Is there a Lemmy server/way that doesn't require allowing javascript of a million other servers?
So, I am one of those old school types who mains with Firefox and Noscript. And also a filthy casual that just goes on lemmy.world. But half the images are broken because I'm expected to allow scripts on like 30+ sites to see most of the posts. I'm literally expected to allow /all/ the scripts from a domain just so I can see a dang picture behind the thumbnail. That's the entirety of the scripting needed. That seems ridiculous. Is there, I don't know, a server/way that makes it so I don't have to blanket allow all these scripts? To put it in meme form (not sure I'm doing it right, never seen the show): "It's an image of a banana Michael, what should it take, one Raspberry Pi running Docker?"
[EDIT 6/1/25 - thanks to everyone who commented on this. Screenshots: lemmy.world/comment/17403335 ]
For posterity. This is from today.Environment
Firefox Browser 139.0.1 (64-bit)
NoScript 13.0.8
All other extensions disabledA broken image, from Active on lemmy.world. Notably by a user named "Docker".
My noscript settings.
Shimitar
in reply to awbvious • • •naught101
in reply to Shimitar • • •like this
xep likes this.
Shimitar
in reply to naught101 • • •Ashtear
in reply to Shimitar • • •Absolutely. The vast majority of my sites do just fine when whitelisting only the primary domain. I consider it an essential add-on myself.
Lemmy is one of the few that needs a little babysitting, and it's only for the purpose OP stated.
like this
xep likes this.
Shimitar
in reply to Ashtear • • •Is it a pleasant experience?
awbvious
in reply to Shimitar • • •So, I agree with everything the other responders are saying. Whitelist the primary domain (and maybe a cdn domain that is hopefully nicely labeled) and a decent site should play decently. But it is also that I (generally) know when to pick my battles--or I at least keep my pointless battles to a small scope and fairly sporatic.
I'm asking for a solution to this from the lemmy community, not reddit or a big corposite. They would want a single domain or a few domains for opposite reasons than making the user happy: they would want to control the user experience and ensh**tify via dark patterns. I do not think we should need to blanket allow scripts from dozens of sites just to see images, that's the scope of this mini-battle I do not plan to fight beyond this post. I mention ensh**tification because I just happened to see this thetyee.ca/Culture/2025/05/26/… on this
... show moreSo, I agree with everything the other responders are saying. Whitelist the primary domain (and maybe a cdn domain that is hopefully nicely labeled) and a decent site should play decently. But it is also that I (generally) know when to pick my battles--or I at least keep my pointless battles to a small scope and fairly sporatic.
I'm asking for a solution to this from the lemmy community, not reddit or a big corposite. They would want a single domain or a few domains for opposite reasons than making the user happy: they would want to control the user experience and ensh**tify via dark patterns. I do not think we should need to blanket allow scripts from dozens of sites just to see images, that's the scope of this mini-battle I do not plan to fight beyond this post. I mention ensh**tification because I just happened to see this thetyee.ca/Culture/2025/05/26/… on this old.lemmy.world/?sort=Hot&list… (thanks, above suggester for reminding me of old.lemmy).
[Note, I censored those letters. I've been told you can swear on the internet, though.] One of my "old man yells at cloud" moments of late is when I have to deal with a very small company forcing an app down my throat when a website will do and the using of that company/service (and thus app) is being forced upon me by outside forces. If it's a small enough company, I will go through too many emails back and forth with their "CTO" telling them why it's a problem and why they should just have an app (a site that, yes, almost certainly would need javascript). Because that's the small act of protest some of us should be doing in my mind. That way the next time someone thinks, hmm, we could just do an app and only offer it, they'll then think, naw, there's going to be that one annoying customer, not worth it. Same with this issue, for me at least. I don't see why we /have/ to run javascript on secondary sites just to have a thumbnail and a resulting image. And I'm posing this, again, on lemmy not reddit. So, consider this my allowing myself a brief moment to yell at a cloud.
[EDIT: Escaped my asterisks. I worried there would be automatic markdown, but I didn't see the Preview button.]
Sintra
in reply to awbvious • • •asudox
in reply to awbvious • • •GitHub - rystaf/mlmym: a familiar desktop experience for lemmy
GitHubgedaliyah
in reply to asudox • • •Blaze (he/him)
in reply to gedaliyah • • •lemmy.zip
old.lemmy.zipbdonvr
in reply to Blaze (he/him) • • •old.thelemmy.club/
Unfortunately with Lemmy 1.0 MLMYM (the software used to provide this UI) will have to be shutdown, unless the MLMYM dev re-appears or someone forks and maintains it.
thelemmy.club
old.thelemmy.clubBlaze (he/him)
in reply to bdonvr • • •e0qdk
in reply to bdonvr • • •MrKaplan already forked it and is keeping it on life support for lemmy.world. I've been trying to make enough sense of it to fix several issues that have been bugging me for a while, and will contribute my fixes there if I can figure them out.
