasBlocker
3). General browsing like browsing Google or YouTube: Chrome + uBlock Origin + uMatrix
I've gone from 2 browsers (Firefox + IE6) to 4 browsers (Firefox, Chrome1, Chrome2, Chrome3). By 2030 I'll be running 16 browsers in a virtual machine on a remote server that I connect to with my browser browser.
I wish these extensions could integrate with Firefox containers. Work and schools can easily ask people to use new sites which can not avoid and in that case it's best to defer to later day or just not fight with extensions.
I'd recommend uMatrix instead. It largely (completely?) supersedes NoScript, and I find the UI to be much easier to work with. It also has better granularity of exactly what you want blocked/allowed.
It hadn't had a stable release for a year at the point when the repo was archived, because it's more-or-less feature-complete and has no major bugs. 90% of the open github issues [1] were enhancement or documentation requests.
No updates is not necessarily a bad thing. Sometimes things work well enough to leave alone.
I use umatrix all the time and there are multiple sites where it doesn't work. I think part of the problem is that not all requests are actually shown in the drop-down for you to enable them. Maybe a popup or frame causes umatrix to miss it etc. For a blocker where the default mode is "block everything", it makes sense that this failure mode would be the dominant..
Have you used the built-in logger to confirm that it's actually uMatrix and not another extension? I typically have this issue and then find that the fault was with a uBlock filter.
It does! I had to manually disable Javascript in UO settings, which solved the problem for me. FWIW, it doesn't solve the problem at scale, per opt-in / opt-out dynamics. It's a feature worth building into the browser, and setting it to disable JS by default. Make site owners ask for permission to use JS, and they better have a good reason.
Thanks. What is the most common user agent out there?
Sadly, this is of limited use. Defense against fingerprinting is like herd immunity. If everybody else already has a unique fingerprint, there is not much an individual can do to avoid being uniquely identified as well. At most one can spoof one other unique individual. Plus the EFF recommendation is 'latest Chrome on Windows' which is a moving target.
Would be nice if the EFF site in OP would recommend an agent id to spoof to, at least that would help building a small, but non trivial herd of indistinguishable users. And then a popular extension like uBlock Origin would track this agent id and set it by default for all its users.
I use a Chrome extension called "Quick Javascript Switcher". If you click the icon in the bar, it switches JS off/on for the domain - using Chrome's built-in allow/block list for JS.
I honestly could not live without it. At this point I have pretty much every news and recipe site on the internet blocked. Visiting a new site, as soon as I hear my fan spinning up I reach for the "no-JS" button and the page suddenly becomes responsive again.
I'm not quite to the "no JS as default" level but I'm close.
Google themselves admited they are an ad company rather than a search engine company. Why use a browser by a company where their main revenues are ads.
Random browsing => no javascript.
Play a browser game => javascript.
I have this today with Flash, would be nice to have it for all client-side code execution.