I actively do this with uMatrix - granted, I only block non-first-party JavaScript. Most sites I visit only require a few domains to be enabled to function. The ones that don't are mostly ad-riddled news sites.
There are a few exceptions to this - AWS and Atlassian come to mind - but the majority of what I see on the internet does actually work more or less fine when you block non-first-party JavaScript and some even when you do that. uMatrix also has handy bundles built-in for certain things like sites that embed YouTube, for example, that make this much easier.
Blocking non-first-party like I do does actually solve this issue for the most part, since, according to the article, only bundles that come from the cdn.polyfill.io domain itself that were the problem.
dactylotheca@suppo.fi 3 months ago
You’re still trusting that the 1st party javascript won’t be vulnerable to supply chain attacks, though
valaramech@fedia.io 3 months ago
In my experience, first-party JavaScript is more likely to be updated so rarely that bugs and exploits are more likely than supply chain attacks. If I heard about NPM getting attacked as often as I hear about CDNs getting attacked, I'd be more concerned.
vxx@lemmy.world 3 months ago
Funny that they want you to allow all java scripts but then criticise first party scripts for being unsave.
I bet [insert random autocrat here] would approve of that message.