The recent flurry of reported Java exploits has incited a massive "Disable Java" campaign. This popular and practical advice is causing considerable confusion for Internet users who dutifully go to disable Java only to encounter something called JavaScript for the first time.
Before you disable JavaScript, understand the difference between Java Technology and JavaScript. Java is a programming language that you'd use to write a program, compile that program, and execute the compiled executable in a virtual machine. The risks from Java are currently very high, and disabling Java is recommended.
JavaScript is a hugely popular language you use to write scripts that run in a browser. There are risks from executing every arbitrary script you may encounter while browsing, so you may wish to consider one of the several methods at your disposal to manage how the Safari browser will process JavaScript. Each of these has benefits and consequences.
How to Disable JavaScript from Safari Preferences
Like disabling Java, disabling JavaScript is straightforward:
Launch Safari
From the Safari menu, pull down and choose Preferences...
Choose the Security tab
Uncheck the box labeled Enable JavaScript
Close the Preferences Window
Disabling JavaScript in this manner is a Draconian measure: all scripts from all visited web pages will be disabled. The benefit from choosing this method is that you will not execute any malicious script you might encounter, but you will also be unable to benefit from any helpful scripts that sites you trust use for interactive purposes (appearance, navigation, forms submission).
How to Disable JavaScript from Safari's Develop Menu
To use the Develop Menu, you'll need to add it to your Menu bar:
Launch Safari
From the Safari menu, pull down and choose Preferences...
Choose the Advanced tab
Check the box labeled Show Develop menu in menu bar
Close the Preferences Window
To disable JavaScript from the menu bar, check Disable JavaScript. Disabling JavaScript will affect any page you have opened and all pages you subsequently visit until you enable JavaScript by unchecking the same item in the Develop menu bar. Apple says that developers can use this feature to "experience how your website will behave for users who have disabled JavaScript." I've used the Develop menu when I'm browsing on a Mac that doesn't have my full kit of Safari extensions and I'm likely to visit an unfamiliar site. If you're a developer or if you are investigating suspicious sites, you'll probably find many of the other features handy as well. If you do choose to use this method, you may want to define a custom Keyboard Shortcut.
How to Disable JavaScript Using a Safari Extension
Another method of managing JavaScript is to install an extension that only permits browser content you trust to execute on your computer. NoScript does this nicely for Firefox but it's not available for Safari. The closest extension to NoScript that I have found to date is JavaScript Blocker.
You can see what scripts a web page asks your browser to execute by clicking on the JavaScript Blocker item in your Safari Toolbar. Mine is set to highlight a count of blocked scripts. Click on the item to see an explanation of how JavaScript Blocker is handling each script it has encountered (Allow/Block).
JavaScript Blocker applies its own whitelist and blacklist rules to assess the scripts your browser encounters when you visit a site. Click on any of the Allowed or Blocked scripts or frames to create your own rule for scripts you encounter, and you'll "train" JavaScript Blocker to know what content you trust. Visit the JavaScript Blocker page to learn about other features. I'm still experimenting with it, so if you find anything really interesting, please post a comment.
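The allow/block behaviour described above can be sketched in a few lines. This is an added example, not code from JavaScript Blocker or from the original post; the rule lists, hostnames and function names are assumptions made for illustration.

```javascript
// Added example: per-domain script rules with default deny.
// All hostnames and rule entries are constructed for illustration.
const RULES = {
  allow: ["cdn.example.net"],      // third parties the user decided to trust
  block: ["tracker.example.org"],  // e.g. a tracking company, forbidden for good
};

// True when host is `domain` itself or one of its subdomains. Matching on a
// label boundary keeps "notcdn.example.net" and "cdn.example.net.evil.test"
// from satisfying a rule written for "cdn.example.net".
function hostMatches(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const d = domain.toLowerCase();
  return h !== "" && (h === d || h.endsWith("." + d));
}

// Decide what to do with one <script src> found on a page.
function decide(pageUrl, scriptSrc, rules = RULES) {
  let page, script;
  try {
    page = new URL(pageUrl);
    script = new URL(scriptSrc, page); // relative src resolves against the page
  } catch {
    return { action: "block", reason: "unparseable URL" };
  }
  const host = script.hostname;
  if (rules.block.some((d) => hostMatches(host, d)))
    return { action: "block", reason: "blocklisted domain" };
  // Simplification: first party means the page's own host or a subdomain of it.
  if (hostMatches(host, page.hostname))
    return { action: "allow", reason: "first party" };
  if (rules.allow.some((d) => hostMatches(host, d)))
    return { action: "allow", reason: "allowlisted domain" };
  return { action: "block", reason: "no rule (default deny)" };
}

// Constructed sample: scripts requested by one page.
const page = "https://www.example.com/article";
for (const src of ["/js/site.js", "https://cdn.example.net/lib.js",
                   "https://tracker.example.org/t.js",
                   "https://cdn.example.net.evil.test/lib.js"]) {
  const { action, reason } = decide(page, src);
  console.log(`${action.padEnd(5)} ${src}  (${reason})`);
}
```

The block list is checked first, so a domain you have forbidden stays forbidden even if a broader allow rule would also match it.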
What scripts should I block?
I explained my strategy for choosing which scripts to trust in my blog post about NoScript and will repeat it here for convenience:
"If I'm familiar with the site and have had a positive experience, I'll trust the scripts associated with the site domain [Note: the screen capture of my site shows that JavaScript Blocker does this, too]. If I'm uncertain, I'll check the scorecard for the domain at MyWot and consider the reputation reported there. If I'm suspicious I submit the domain to VirusTotal and scan to see if the page contains malware. I may Google the domain: if it is a tracking company, I permanently forbid execution."
How to Choose Your Poison
One important difference among all these choices is the degree of granularity each choice affords. You can wash your hands of all JavaScript you encounter, you can micro-manage, or you can let a third party choose for you. You may want to begin by toying with the Develop menu option to "experience" pages you visit with and without JavaScript. Download the Safari extension and see how your experience is affected with default settings. If you choose to keep the extension, be conservative as you add rules that allow scripts.
Even small efforts to enhance security can yield large rewards.