Can I avoid javascript on the forum?

Although discourse does require javascript to function, it allows non-js users to interact with it (that way only for the registration is JS ever needed). See:

You can also possibly install a discourse client (mobile app). Currently as I see it, only discourse is FOSS and has a decent UI for modern users’ expectations.

Anything less than this would certainly exclude most non-technical users. That’s how things have been before discourse came along, where only mailing lists were available. My hope is that now there is a lower barrier to entry for new users, even if that’s at the cost of running JS (if one is not willing to use it via mailing list mode).

  1. That’s why we only had mailing lists for many years. The forum is just an extra venue on top of those. If you don’t want to use it, you don’t have to.

  2. As deeplow pointed out, you can also just use mailing list mode with this forum. Then you never have to use JS (or even a web browser). There are frequent posters here who interact with the forum purely via email.

  3. As deeplow pointed out, if there were a better forum option, we would consider using it, but there doesn’t seem to be. So, the choice is between having this forum, having a worse one, or not having one at all. If you wish there weren’t one at all, probably best just not to use it and pretend it doesn’t exist.

  4. It’s a common misconception that Qubes OS is “privacy-centered” in the sense that privacy is the main value it aims to maximize. Rather, the main value it aims to maximize is security. Privacy and security are often complementary, but sometimes they come apart (and, in some cases, are even opposed). We also care a lot about privacy, but our primary focus is security. Read more:

1 Like

This was my assumption until recently. Aside from my disappointment that this forum does not allow users to participate without using javascript (a known risk to both privacy and security), it also does not appear to allow me to read posts if I have javascript completely disabled in Tor Browser. At least, that is what appears to be the case.

Until recently, I would simply set my browsing mode to “Safest” and read various posts in the forum - which led me to assume that no Javascript was needed to passively access content. If I chose to reply, I would ‘bite the bullet’, change my settings to “Safer” and login.

However, I recently changed my about:config settings to Javascript enabled false with the browser mode still set to “Safest” and none of the forum messages were readable. Again, with the same “Safest” setting and Javascript enabled True, forum content is readable.

Can someone help me make sense of this?

It appears that 1) Tor Browser is in fact allowing some amount of Javascript to be executed even in “Safest” mode (perhaps an issue for a different topic) and 2) this forum requires some amount of Javascript in order to passively read content.

Interesting finding.

No. In “safest” mode Tor Browser won’t allow any JavaScript.

I guess, this discourse forum software consults the browser API, if JavaScript is enabled. It then will disable certain features based on the queried config value.

Tor Browser has both an internal and public setting for JavaScript enabled.

You change the internal one via security slider. The public setting javascript.enabled via about:config is always set to true, to have the most common fingerprint possible (most users will have JS enabled).
So please don’t set JS explicitly to false via about:config - that would make your browser fingerprint quite unique.

It seems, discourse forum thinks you have JS enabled (which you have not via Safest security slider) and allows more content than with public JS setting disabled.

1 Like

I guess, this discourse forum software consults the browser API, if JavaScript is enabled. It then will disable certain features based on the queried config value.

Very interesting. And great point about fingerprinting. After more research, it seems that there was a bug with the “Safest” setting that did allow Javascript to be executed, but that has since been patched. It had something to do with a bug in NoScript.

I initially found it odd that the “Safest” setting does not simply change the about:config setting to false. But I suppose it’s better that it’s handled by an “internal” setting to avoid certain types of fingerprinting. Although, it seems that it would still be possible to induce if a browser has Javascript disabled, even if the “public” setting is set to false.

Thanks for the clarification.

Yes, definitely. In the end it’s probably about making it as hard as possible for trackers to distinguish users.

I highly recommend using the forum via mailing list mode. That way no HTML rendering or JavaScript is involved.

You have to use the browser once to create your account and enable the feature in the settings. After that there is no need to ever return to the forum website.

1 Like

I was under the impression that email in general is less private than most options. I will consider that. How many people are subscribed to the email group vs the web forum?

It depends on what the alternate method is (I feel I won’t stick to this forum for a long time, so I use a temporary email for this forum).

