IIRC Safari achieves this by suspending the processes in background tabs, which could be running inefficient JavaScript (polling for new ads etc). There's no cross-platform way to do this, but I think Mozilla absolutely need to try and find a way to address this. Web sites cannot be trusted to write efficient well-behaved JavaScript and so the burden of taming it falls upon the browser. There is probably some throttling going on, but clearly not enough. Running background JavaScript should be an opt-in permission, not the default.
I see a lot of suggestions to throttle or randomize the cache somehow, and none to stop JavaScript for background tabs. What are the reasons that disallowing background JS might not be preferable? Doesn’t Safari do this by default? And I’m not sure but I imagine that even allowing a background timeslice every once in a while would allow for background notifications and connections while preventing timing attacks?
browsers are pretty limiting on this functionality as is - pretty long timeouts, and firefox/safari have very big indicators explaining how to disable it
Any good defence against this for Safari on macOS?
(There is this javascript blocker, JS Blocker, but when I last used it, the Safari memory usage would explode every other day, to the extent of rendering the machine unusable unless you managed to kill the process very quickly.)
Instead of a permission prompt, Safari could make it so sites that use the Media Session API (https://developers.google.com/web/updates/2017/02/media-sess...) get to run code in the background if they have a media control visible in an active notification. (If the user doesn't want the site to run in the background, then the user could swipe away the media controller notification.)
Edit: Awww, so close. Sadly, I can see Safari still loads all the crap. So I'd still have to disable/enable JS manually, and have other blocking in place for the extraneous requests that don't belong in a reader view. Maybe one day.
I reset Safari on OSX frequently, and do the same with Chrome.
On iOS I run Safari in private browsing mode all the time. Not really to auto-delete cookies (it does that), but because if you have a history of websites and you start typing in the address bar, it attempts to auto-complete the URIs, which freezes Safari for a second, and delays keyboard inputting. Apple doesn't have a time-delay of 1-2 seconds after the previous keystroke, so its auto-complete is really annoying and slows down/breaks the UI. Bookmarks have to be empty too to work.
That said, private-mode iOS Safari crashes a whole lot more than non-private mode. This usually happens on newspaper websites (UI hell) when all of the ad network and javascript widget garbage attempt to load. If you hit Stop-Loading after the article text is loaded, but before that other crap does, it fixes the problem. Funny, but disabling Javascript seems to crash more than leaving it on, but on different websites, likely for different reasons.
There haven't been problems with it in Safari as far as we know. We also do additional throttling at our level in addition to participating in App Nap on a per-tab basis.
This is really interesting because it might be the reason I switch to Safari after using Firefox for years. All I really want is proper site isolation after this.
Agreed. Apple AFAIK allow the user to disable JavaScript in the iOS Safari options http://osxdaily.com/2012/11/18/disable-javascript-safari-ios... and Android browsers have the option too. Maybe the browser designers know something the article writer doesn't: enough people need the option and are smart enough to understand the consequences.
The thing is sites can already do this on chrome (desktop and android) and it hasn’t caused any widespread issues to my knowledge.
Why would adding it to Safari have a different effect? Plus iOS is improving on its notification suppression and its relatively trivial to suppress notifications that aren’t interacted with after some limit.
I remember there being a great Safari extension that blocked this behavior. I wish I knew of something that could do this after Apple nuked their entire ecosystem :(
One of the most brilliant features in the latest versions of Safari are per-website settings for ad blockers, notifications, location, etc. Between those two vulnerabilities and the general obnoxious useage of JS on websites, I’d love to see the addition of a per-website setting for JS. I would personally turn it off by default and only whitelist a handful of websites.
reply