Bug #1114
[iceweasel] nonprism version does not work lots of websites
Description
With the new nonprism version, a lot of websites are not working. A lot of them say that JavaScript is not working, yet sometimes it works and sometimes it does not.
Example: https://citymapper.com/ does not load
Then Emulatorman told me to set dom.storage.enabled to true. Since then it is better, but not quite working.
Examples:
- https://www.whatismybrowser.com/detect/is-flash-installed says that JavaScript is not activated
- https://framadrop.org/ does not succeed in uploading a file
The first link is full of ugly and possibly dangerous JavaScript, but the second is only free software.
In any case, with those settings the web is not usable. And there is no “deactivate temporarily” button like with NoScript. And since the nonprism repo is above the libre one, there is no way to keep a usable browser other than to ditch the nonprism repository.
Related issues
History
Updated by Anonymous over 7 years ago
- Related to Bug #1113: [iceweasel] reverts to default cookie/addon/popup lists on load added
Updated by g4jc over 7 years ago
Shaac wrote:
With the new nonprism version, a lot of websites are not working. A lot of them say that JavaScript is not working, yet sometimes it works and sometimes it does not.
Example: https://citymapper.com/ does not load
Then Emulatorman told me to set dom.storage.enabled to true. Since then it is better, but not quite working.
Examples:
- https://www.whatismybrowser.com/detect/is-flash-installed says that JavaScript is not activated
- https://framadrop.org/ does not succeed in uploading a file
The first link is full of ugly and possibly dangerous JavaScript, but the second is only free software.
In any case, with those settings the web is not usable. And there is no “deactivate temporarily” button like with NoScript. And since the nonprism repo is above the libre one, there is no way to keep a usable browser other than to ditch the nonprism repository.
Several new patches were introduced to strengthen the [nonprism] iceweasel and protect the end user from security and privacy threats.[1]
As Emulatorman mentioned, the cookie issues on several websites and the HTML5 DOM issues are caused by "dom.storage.enabled = false". This setting is recommended by Tails as well as WildersSecurity[2]. As a user, you can set this back to true and/or use a user.js file in ~/.mozilla to override it permanently, including in future updates. However, it comes with many privacy and security concerns.
- City Mapper only seems to require dom.storage.enabled = true.
- The fact that What is My Browser is unable to detect Flash means that nonprism is doing its job; sites should not be able to identify and exploit installed plugins. JavaScript is enabled, but advanced querying, assembly language, and related low-level JS were disabled.
- FramaDrop uses websockets. Websockets have in the past leaked IP addresses. This would mean users of proxy/VPN/VLAN would have their IP exposed to the website. This setting is controlled by "network.websocket.max-connections". Setting this manually to "5" will be enough to use the page, at the expense of possible IP leakage.
Using [libre] will allow you more features at the expense of your privacy. The real bug here may be figuring out how to not force users of [libre] to upgrade to [nonprism], or to be able to more easily opt out.
[1] Complete list of patches, includes anti-fingerprinting and data leaking resistance: https://git.parabola.nu/abslibre.git/tree/nonprism/iceweasel/vendor.js
[2] http://www.wilderssecurity.com/threads/dom-storage-browser-data-storage-that-can-bypass-the-intent-of-blocking-third-party-cookies.364838/
Updated by g4jc over 7 years ago
- Priority changed from discussion to privacy issue
- Status changed from open to not-a-bug
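For users who wish to opt out of privacy, you can consult user.js[1]; the following options are applicable for the websites mentioned:
// Re-enables DOM storage (needed by City Mapper); undoes the nonprism privacy default
user_pref("dom.storage.enabled", true);
// Integer pref, so the value is unquoted; allows websockets (needed by FramaDrop), at the expense of possible IP leakage
user_pref("network.websocket.max-connections", 5);
[1] http://kb.mozillazine.org/User.js_file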
Closing bug.
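
An added example, not part of the original thread and not Parabola's code: a small audit that reads the text of a user.js file and reports where the two prefs discussed above have been overridden, or given a value of the wrong type. The sample file is constructed, and treating any max-connections value above 0 as "websockets allowed" is an assumption.

```python
import re

# Prefs from this thread: expected type (Firefox defines the first as a
# boolean pref, the second as an integer pref) and a predicate that is true
# when the value relaxes the hardening. "Any value > 0" is an assumption.
WATCHED = {
    "dom.storage.enabled": (bool, lambda v: v is True),
    "network.websocket.max-connections": (int, lambda v: v > 0),
}

PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*'
    r'(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;')

def parse_value(token):
    """Convert a user.js literal (true/false, integer, "string") to Python."""
    if token in ("true", "false"):
        return token == "true"
    if token.startswith('"'):
        return token[1:-1]
    return int(token)

def parse_user_js(text):
    """Return {pref: value}; a later line overrides an earlier one."""
    prefs = {}
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop block comments
    for line in text.splitlines():
        m = PREF_RE.match(line)  # lines commented out with // never match
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def audit(text):
    """List (pref, value, finding) for watched prefs that need attention."""
    findings = []
    for name, value in parse_user_js(text).items():
        if name not in WATCHED:
            continue
        expected, relaxes = WATCHED[name]
        if type(value) is not expected:
            findings.append((name, value, "type-mismatch"))
        elif relaxes(value):
            findings.append((name, value, "hardening-relaxed"))
    return findings

# Constructed sample user.js, not taken from a real profile.
SAMPLE = '''// local overrides
user_pref("dom.storage.enabled", true);
user_pref("network.websocket.max-connections", "5");
// user_pref("network.websocket.max-connections", 200);
user_pref("browser.startup.page", 0);
'''
```

Running `audit()` over each profile's user.js shows which users have opted out of these two settings and whether an override is written with the wrong literal type.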