Surrogates user.js

Some websites were made unusable without JS. Often intentionally, as a mean to coerce a user (and harrass the ones who are not coerced) into allowing the website to use JavaScript - a dangerous remote code execution technology abused in the current Web in order to fingerprint users, track their behavior and detect ad-blockers in order to deny them service and capable to be used to exploit hardware (including microarchitectural) and driver vulnerabilities.

NoScript browser extension used to contain a feature called "surrogates", which allowed users to use some websites written the way that without JavaScript the website cannot operate. The solution was to bring an own small and easy-to-audit piece of JavaScript, that allows a website to operate, just without any JS-implemented unapproved, unexpected or malicious functionality, that the website could have.

When NoScript has migrated from Firefox XPCOM to WebExtensions, this functionality hasn't been ported, though the surrogates are still available in its repo (and here is a PR) with some of my ones).

μBlock also contains something like that, called "scriptlet", but more limited (no conditional inclusion based on noscript state). Here are their scriptlets. The good part of their scriptlets is that they have general-purpose scriptlets.

Of course it really makes no sense to implement this functionality in NoScript itself. There are browser extensions of the cathegory of userscripts managers, which purpose is executing client-stored scripts on webpages. Ideally they should have some interface allowing other browser extensions to control their behavior using their public API. See this and this for more info about the idea and a script that may be helpful. But it is not yet implemented. It is a task for future.

For now our task is to restore surrogate support. The most straightforward way is to just utilize existing userscripts managers.

This repo contains some "surrogates" in a form of *.user.js scripts.

WARNING: If you use ViolentMonkey, replace GM.getResourceUrl of GM with GM.getResourceURL of VM (violentmonkey/violentmonkey#1403) in some surrogates if they don't work.

Here are surrogates for some websites having major flaws in compatibility with the browsers with disabled JS:

Can be benign

Generic ones

• all sites using lazyload (data-src in pics) - just downloads lazyload and runs it.

Site-specific

• facecast.net - A video streaming service. Uses HLS. To get the HLS streams some requests have to be done. And some measurement of user's speed and a ping to select the optimal server for the minimal latency. Currently the surrogate just chooses the first server in the list that have responded within a timeout of 1 second. The surrogate gives you the links you can paste into any player supporting HLS.
• Bing (bing.com) - Bing returns empty results, unless some cookies are set. It seems that the issue is present only for some users. Other users report that for them everything works fine.
• support.microsoft.com - Rendering of some knowledge base pages is done using JS from JSON representation on client side. I see no legit reason not to render that server side.
• visualstudio.microsoft.com - The URIs to binaries are inlined into the page within JS objects and are taken from there. I see no legit reason not to render the links server side.
• FOSSHub - the real direct links are fetched via API and replaced in runtime.
• GosZakupki (Russian government procurement) (zakupki.gov.ru) - almost everything is hidden using CSS when there is no JS. The links are not links, instead some elements have url attribute.
• Googlag Drive file download
• Googlag YouTube - Generates a playable video tag.
• Yandex Disk public links (yadi.sk) - the real links are fetched via API. I see no legitimate reason not to do this server side.
• Yandex Video (video.yandex.ru) - some info is fetched via JS. You need to allow storage.mds.yandex.net and static.video.yandex.net in uMatrix in order to use this!
• habr.com:
  • habr_com_pic_delossy - replaces versions of pics compressed with extreme parameters with less spoiled ones ones.
  • habr_com_pic_deblur - removes client-side blur filters from pics.
  • habr_com_spoiler_fix - expansion of spoilers (with details/summary) has been implemented.
• 4PDA - Replaces spoilers with details/summary
• Hockeypuck Key Server - fixes non-working without client-side JS in GUI of old versions.
• Coursera - Tries to fix the links in the syllabilus and generates a playable video tag on the pages with video. Does the both not very correctly for now.
• SecurityKiss VPN - Allows you to download a config for your WireGuard. 👍
• msi.com - Allows to browse products and download software for them.
• streaming.media.ccc.de
• sociumin.com - Replaces the URIs of the pics with the ones from dataset property. WARNING: Firefox Tracking protection blocks VK API URIs (images). Just rely on uMatrix for more granular blocking.
• data.mos.ru - allows to download few latest versions of the datasets + their descriptions.
• AndroidFileHost - uses JS to download list of mirrors. Contains CloudFlare browser fingerprinting (Picasso) script, but doesn't use CF fingerprinting information anyhow. It can be that it is used by mistake.
• iichan.hk - requires a user to set deletion password for every post. If not set, the setting is done in JS. The js-based setting of the hidden field seems to be never used - the conditions needed for it seem to be never triggered. Since we still have to rely on our JS, I have added automatic derivation of deletion password from the hash.
• Gitea-based websites, including Codeberg - Gitea devs have done a good job ensuring the website works without JS in large part. Unfortunately there are still pieces not working without JS, such as transferring ownership. It is clearly possible to implement it without JS (and I have done the similar job for Hockeypuck)
• proxysite.com - uses JS to redirect to own subdomains, corresponding to different exit servers.
• OpenNet.ru - uses JS for voting and unfolding of hidden comments.
• Wikipedia - Language chooser no longer works without JS as it used to work. It is because of a CSS rule hiding it. If one undoes effects of that rule, it starts working again.

Hall of shame

The following websites obviously intentionally and actively try to disrupt experience of users with JavaScript disabled (discriminate against them):

• ixbt.com (a forum about smart electronics) - JS was used to add the HTML into page. The JS was weakly obfuscated.
• sysadmins.ru (a forum about programming and system administration) - plain text of messages is encrypted using AES-256 in CBC mode. CryptoJS is used as an encryption library. Source of the encryption library was modified a little by modifying the argument used as a key derivation material by taking its slice of from 0 to 5-th characters. The scripts were obfuscated.
• ScienceDirect - This surrogate constructs URI to PDF with the paper from the info embedded into the web page as JSON. Otherwise the link for PDF downloading is unclickable (even for Open Access papers). Elsevier has changed their website. Now the link redirects to a page with JavaScript that must be executed in order to get access to PDF. When JS is disabled, it redirects your browser back via a noscript tag. To_Hex_string(AES256_CBC_Encrypt(iv=generate_random_nonce_bits(128), key=SHA256(UTF8_Encode(challengeKey)), plaintext=UTF8_Encode(challengePlaintext))) is the algorith to generate response. Only after that the website allows us to view PDFs. The main and seemingly the only purpose of this intermediate page is to discriminate against users with JavaScript disabled. the users covered by a paid subscribtion (other ones who have no subscribtion will just get a page requesting sign in)! Elsevier, this is complete disrespect to your paid subscribers 🖕 and such attitude is completely inacceptable. I wish your subscribers to boycott you and cancell all the paid subscribtions. You don't deserve a penny after such an attitude to your paid customers.
• Some Medium-based websites - the article is cut unless a gi= parameter is present in the URI. The content of it can be arbitrary. We generate it randomly and it works.
• Googlag Books - a class html_page_secure_image is applied to the area of image. The image itself has src pointing to a blank image. A separate stylesheet is present nearby setting the background to the right image. It has another class. So the solution is to replace className from html_page_secure_image to html_page_image. And undo the inline stylesheet of the element having the highest priority and setting background image to a non-meaningful image.
• OVD-Info - Some pages contain an unjustified pop-up "preloader" and hide content of using visibility: hidden;. Contains lot of scropts, including one injecting Google Tag Manager.