I've only got a few hours each weekend where I have good concentration + enough free time to work on it, and don't know the relevant languages (Go, Rust, TypeScript), so my progress is pretty slow... but I'm still poking at it.
GitHub - Fedihosting-Foundation-Forks/mlmym: a familiar desktop experience for lemmy
GitHubbdonvr
in reply to e0qdk • • •Wow thanks for the info and the work. I don't use it much since 99% of my Lemmy use is on mobile and I prefer stock Lemmy for admin stuff, but I know at least a few of my users use it.
I'm going to see if that fork is something I can just drop in the docker compose file. That'll be awesome if so.
Do they intend to make it 1.0 compatible or is this beyond the scope right now?
e0qdk
in reply to bdonvr • • •MrKaplan
in reply to e0qdk • • •Blaze (he/him)
in reply to e0qdk • • •awbvious
in reply to gedaliyah • • •e0qdk
in reply to awbvious • • •pictrs's thumbnail parameter uses dumb raw pixel sampling -- which leaves something to be desired... It has other sampling options implemented (with
resize, according to the docs), but they don't seem to accessible on my instance. You can removethumbnail=96if you want to get the image without that thumbnail sampling, at least.I do this with my browser's UI (ctrl-plus keyboard shortcut in FF-based browsers works for me).
[...document.querySelectorAll(".side")].forEach(sidebar => sidebar.remove())You could also just adblock the element with class
side.awbvious
in reply to e0qdk • • •Hey, that sounds like a great idea, I bet I could add that to ublock origins. And, yeah, zoom via ctrl plus is what I do (I'm not sure if it is remembered between sessions). As for the side bar, it does not bother me, it was just as an example of what an extension theoretically could do. Honestly, another extension should not be needed. Instead a lemmy /c/ or other repository for user hacks would be nice that you could put into ublock origins or other DOM manipulator. That removing thumbnail sampling looks awesome, will try it out next time I'm on desktop.
Rimu
in reply to awbvious • • •Yes.
PieFed uses very minimal javascript (it 95% works with JS entirely disabled) and you can access all the same communities and posts.
Try it at piefed.social or any of these other instances - join.piefed.social/try
Try PieFed - PieFed
PieFedlike this
aasatru, Fitik and TVA like this.
Trinsec
in reply to Rimu • • •Rimu
in reply to Trinsec • • •Voting, lol. Kinda important.
Dropdown menus. They're not really needed but life sucks without them.
Can't manually switch between dark and light mode (only automatically based on browser settings).
There's probably more but I haven't seriously tried to use PieFed for long without JS. Fundamentally it's built HTML and CSS first, with sprinkles of JS added on for funsies rather than the modern way of being all about JS.
like this
Fitik and TVA like this.
foggy
in reply to Rimu • • •Today:
... show more
Today:
e0qdk
in reply to Rimu • • •You could support this by making vote buttons submit a form if JS isn't enabled. (That's what mlmym does.)
Hmm... There are some pretty nifty things you can do with a hidden checkbox, label, and some clever CSS (e.g.
html:has(#element:checked)+ CSS variables -- though FYI:hasis baseline 2023.)Making it persistent would require some more effort -- e.g. form + cookies + server side style sheet selection, most likely. mlmym lets users change their theme w/o JS by submiting a form on the setting page. I'd have to think a bit if there's a good way to make it persistent across multiple requests for logged out users with a CDN caching things in between though...
... show moreDoesn't actually work for me in a FF138-based browser w/ JS blocked via NoScript -- I always get light mode despite having a dark mode preference set. (Where do you have your
prefers-coYou could support this by making vote buttons submit a form if JS isn't enabled. (That's what mlmym does.)
Hmm... There are some pretty nifty things you can do with a hidden checkbox, label, and some clever CSS (e.g.
html:has(#element:checked)+ CSS variables -- though FYI:hasis baseline 2023.)Making it persistent would require some more effort -- e.g. form + cookies + server side style sheet selection, most likely. mlmym lets users change their theme w/o JS by submiting a form on the setting page. I'd have to think a bit if there's a good way to make it persistent across multiple requests for logged out users with a CDN caching things in between though...
