Safer Browsing with Google Chrome - No JavaScript (Unless Authorized)

One of the lessons learned from attending DEFCON#18 was that, for a Firefox user, running NoScript is highly recommended. Many of the presenters who talked about Internet browser vulnerabilities mentioned NoScript as a defensive tool to help mitigate the risks they discussed in their presentations.

While I still use Firefox with NoScript a lot, I have also been using Google's Chrome browser more and more on Mac, Windows & Ubuntu. There is no NoScript version for Chrome, but you can turn JavaScript off by default via:

  1. Options (aka Preferences)
  2. Under the Hood tab
  3. Privacy > Content Settings ... button
  4. JavaScript tab
  5. Do not allow any site to run JavaScript
  6. Close button

Once you have turned it off, a 'no JavaScript icon' will show up on the far right-hand side of the Link Box on the first site you hit with JavaScript:

[Image: Chrome no-script icon]

You can now click on that icon and add the specific sites you frequent and trust to a trusted list. You'll need to reload the page to get the exception registered so that the page will display and function as the publisher expected. Here is what Hulu.com says if you go there without JavaScript turned on:

[Image: Hulu no-JavaScript message]

IMHO, this is better than running JavaScript on every site you go to by default.  The best security practice is now to only allow JavaScript on sites you trust and know.  Not perfect but better than the alternative.

P.S. If you use Chrome's Incognito feature with JavaScript turned off, then there appears to be no way to turn on JavaScript for specific sites in Incognito mode except for those already in your approved list.
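
The block-by-default, allow-by-exception setup from the steps above can also be written as a Chrome managed policy rather than set through the dialog. The Python below is an added example, not part of the original post: it builds and audits such a policy with Chrome's `DefaultJavaScriptSetting` and `JavaScriptAllowedForUrls` enterprise policies; the helper names and the sample site list are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Values Chrome defines for the DefaultJavaScriptSetting policy.
JS_ALLOW, JS_BLOCK = 1, 2


def to_pattern(site):
    """Turn a trusted site (bare host or URL) into an exact-host https pattern."""
    site = site.strip().lower()
    if "*" in site:
        raise ValueError(f"wildcards defeat a per-site allow list: {site!r}")
    parts = urlsplit(site if "://" in site else "https://" + site)
    host = parts.hostname
    if parts.scheme != "https" or not host or "." not in host:
        raise ValueError(f"not an https host name: {site!r}")
    # Exact host only: "https://hulu.com" does not cover www.hulu.com.
    return f"https://{host}"


def build_policy(trusted_sites):
    """Block JavaScript everywhere, then allow only the listed hosts."""
    allowed = sorted({to_pattern(s) for s in trusted_sites})
    return {
        "DefaultJavaScriptSetting": JS_BLOCK,
        "JavaScriptAllowedForUrls": allowed,
    }


def audit_policy(policy):
    """Return findings for a policy that is weaker than block-by-default."""
    findings = []
    if policy.get("DefaultJavaScriptSetting") != JS_BLOCK:
        findings.append("JavaScript is not blocked by default")
    for pat in policy.get("JavaScriptAllowedForUrls", []):
        if "*" in pat:
            findings.append(f"wildcard allow entry: {pat}")
        elif not pat.startswith("https://"):
            findings.append(f"non-https allow entry: {pat}")
    return findings


if __name__ == "__main__":
    # Constructed sample list; hulu.com is the site the post mentions.
    policy = build_policy(["hulu.com", "https://www.example.org/login"])
    print(json.dumps(policy, indent=2))
    print(audit_policy({"DefaultJavaScriptSetting": JS_ALLOW,
                        "JavaScriptAllowedForUrls": ["*"]}))
```

On Linux, Chrome reads managed policy JSON files from `/etc/opt/chrome/policies/managed/`, so the printed policy can be saved there as a `.json` file.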