I assumed that connecting to the forum via the web was more private using VPN over Tor because everything is encrypted. My understanding is that email is sent with unencrypted headers (at the very least) and possibly the body of each email too (because it’s a group email, not private correspondence). I need to think about this some more.

Might be correct.

This is not a group email.
You basically send the thing you want to post to a bot (at least in this forum, not the qubes-user mailing list) (I guess).

2 posts were split to a new topic: Is it possible to receive encrypted emails from the forum?

@necker wrote:

I was under the impression that email in general is less private than most options.

My understanding is that email is sent with unencrypted headers (at the very least) and possibly the body of each email too (because it’s a group email, not private correspondence).

You are entirely free to connect your user ID to an anonymous email address you only use and interact with via Tor. That way the headers won’t tell anything interesting about where it came from. Regarding the contents of the email: you are aware that EVERYTHING you post to the forum is PUBLICLY AVAILABLE TO EVERYONE without logging in, including search engines??? You are PUBLISHING a post! Is that really unclear?

How many people are subscribed to the email group vs the web forum?

At least 2 (@unman and me), but likely a lot more. I don’t know if @deeplow feels comfortable sharing the exact amount, but also don’t see how this would be an issue.

So it’s possible to PGP encrypt all forum correspondence via email? My key + the “bot” key to sign/verify and encrypt/decrypt?

What on earth could be your reason for even attempting to do so?

Ha! You have a way with words, Sven. I suppose you’re right. I’m aware that my forum posts are public. But they are anonymous because I don’t use this username anywhere else and I am careful about how I connect to this site. I suppose I can do the same with a random email address. I just want to be sure that unencrypted email headers don’t leave a trail of bread crumbs back to my real IP. Keep in mind, I am very unfamiliar with email protocol.

I am sure there are mail services out there that allow you to create an email address without revealing any personal information and accepting bitcoin or maybe even being free. You could then use this service with Thunderbird in a whonix-ws qube. Use that qube for nothing else. Only email with the forum.

OR

Why don’t you just use a disposable whonix-ws with TorBrowser specifically to interact with the forum? That way you can enable JavaScript just for forum.qubes-os.org. You do that by leaving the security setting on “safest” but then adding the NoScript icon to your toolbar (via customize). In there you can then “overwrite” and allow forum.qubes-os.org. Since the qube is disposable and you are not using it for anything else, there is nothing in there that could identify you even if there is a compromise … which won’t persist, because it’s disposable.

2 Likes

Not true. Try opening this in safest and you’ll see it renders everything.

As @sven pointed out, that’s why we have mailing list mode (see the first post of this discussion)

Try opening this in safest and you’ll see it renders everything.

My posts are not readable in the “Safest” setting if about:config is set to “False” for enabling javascript. I incorrectly assumed that something was either wrong with Tor Browser or some sort of scripting was required to display content. Varkya helped clarify the matter, mentioning the possibility that “discourse forum software consults the browser API, if JavaScript is enabled. It then will disable certain features based on the queried config value.”

that’s why we have mailing list mode

Aside from other obvious differences, mailing list mode is not the same group of users and therefore not an equivalent alternative. I appreciate both options and I am grateful for the community as a whole, but the email group appears to have a smaller pool of users and does not see forum content. And while forum users are able to see the contributions of the email group, they are unable to reply to those posts. So they really aren’t two versions of the same thing. They are two different things.

You misunderstand.

  1. There are several mailing lists for Qubes OS. One of them called “qubes-users” is mirrored in the forum under a respective category. This is read only to forum users.

  2. Discourse forum mailing list mode is available to all forum users and is nothing more than the user getting an automated notification email for each and every post that is made to the forum, as well as the ability to hit “reply” in order to post to that thread. There is also a way to start a new thread using specific email addresses. Mailing list users see all posts to the forum and can participate in all threads as well as in private messaging.

I was talking about 2). I use this nearly exclusively. The only times I actually interface with the forum using a browser are to edit a Wiki post or perform some kind of moderator action.

You can see this by the little mail icon on the right next to the posting time in the first line of my posts.

1 Like

Ahh… that makes more sense. Thanks for clarifying.