Archive for the Mozilla Category

As a result of recent changes in Xmarks you may experience some problems if you’re also a NoScript user.

Xmarks’ login dialog and setup wizard ask you to “Allow JavaScript on login.xmarks.com”, or come out broken as raw HTML source. You cannot exit the dialog (the browser seems stalled), and even if you manage to, you discover that allowing login.xmarks.com or even the whole of xmarks.com does not help.

The solution

  1. Use the “Esc” key to exit the dialog
  2. Click the NoScript icon and look in the “Recently blocked sites” submenu.
  3. Select Allow googleapis.com, Allow xmarks.com or both (whatever you find there).

Alternatively, you can open NoScript Options|Whitelist and manually allow xmarks.com and googleapis.com. Looks like the Xmarks folks overlooked the need of allowing the latter.

Extensions developers!

More generally, extension developers who need some web site to be allowed in NoScript for their extension to work may want to use code like this:

// Only proceed if NoScript is installed
if ("@maone.net/noscript-service;1" in Components.classes) {
  let ns = Components.classes["@maone.net/noscript-service;1"]
    .getService().wrappedJSObject;

  // Keep only the sites which are not allowed yet
  let myWhitelist = ["xmarks.com", "googleapis.com"]
    .filter(function(s) {
      return !ns.isJSEnabled(s);
    });

  if (myWhitelist.length > 0) {
    let prompt = Components.classes["@mozilla.org/embedcomp/prompt-service;1"]
      .getService(Components.interfaces.nsIPromptService);
    // Ask the user for explicit consent before touching the whitelist
    if (prompt.confirm(null, "Xmarks Permission Request",
        "Xmarks needs to add\n" + myWhitelist.join(" and ") +
        "\nto your NoScript whitelist.\nProceed?")) {
      ns.setJSEnabled(myWhitelist, true);
    }
  }
}

I’m quite surprised (albeit happy) to see a capitalist corporation actually contributing to social progress, and with a politically bold move, rather than with the usual hairy tax-deductible alms.

But after all Mozilla itself is a foundation, but a corporation too, isn’t it?

Interesting times we’re living in…

“I’ve always considered myself a quiet non-believer, because atheism as a public militancy seemed useless to me, but now I’m changing my mind. The reactionary insolence of the catholic church needs to be answered with the insolence of lively intelligence, of reason, of the responsible word. We can’t let the truth to be offended everyday by the self-proclaimed representatives of god on earth, whose only real interest is power. The church doesn’t care about the destiny of souls, what it has always pursued is control over the bodies. Reason can be an ethics. Let’s use it.”

José Saramago, interviewed by Paolo Flores D’Arcais on the October 14th 2009 issue of “Il Fatto Quotidiano”.

Well, already a dozen requests today only.

Unfortunately, Safari 5’s support for extensions looks even more limited than Chrome’s.

So, no NoScript (nor FlashGot, nor any half decent ad blocker*, for the matter) as a Safari extension for the foreseeable future…

* Looks like ad blockers are actually possible, see Dave Hyatt’s comment below. Documentation of this feature is deeply buried inside a completely unrelated “Messages and Proxies” chapter, but whatever. NoScript is a very different beast though, and infrastructure to port just does not exist (yet?) :(

On his blog, Wladimir Palant complains about Google providing browser users with a not effective enough way to opt-out from Google Analytics.

Specifically, he doesn’t like how the Google Analytics Opt-out Browser Add-on actually allows Google Analytics scripts to load and run, just setting a global variable (_gaUserPrefs) in the hosting page which tells the code not to send back data.

This approach is inherently flawed, because the hosting page can easily force Google Analytics to run by simply overwriting the aforementioned _gaUserPrefs variable.

Worse, the _gaUserPrefs variable is automatically added to every single page you load. Hence, the very fact that you’re using this “opt-out” add-on can be easily detected if you keep JavaScript enabled, adding some extra points to your unanonymity score. Something like

if (typeof _gaUserPrefs !== "undefined") alert("You hate Google Analytics, don’t you?")

can make a nice test to update the Panopticlick suite with, singling out privacy concerned persons.

However, the original sin is that the Google Analytics script is still being downloaded and executed, and if you find this questionable from a security/privacy perspective, then the Google Analytics Opt-out Browser Add-on serves no purpose.

Wladimir’s post initially advertised his own extension as a better solution, but later he had to retract:

Still, until Google can come up with something better I recommend people to use Adblock Plus with EasyPrivacy filter subscription, that’s the easy and reliable solution (check the update below).

Update: Sorry, that last part wasn’t entirely correct — EasyPrivacy doesn’t block Google Analytics script either, due to many websites being broken without it as mentioned above.

True, if you block Google Analytics’ script by using a proxy, a firewall, a hosts file or Adblock Plus with an ad-hoc filter, many sites are going to break because they depend on JavaScript objects provided by Google Analytics. They integrate GA calls within essential functionality, such as link and button event handlers or even initialization routines, and they fail more or less dramatically when the script is missing. Sad, silly but true.

This is no news (and no problem) at all for NoScript users, though: in fact, almost a year and a half ago, this very issue prompted the development of NoScript’s Script Surrogates feature, which prevents the breakage by “emulating” the blocked script with dummy replacements. This means that NoScript users have Google Analytics blocked by default, with no site-breaking side effects.

So, until Google can come up with something better I recommend people to use the reliable and easy solution ;)
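To make the “dummy replacements” idea concrete, here is an added sketch (not NoScript’s actual surrogate code) of a stand-in for the legacy Google Analytics globals, run against a plain object `win` that plays the role of the page’s window. The handler, the `navigatedTo` property and the account ID are constructed for illustration.

```javascript
// Added example: a minimal surrogate for the legacy Google Analytics API.
// Only _gat, _gaq and urchinTracker are real GA globals; every other name
// here is hypothetical.
function installGaSurrogate(win) {
  const noop = function () {};
  // Any method looked up on the tracker resolves to a no-op, so calls such as
  // tracker._trackPageview() or tracker._trackEvent(...) succeed and send nothing.
  const tracker = new Proxy({}, { get: () => noop });
  win._gat = { _getTracker: () => tracker, _getTrackerByName: () => tracker };
  win.urchinTracker = noop;
  // Async API: pages queue command arrays, but also plain functions which they
  // expect to be executed. Drop the commands, run the functions.
  const queued = Array.isArray(win._gaq) ? win._gaq : [];
  win._gaq = {
    push(...items) {
      for (const item of items) if (typeof item === "function") item();
      return 0;
    },
  };
  win._gaq.push(...queued); // replay whatever was queued before we got here
  return win;
}

// Constructed sample: site code wiring GA calls into an essential handler.
function checkoutHandler(win) {
  const pageTracker = win._gat._getTracker("UA-XXXXX-X"); // placeholder ID
  pageTracker._trackEvent("cart", "checkout");
  win._gaq.push(["_trackPageview"], function () {
    win.navigatedTo = "/checkout"; // the part the user actually cares about
  });
  return win.navigatedTo;
}

// Runs the handler and reports either its result or how it broke.
function tryHandler(win) {
  try {
    return checkoutHandler(win);
  } catch (e) {
    return "broken: " + e.name;
  }
}

console.log(tryHandler({}));                     // GA blocked, no surrogate
console.log(tryHandler(installGaSurrogate({}))); // GA blocked, surrogate in place
```

With the script merely blocked the handler dies before reaching its real work; with the surrogate it completes and no tracking call ever leaves the page.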
