Strypey
@strypey@mastodon.nzoss.nz  ·  activity timestamp last month

#KiwiBank internet banking now comes with DataFarming scripts from 4 different third parties;

* dynatrace.io
* googletagmanager.com
* launchdarkly.com
* qualitrics.com

That's on top of the third-party scripts for the internal notifications, provided by atomic.io.

That's on top of the fact that source code for KB apps is not available to customers under a free license, allowing them to rely on security-by-obscurity instead of security-by-design backed up by peer review.

(1/3)

#privacy

Grant_H
@grant_h@mastodon.social replied  ·  activity timestamp last month

@strypey I'm a big fan of #noscript. It breaks some payment sites, but a second go works.

d@nny disc@ mc² boosted
Federation Bot
@Federation_Bot  ·  activity timestamp 2 months ago

#NoScript 13.5 is out, with many user experience improvements!

The most visible:
- new "cascade permissions" mode
- the onboarding / site classification behavior panel (in the picture)
- many #usability and #security enhancements regarding blocked content and click-to-play

The greatest thanks(giving) to the Open Technology Fund #otf for strenuously supporting NoScript during the past 2 years, especially through the Manifest V3 compatibility ordeal.

https://noscript.net/

A screenshot of the new NoScript Onboarding / Site Classification Behavior page.

Text:

**Site Classification Behavior**

Please select the way NoScript behaves when encountering unclassified sites. You can revisit this choice from the NoScript Options page and whenever you reset NoScript. 

- STRICT / Default Deny

The traditional and most secure NoScript behavior: unclassified sites, marked as "DEFAULT", are NOT considered trusted. Potentially harmful capabilities, including scripts, are disabled. You can manually enable the sites you trust by opening the NoScript interface and marking them as "TRUSTED", or further customize their capabilities by selecting "CUSTOM". Cross-site protections are always enforced.

- EASIER / Auto

A compromise between security and convenience: the top level site, whose address is shown in the navigation bar, is automatically promoted to "Temporarily TRUSTED" unless already manually classified. 3d party sites still need to be classified manually. Cross-site protections are always enforced.

- EASIEST / Default allow

The most relaxed behavior: unclassified top-level sites are promoted to "Temporarily TRUSTED", and capabilities enabled for the top-level site are automatically cascaded to all its 3rd party unclassified sub-resources. Sites already classified as "UNTRUSTED" and "CUSTOM" are not affected. Cross-site protections are always enforced.
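
As an added illustration (not part of the post above and not NoScript's code), the three behaviours in the quoted panel text can be modelled as a small decision function, to see which hosts end up running scripts in each mode. All names, the capability lists and `bank.example` are constructed; letting a manual classification win in every mode, and cascading whatever the top-level site has, are this example's reading of the text.

```javascript
// Toy model of the three behaviours in the quoted panel text. Hypothetical
// names throughout; this is not NoScript's implementation.
const TRUSTED_CAPS = ["script", "media", "frame"]; // constructed capability list
const DEFAULT_CAPS = ["frame"];                    // constructed: no "script"

// manual: Map of site -> { preset: "TRUSTED" | "UNTRUSTED" | "CUSTOM", caps }
function resolve(mode, topSite, site, manual) {
  const own = manual.get(site);
  if (own) {
    // Assumption: a manual classification always wins, in every mode.
    if (own.preset === "TRUSTED") return { preset: "TRUSTED", caps: TRUSTED_CAPS };
    if (own.preset === "CUSTOM") return { preset: "CUSTOM", caps: own.caps || [] };
    return { preset: "UNTRUSTED", caps: [] };
  }
  if (site === topSite) {
    // EASIER and EASIEST promote an unclassified top-level site.
    return mode === "STRICT"
      ? { preset: "DEFAULT", caps: DEFAULT_CAPS }
      : { preset: "Temporarily TRUSTED", caps: TRUSTED_CAPS };
  }
  if (mode === "EASIEST") {
    // Cascade: an unclassified third party inherits the top-level site's caps.
    return { preset: "DEFAULT", caps: resolve(mode, topSite, topSite, manual).caps };
  }
  return { preset: "DEFAULT", caps: DEFAULT_CAPS }; // STRICT and EASIER
}

// Which of the page's sites would be allowed to run scripts in a given mode?
function scriptHosts(mode, topSite, sites, manual) {
  return sites.filter((s) => resolve(mode, topSite, s, manual).caps.includes("script"));
}

// Constructed page: a first-party site loading three third-party script hosts,
// one of which the user has already marked UNTRUSTED.
const TOP = "bank.example";
const SITES = [TOP, "dynatrace.io", "googletagmanager.com", "launchdarkly.com"];
const MANUAL = new Map([["googletagmanager.com", { preset: "UNTRUSTED" }]]);

for (const mode of ["STRICT", "EASIER", "EASIEST"]) {
  console.log(mode.padEnd(8), scriptHosts(mode, TOP, SITES, MANUAL).join(", ") || "(none)");
}
```

In this model only the manually UNTRUSTED host stays blocked under EASIEST, so blocking third-party scripts in that mode depends on classifying each unwanted host explicitly.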
alcinnz boosted
R.L. Dane :Debian: :OpenBSD: 🍵
@rl_dane@polymaths.social  ·  activity timestamp 4 months ago

Me in 2002: Dillo looks nice, and is way faster than Mozilla, but I don't think I can ever use it as my main browser.

Me in 2025: Dillo go brrrrr! XD

#No_JS_No_Problem! XD

#Dillo #DilloBrowser #NoScript #NoJS

Strypey
@strypey@mastodon.nzoss.nz  ·  activity timestamp 5 months ago

@futuresprog
> Sign Green's petition to tell the Minister for Rail, Winston Peters, that you want passenger rail services reinstated!

Done. Let's get this to at least 10,000 signatures. Ideally we could get it to 50,000, which is about 1% of the population.

BTW Very disappointed to see the Greens *still* letting themselves be used by NationBuilder to DataFarm their supporters. But at least I didn't have to run the third-party scripts from a NB domain to sign the petition (thanks #NoScript)

F-Droid
@fdroidorg@floss.social  ·  activity timestamp 5 months ago

Update #1: A user tracked this to having #PrivacyBadger or #uBlockOrigin or #Ghostery extensions installed.

Testing with disabled #uBO made Fennec load pages instantly, but let's be honest, we can't use the Internet without uBlock... 🙄

uBlock issue tracked in: https://github.com/uBlockOrigin/uBlock-issues/issues/3770

chico
@chicob@mstdn.social replied  ·  activity timestamp 5 months ago
@fdroidorg
I'm having issues with #NoScript as well.

Sometimes I need to disable all three of them, sometimes it's just NoScript.

Strypey
@strypey@mastodon.nzoss.nz  ·  activity timestamp 6 months ago

Thanks to the #NoScript plugin I use in my browsers, I just noticed that scripts from at least 2 Goggle domains and at least 1 Cloudflare domain (see screenshots) are being served to people visiting the official enrol to vote website;

https://vote.nz/enrolling/enrol-or-update/enrol-or-update-online/

In the context of the united front formed with the Orange Stalin regime by SillyCon Valley, I find this profoundly disturbing. Official websites should not be serving third-party scripts, especially from known #DataFarmers.

#elections

Screenshot of NoScript showing the primary domain vote.nz, and third-party domains googletagmanager.com and gstatic.com
Screenshot of NoScript showing the primary domain vote.nz, and third-party domain cloudflareinsights.com