Doesn't actually work for me in a FF138-based browser w/ JS blocked via NoScript -- I always get light mode despite having a dark mode preference set. (Where do you have your
prefers-color-schememedia query?)Also, FYI I had to manually override font restriction -- otherwise all your buttons end up as tofu characters. (I think NoScript is being kind of unreasonably strict there by blocking first party fonts.) That's a papercut kind of issue, but figured I'd point it out in case it might save you some debugging time if you get confused NoScript users in the future.
Rimu
in reply to e0qdk • • •Yeah I think it'd be worth getting the voting buttons working, those are pretty key functionality.
The icons being stored in a font is kinda problematic (some browsers choke, large font file) but on the other hand it's so great being able to set the color of them in CSS, which I found difficult when they are a SVG.
awbvious
in reply to Rimu • • •Rimu
in reply to awbvious • • •In piefed.social/user/settings there are two different compact modes to choose from, which shrink the images to varying degrees.
I don't know of any way to determine how JS-heavy a link is.
Login
piefed.socialawbvious
in reply to Rimu • • •mesa
in reply to Rimu • • •flamingos-cant (hopepunk arc)
in reply to awbvious • • •GitHub - christianjuth/blorp: Bl🪐rp Social – another Lemmy client nobody asked for. Web, iOS & macOS, and more!
GitHublike this
Fitik likes this.
solrize
in reply to awbvious • • •mnmalst
in reply to awbvious • • •Voyager for Lemmy
vger.appbdonvr
in reply to mnmalst • • •Some instances host this themselves too.
app.thelemmy.club/
Voyager for Lemmy
app.thelemmy.clubdragnucs
in reply to awbvious • • •Omega
in reply to dragnucs • • •QuazarOmega
in reply to Omega • • •Welcome to Interstellar
Interstellarlike this
jwr1 likes this.
nocturne
in reply to Omega • • •Omega
in reply to nocturne • • •kbal
in reply to awbvious • • •like this
Fitik and TVA like this.
shnizmuffin
Unknown parent • • •Using CSS anchor positioning - CSS: Cascading Style Sheets | MDN
MDN Web Docslike this
TVA likes this.
lambalicious
in reply to awbvious • • •This tbh.
I don't understand why is this not he standard for Lemmy and the Fediverse. We got here, among other things, to get away from the kind of crap enabled by JS-first web.
Nothing4You
in reply to awbvious • • •software like noscript is not exactly beginner friendly. you're expected to understand the impact of your blocking and what you are blocking. the only domain you need to allow JS from on lemmy.world is lemmy.world. standard lemmy-ui does not load any js or css from third party sources, only the domain where lemmy-ui is served. your noscript configuration is blocking the actual images, not javascript that would be required to load images.
edit:
to expand on this, even in tor browser in safest mode, lemmy.world works totally fine when all you do is allow JS from lemmy.world on lemmy.world:
awbvious
in reply to Nothing4You • • •My result?
"The American Dream" discuss.online - BROKEN
"We are way overdue for an open source 2d printer" sub.wetshaving.social - BROKEN
"We never stood a chance." ani.social - BROKEN
"literally useless" lemmy.blahaj.zone - BROKEN
"Anime Recommendations" lemmy.dbzer0.com - Works (the one you show)
Nothing4You
in reply to awbvious • • •nothing about this is cherry-picking. it's simply how lemmy works. there are no remote js sources. lemmy-ui even sets security headers that prevent loading js from third party domains.
awbvious
in reply to Nothing4You • • •Nothing4You
in reply to awbvious • • •honestly at this point I don't consider it worth continuing the discussion here, as it doesn't seem that you understand enough of what you're talking about, despite your claims of dealing with it for "years", yet you keep implying that i'm likely the one being wrong or even lying/misrepresenting things.
the second screenshot is from the same browser as the first, both are in firefox, using the tor browser variant in safest mode, which blocks even more than the average noscript installation in firefox. tor browser is a hardened variant of firefox esr. if it works in tor browser without loading js from third parties it'll very much do so in any other browser. the screenshot is from macos, which is probably why you're not used to it, but that's just what firefox on macos looks like. this is my standard firefox install:
besides, if lemmy was loading and executing javascript from other instances, this would be a massive security issue, which is yet another reason why your claim o
... show morehonestly at this point I don't consider it worth continuing the discussion here, as it doesn't seem that you understand enough of what you're talking about, despite your claims of dealing with it for "years", yet you keep implying that i'm likely the one being wrong or even lying/misrepresenting things.
