[liberationtech] Another loss for the Internet

[Mustafa Al-Bassam]

On 19/02/14 20:56, Mitar wrote:
> This change effectively allows a website to prevent bookmarklets from
> working. In essence, content providers can prevent users to execute
> their own bookmarklets and change how website behaves. It requires
> users to use extensions and not simple scripts.

Interestingly Mozilla Firefox has since 2009 allowed website which
implement Content Security Policy (CSP) to prevent users to execute
their own bookmarklets - albeit by mistake!
https://blog.mozilla.org/security/2009/06/19/shutting-down-xss-with-content-security-policy/#comment-105895

Before a bug fix, even Firebug was subject to CSP:
http://code.google.com/p/fbug/issues/detail?id=6291

Facebook have also implemented something similar (not using CSP) for
webkit browsers (namely Google Chrome). They are using the browser's
console API to prevent JavaScript execution in the developer console.
https://stackoverflow.com/questions/21692646/how-does-facebook-disable-browsers-integrated-developer-tools

On 19/02/14 23:39, Gregory Maxwell wrote:
> There are other ways of dealing with fringe liabilities, go insure
> against it— for example.  Shackling the users control of their own
> devices and their own experience on the internet shouldn't be an
> acceptable solution.
> 

The 5th principle of the Mozilla manifesto is "Individuals must have the
ability to shape the Internet and their own experiences on the
Internet". It will be interesting to see what may happen if web
specifications which contradict the principle are approved. I speculate
that it may be argued that the principle is still upheld as CSP can
trivially be disabled in the config.
https://www.mozilla.org/en-US/about/manifesto/

--
musalbas
https://twitter.com/musalbas