Shaac wrote:

With the new nonprism version a lots of websites are not workings. A lot of them say that javascript is not working, but yet sometimes it works, sometimes it does not.

Exemple: https://citymapper.com/ does not load

Then Emulatorman told me to set dom.storage.enabled to true. And since it better, but not quite working.

Exemples:
- https://www.whatismybrowser.com/detect/is-flash-installed says that javascript is not activated
- https://framadrop.org/ does not succeed to upload a file

The first link is full of ugly and possibly dangerous javascript, but the second is only free software.

In an cases, with those settings the web is not usable. And there is no “desactive temporary” button like with noscript. And since the nonprism repo is above the libre one, there is no other way to keep a useable browser other that to ditch the nonprism repository.

Several new patches were introduced do strengthen the [nonprism] iceweasel and protect the end user from security and privacy threats.[1]

As Emulatorman mentioned, the setting that causes cookie issues on several websites and HTML5 DOM issues is caused by "dom.storage.enabled = false". This setting that is recommended by Tails as well as WildersSecurity². As a user, you can set this back to true and/or use a user.js file in ~/.mozilla to override permanently, including in future updates. However, it comes with many privacy and security concerns.

- City Mapper only seems to require dom.storage.enabled = true.
- The fact What is My Browser is unable to detect flash means that nonprism is doing it's job, sites should not be able to identify and exploit installed plugins. Javascript is enabled, but advanced querying, assembly language, and related low-level JS was disabled.

- FramaDrop uses websockets. Websockets have in the past leaked IP addresses. This would mean users of proxy/VPN/VLAN would have their IP exposed to the website. This setting is controlled by "network.websocket.max-connections". Setting this manually to "5" will be enough to use the page, at the expense of possible IP leakage.

Using [libre] will allow you more features at the expense of your-privacy. The real bug here may be figuring out how to not force users of [libre] upgrade to [nonprism], or to be able to more easily opt-out.

[1] Complete list of patches, includes anti-fingerprinting and data leaking resistance: https://git.parabola.nu/abslibre.git/tree/nonprism/iceweasel/vendor.js
[2] http://www.wilderssecurity.com/threads/dom-storage-browser-data-storage-that-can-bypass-the-intent-of-blocking-third-party-cookies.364838/