the second screenshot is from the same browser as the first, both are in firefox, using the tor browser variant in safest mode, which blocks even more than the average noscript installation in firefox. tor browser is a hardened variant of firefox esr. if it works in tor browser without loading js from third parties it'll very much do so in any other browser. the screenshot is from macos, which is probably why you're not used to it, but that's just what firefox on macos looks like. this is my standard firefox install:
besides, if lemmy was loading and executing javascript from other instances, this would be a massive security issue, which is yet another reason why your claim of loading js from other instances is ludicrous for someone who knows how these things work, at least when you keep insisting on it.
as i mentioned before, noscript is not an extension that is easy to use without some basic understanding of how websites work. if you've been having issues for years due to not understanding these things and how to deal with them properly that suggests that it'd probably be better for you to just switch to something like ublock origin with anti-tracking filter lists if you're not planning to spend some time learning how websites work and what the different types of blocked resources do.
i don't even see how you would be blocking images with noscript, as there doesn't even seem to be an option for it. unless of course you're confusing noscript with something like umatrix, which does allow blocking images by default as well, but it would also clearly show that there is media blocked and not scripts:
anyway, if you're truly interested in understanding these things and not just rant about them please do some research on the technology being used.
Blaze (he/him)
in reply to Nothing4You • • •awbvious
in reply to Nothing4You • • •I'm familiar with ESR. As I understand it, it is the version before (or more precisely a reflection of the version before) Mozilla switched to the newer version, breaking a lot of extensions that I liked in the process. As I remember it, it was a pretty deep departure (and many considered it too Chrome-y, was the same underlying engine on something like that). The newer version was more secure, but also more limited. I've played around with some ESR forks, but I do not use them normally/currently. That alone sounds like a pretty different environment.
Ah, now I see it. I've seen that in screenshots before. But yes, yet another case of different environments. And that's not even getting into other possible extensions.
... show moreI'm sorry if you thought I was "implying that I’m ... even lying". I just want to
I'm familiar with ESR. As I understand it, it is the version before (or more precisely a reflection of the version before) Mozilla switched to the newer version, breaking a lot of extensions that I liked in the process. As I remember it, it was a pretty deep departure (and many considered it too Chrome-y, was the same underlying engine on something like that). The newer version was more secure, but also more limited. I've played around with some ESR forks, but I do not use them normally/currently. That alone sounds like a pretty different environment.
Ah, now I see it. I've seen that in screenshots before. But yes, yet another case of different environments. And that's not even getting into other possible extensions.
I'm sorry if you thought I was "implying that I’m ... even lying". I just want to get environmental discrepancy issues out of the way first. Let's have best faith assumptions, like I will regarding the above sentence.
As for loading js, I took a screenshot, but I don't want to upload screenshots if not necessary. It was from a few days ago and does show many instances attempting to run scripts. Notably, after my post, I noticed that images were loading without needing to enable any javascript from other servers (didn't bother to check if they were still trying to, but I didn't permanently allow them, and images were loading). I can upload my screenshot, but only if you really want them. That is if it is something you need. My best faith understanding of our communication is neither of us want this to devolve into something unpleasant, and I worry about it getting there.
I have the former, tried the latter, but ultimately have stuck to a mix of ublock origin and noscript. Theoretically, one doesn't even need noscript, ublock origin can do it. But I am used to this mix. I can see by how many times you've mentioned it, that I need not remind you for how long.
If this feels like ranting, then perhaps we do not engage further. However, if /you/ feel you would benefit, I am more than happy to. I do appreciate the time you put into your responses and what you have added to the conversation.
awbvious
in reply to awbvious • • •For posterity. This is from today.
Environment
Firefox Browser 139.0.1 (64-bit)
NoScript 13.0.8
All other extensions disabled
A broken image, from Active on lemmy.world. Notably by a user named "Docker".
My noscript settings.
Rimu
Unknown parent • • •Yeah. But in this case the Topics menu can be quite heavy as it lists every community that the current user is subscribed to. Instead of generating that menu (and sending it to the client) on every page load, when it probably won't even be used, PieFed makes an ajax call (only possible with JS) to retrieve the topics menu when it's clicked. Same for 'Feeds'.
This cut the amount of HTML being sent to the browser by around 50% (depends on how many communities you subscribe to but PieFed makes it extremely easy to subscribe to dozens of communities with a single click so many people have hundreds) and eased load on the server too. Some of the more under-powered instances run noticeably faster now.
Ademir
in reply to awbvious • • •awbvious
in reply to Ademir • • •Mentioned elsewhere, and a decent workaround. Doesn't do well with thumbnails, unfortunately.
[edit: someone below suggested removing the thumbnail sampling (I'll probably try via uBlock Origins). Honestly with that and a bit of zoom, might work fine. Will be testing it.]