Pokemon Showdown and NoScript

obi

formerly david stone
is a Site Content Manager Alumnusis a Programmer Alumnusis a Senior Staff Member Alumnusis a Smogon Discord Contributor Alumnusis a Researcher Alumnusis a Top Contributor Alumnusis a Battle Simulator Moderator Alumnus
You can easily get Pokemon Showdown to work with NoScript without compromising your security on other sites.

First, you need to allow pokemonshowdown.com and http://localhost.

However, NoScript's ABE (Application Boundaries Enforcer) still does not let Pokemon Showdown work if you are trying to connect to your own private server (by default, http://localhost:8000). Fixing this requires a little bit smarter options. You can disable ABE entirely, or, preferably, go into your NoScript options, then Advanced->ABE. Where it says "Rulesets:", select SYSTEM, then at the beginning of the text box, add these lines

# Pokemon Showdown Exception
Site 127.0.0.1
Accept from localhost.psim.us

You can now connect to your own server without compromising the security offered by NoScript (except on the PS site, but you're already running their code on your system if you are running your own server).
 
Last edited:

Zarel

Not a Yuyuko fan
is a Site Content Manageris a Battle Simulator Administratoris a Programmeris a Pokemon Researcheris an Administrator
Creator of PS
It's a browser extension used by paranoid people. ;)

Well, it's quite a legit thing that improves your security in many ways, including, by default, disabling JavaScript entirely, and there's a lot of disagreement about whether or not it's overkill.

It's also the bane of web developers everywhere. >:(
 

obi

formerly david stone
is a Site Content Manager Alumnusis a Programmer Alumnusis a Senior Staff Member Alumnusis a Smogon Discord Contributor Alumnusis a Researcher Alumnusis a Top Contributor Alumnusis a Battle Simulator Moderator Alumnus
If you look at the security vulnerabilities in Firefox (and really any other web browser), you will find that almost all of them require scripting to work. NoScript turns off scripting for almost all sites by default, and you have to selectively allow which sites you want to allow to run scripts. It also has a few other security improvements.
 

verbatim

[PLACEHOLDER]
is a Smogon Discord Contributoris a Battle Simulator Moderatoris a Battle Simulator Admin Alumnusis a Community Leader Alumnus
Tell me, would this have any Skarmpiss implications. He's not going to get through to us in either way, but I'm wondering if this could eliminate the time our developers would need to put in to remove him.
 
It can't for a number of reasons, but most simply for the fact that NoScript is an optional browser addon. There's no way you can assume people will have it installed.
 

Zarel

Not a Yuyuko fan
is a Site Content Manageris a Battle Simulator Administratoris a Programmeris a Pokemon Researcheris an Administrator
Creator of PS
If you look at the security vulnerabilities in Firefox (and really any other web browser), you will find that almost all of them require scripting to work. NoScript turns off scripting for almost all sites by default, and you have to selectively allow which sites you want to allow to run scripts. It also has a few other security improvements.
If you look at the causes of deaths at swimming pools, you will find that almost all of them involve drowning. By making swimming illegal, you would reduce the mortality rate at swimming pools immensely.

Your argument, as well as the one above, suffers from the base rate fallacy - the idea that since most attacks are caused by JavaScript, you overestimate the proportion of uses of JavaScript that are attacks, to the point where you would disable it.

Also relevant: The most common attack vectors to computers tend to be Flash and PDF. NoScript blocks those, too, but it doesn't need to block my precious precious JavaScript in the process. D:

edit: In all seriousness I don't have that much against NoScript... it just makes my life difficult.
 

obi

formerly david stone
is a Site Content Manager Alumnusis a Programmer Alumnusis a Senior Staff Member Alumnusis a Smogon Discord Contributor Alumnusis a Researcher Alumnusis a Top Contributor Alumnusis a Battle Simulator Moderator Alumnus
I don't believe that most uses of Javascript are attacks. However, most uses of Javascript are not useful to me, and I actually prefer my browsing experience with NoScript.

I view NoScript the same as I view a firewall. Once upon a time, firewalls had all ports open, and systems administrators would check logs if something suspicious happened and block particular ports / IPs. Now we've realized that for security, that is a horrible idea, so modern firewalls close all ports and deny everything, and we specifically open up / turn on those services we want.

The only model of security that makes sense with today's software is to assume that all software is insecure, and trust as little as possible.
 

Users Who Are Viewing This Thread (Users: 1, Guests: 0)

Top