Pokemon Showdown and NoScript

Discussion in 'Pokémon Showdown!' started by david stone, Jun 22, 2012.

  1. david stone

    You can easily get Pokemon Showdown to work with NoScript without compromising your security on other sites.

    First, you need to allow pokemonshowdown.com and http://localhost.

    However, NoScript's ABE (Application Boundaries Enforcer) still does not let Pokemon Showdown work if you are trying to connect to your own private server (by default, http://play.pokemonshowdown.com/~~localhost:8000/lobby). Fixing this requires slightly smarter options. You can disable ABE entirely, or, preferably, go into your NoScript options, then Advanced->ABE. Where it says "Rulesets:", select SYSTEM, then at the beginning of the text box, add these lines:

    # Pokemon Showdown Exception
    Site 127.0.0.1
    Accept from play.pokemonshowdown.com

    You can now connect to your own server without compromising the security offered by NoScript (except on the PS site, but you're already running their code on your system if you are running your own server).
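
An added illustration, not part of the original post and not NoScript's code: a simplified Python model of ABE rule evaluation, showing why the exception goes at the beginning of the SYSTEM ruleset and how narrowly it is scoped. The first-match semantics, the literal host comparison (no DNS resolution) and all function names are assumptions of this model.

```python
import ipaddress
from urllib.parse import urlsplit
# NoScript's stock SYSTEM rule and the exception from the post (constructed strings).
DEFAULT_SYSTEM = """# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
"""
PS_EXCEPTION = """# Pokemon Showdown Exception
Site 127.0.0.1
Accept from play.pokemonshowdown.com
"""
PS = "http://play.pokemonshowdown.com/"
OWN_SERVER = "http://127.0.0.1:8000/"  # private server on loopback, port from the post

def is_local(host):
    """LOCAL keyword in this model: localhost, loopback or private-range IPs."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; this model does no resolution
    return ip.is_loopback or ip.is_private

def matches(pattern, host):
    return is_local(host) if pattern == "LOCAL" else pattern == host

def parse(text):
    rules = []  # [(site_patterns, [(action, origin_patterns or None)])]
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "Site":
            rules.append((words[1:], []))
        else:  # "Accept from X ..." or a bare "Deny" (None = any origin)
            rules[-1][1].append((words[0], words[2:] or None))
    return rules

def decide(ruleset, origin_url, target_url):
    """Assumed semantics: first predicate that matches, top to bottom, wins."""
    origin, target = urlsplit(origin_url).hostname, urlsplit(target_url).hostname
    for sites, predicates in parse(ruleset):
        if any(matches(s, target) for s in sites):
            for action, origins in predicates:
                if origins is None or any(matches(o, origin) for o in origins):
                    return action
    return "Accept"  # no ABE rule applied to this request
```

In this model, `decide(PS_EXCEPTION + DEFAULT_SYSTEM, PS, OWN_SERVER)` is accepted, while the same request with the exception appended after the stock rule, any other Internet origin reaching 127.0.0.1, or the PS site reaching a different LAN address are all still denied.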
  2. Arcticblast

    I'm sure this is awesome, but forgive my ignorance... What exactly is NoScript?
  3. Zarel

    It's a browser extension used by paranoid people. ;)

    Well, it's quite a legit thing that improves your security in many ways, including, by default, disabling JavaScript entirely, and there's a lot of disagreement about whether or not it's overkill.

    It's also the bane of web developers everywhere. >:(
  4. david stone

    If you look at the security vulnerabilities in Firefox (and really any other web browser), you will find that almost all of them require scripting to work. NoScript turns off scripting for almost all sites by default, and you have to selectively allow which sites you want to allow to run scripts. It also has a few other security improvements.
  5. verbatim

    Tell me, would this have any Skarmpiss implications? He's not going to get through to us either way, but I'm wondering if this could eliminate the time our developers would need to put in to remove him.
  6. jumpluff

    It can't for a number of reasons, but most simply for the fact that NoScript is an optional browser addon. There's no way you can assume people will have it installed.
  7. Zarel

    If you look at the causes of deaths at swimming pools, you will find that almost all of them involve drowning. By making swimming illegal, you would reduce the mortality rate at swimming pools immensely.

    Your argument, as well as the one above, suffers from the base rate fallacy - the idea that since most attacks are caused by JavaScript, you overestimate the proportion of uses of JavaScript that are attacks, to the point where you would disable it.

    Also relevant: The most common attack vectors to computers tend to be Flash and PDF. NoScript blocks those, too, but it doesn't need to block my precious precious JavaScript in the process. D:

    edit: In all seriousness I don't have that much against NoScript... it just makes my life difficult.
  8. david stone

    I don't believe that most uses of JavaScript are attacks. However, most uses of JavaScript are not useful to me, and I actually prefer my browsing experience with NoScript.

    I view NoScript the same as I view a firewall. Once upon a time, firewalls had all ports open, and systems administrators would check logs if something suspicious happened and block particular ports / IPs. Now we've realized that for security, that is a horrible idea, so modern firewalls close all ports and deny everything, and we specifically open up / turn on those services we want.

    The only model of security that makes sense with today's software is to assume that all software is insecure, and trust as little as possible.