Automatically Installed JavaScript Must Die

22 replies
onpon4
Joined: 05/30/2012

I posted a topic about this recently. Now I've written an essay about it:

https://onpon4.github.io/other/kill-js/

I've come to the conclusion that making JavaScript code libre is the wrong direction to take. I think automatically installed JavaScript should just be rejected, and I have started doing so.

By the way, a useful trick: one common use of JavaScript code is to show elements that are hidden by default (spoiler tags, for example). You can right-click on such elements, choose "Inspect Element", and modify the CSS display attribute from "none" to "" (or just get rid of the part that modifies the display attribute). It takes a couple seconds, so it's obviously less convenient than using the JavaScript code, but it's very easy. The Inspect Element feature can also be useful for other things, like floating boxes that block text.
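The "Inspect Element" trick above, done once per page load by a user script instead of by hand. This is an added example, not code from the original post: it rewrites the inline `style` attribute of every element that hides itself with `display: none`, which is what the manual edit does. The stand-in element helper is only there so the logic can be exercised outside a browser; in a real page the script runs over `document.querySelectorAll`.

```javascript
// ==UserScript==
// @name         Reveal elements hidden with inline display:none
// @description  Added example (not from the original post): the "Inspect Element"
//               edit, applied to every inline-hidden element once per page load.
// @match        *://*/*
// @run-at       document-end
// ==/UserScript==

// Drop every `display: none` declaration from an inline style string, keep the rest.
// Handles optional whitespace, `!important`, and a missing trailing semicolon.
function stripDisplayNone(styleText) {
  return styleText
    .split(';')
    .map((decl) => decl.trim())
    .filter((decl) => decl && !/^display\s*:\s*none(\s*!important)?$/i.test(decl))
    .join('; ');
}

// Rewrite the style attribute of each element in `elements` that hides itself inline.
// Returns how many elements were changed. `elements` is any iterable of objects with
// getAttribute/setAttribute/removeAttribute, so a NodeList and a stand-in both work.
function revealHidden(elements) {
  let changed = 0;
  for (const el of elements) {
    const before = el.getAttribute('style');
    if (before === null || !/display\s*:\s*none/i.test(before)) continue;
    const after = stripDisplayNone(before);
    if (after === '') el.removeAttribute('style');
    else el.setAttribute('style', after);
    changed += 1;
  }
  return changed;
}

// Constructed stand-in for a DOM element (used for the demo and for tests only).
function makeStandInElement(style) {
  const attrs = style === null ? {} : { style };
  return {
    attrs,
    getAttribute: (k) => (k in attrs ? attrs[k] : null),
    setAttribute: (k, v) => { attrs[k] = v; },
    removeAttribute: (k) => { delete attrs[k]; },
  };
}

if (typeof document !== 'undefined') {
  // Real page: only elements whose inline style mentions `display` are candidates.
  revealHidden(document.querySelectorAll('[style*="display"]'));
}
```

This only catches elements hidden through the inline `style` attribute. A spoiler hidden through a class rule in a stylesheet is not touched; for that you would edit the rule through `document.styleSheets`, which is also what the manual Inspect Element route ends up doing.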

jxself
Joined: 09/13/2010

Reading an article about software freedom that is itself hosted by non-free software seems ironic.

dobie_gillis
Joined: 10/27/2014

I was thinking the same thing.

Julian, I enjoyed reading this essay, but I would stay away from Github whenever possible.

They're extremely corporate-minded.

"the GPL is too restrictive and dogmatic to be usable in many cases. I want everyone to benefit from my code. Everyone. That's what Open should mean, and that's what Free should mean."
- Tom Preston-Werner, co-founder
http://tom.preston-werner.com/2011/11/22/open-source-everything.html

I do use github to collaborate on projects that are already based there. But if you care about the things you're talking about in your essay, then why would you choose to host your website on their servers?

onpon4
Joined: 05/30/2012

When I last weighed my options, it was the best choice I could find. I was only looking at gratis hosts at the time because I didn't have a stable source of income, and the only other alternative I could find which didn't require gratuitous JavaScript and didn't require me to run proprietary software, 000webhost (which was what I used before GitHub), seems to be censored by AT&T; I can't access most of its servers except through Tor.

I just haven't looked for a new host since then.

dobie_gillis
Joined: 10/27/2014

That makes sense. But there are other choices. You can search for SDF, or devio.us. I would host your website if you want on my linode VPS.

All the services I've mentioned don't necessarily align with the goals of GNU, but github in particular I have issues with because of their attitude, and because they have become popular in the mainstream.

davidnotcoulthard (not verified)

https://gitorious.org

edit: never mind.

dobie_gillis
Joined: 10/27/2014

Yeah, Gitorious works as a place to host git repositories, but it doesn't have most of the features that GitHub provides. It would be nice to see an issue tracker in Gitorious, as well as a web hosting mechanism like onpon4.github.io is using.

t3g
Joined: 05/15/2011

If you have your own server, there's GitLab: https://gitlab.com

SuperTramp83
Joined: 10/31/2014

JavaScript has always been turned off for me since I first understood how many problems, especially security-wise, it can introduce.
Always off.

quantumgravity
Joined: 04/22/2013

Onpon, there is one big flaw in your argumentation: you portray the installation and execution of a javascript program as equal to the installation and execution of normal software.
It's just not the same thing. The capabilities of JavaScript are far, far (!) more limited than is the case for ordinary programs. I think the whole problem gets exaggerated.

jxself
Joined: 09/13/2010

It is still software and, regardless of what it can "do", still needs to be free. The free software movement is about ethics, not about security or other issues (although they do intersect but still, you know what I mean.) :)

quantumgravity
Joined: 04/22/2013

That may be so, but still the comparison drawn in the essay is not correct.
It basically reads like 'look how awful it is that thousands of programs get installed and executed on our PCs from random sources without our permission', but it doesn't talk about the major differences here.

davidnotcoulthard (not verified)

"It basically reads like 'look how awful it is that thousands of programs get installed and executed on our PCs from random sources without our permission'"

As somebody who hasn't quite got the expertise in programming, would you please enlighten at least myself as to why it isn't (assuming that's what you're implying with "major differences")?

dobie_gillis
Joined: 10/27/2014

Even if the JavaScript isn't doing something malicious, what if you want to make a change to it? It doesn't matter that it runs in a sandboxed browser environment, because the JavaScript code still has complete control over the web page you're visiting.

If all you care about is security, then sure, you can say JavaScript is pretty much fine, and you can also use something like NoScript to only execute JavaScript that comes from certain servers (NoScript runs nonfree, proprietary JavaScript code, which the majority have no problem with). But Julian's essay is talking about nonfree or proprietary JavaScript code, not malicious JavaScript that's written to exploit security holes.

quantumgravity
Joined: 04/22/2013

''But Julian's essay is talking about nonfree or proprietary JavaScript code''

First of all, that's just wrong. Julian is explicitly talking about all JavaScript out there, free as well as non-free. LibreJS aims to wipe out non-free JavaScript, but that's not enough in his eyes.

If i understood correctly, one of his main problems with javascript is that those 'programs' get silently 'installed and executed' from various untrusted sources.
But those sandboxed scripts can't really do much, so this sounds more dramatic than it actually is. That's my whole point.

dobie_gillis
Joined: 10/27/2014

What I should have said is: his essay is addressing the issue of nonfree and free JavaScript, not malicious and non-malicious JavaScript.

dobie_gillis
Joined: 10/27/2014

"If i understood correctly, one of his main problems with javascript is that those 'programs' get silently 'installed and executed' from various untrusted sources."

You're right, that does seem to be his main concern. In that case, I'd suggest the NoScript extension, or disabling JavaScript completely.

lembas
Joined: 05/13/2010

> If all you care about is security, then sure, you can say JavaScript is pretty much fine

I think there are too many JS related issues for one to be able to say so.

E.g. https://www.mozilla.org/security/known-vulnerabilities/firefox/

dobie_gillis
Joined: 10/27/2014

Well, that is a different issue then. And that's being addressed by the Mozilla team.

dobie_gillis
Joined: 10/27/2014

From Julian's essay:

"Let's suppose even further that LibreJS succeeds so much that it causes a large portion of the Web to release scripts under libre licenses and document the licenses in a format LibreJS can understand.

It seems great on the surface, but what follows from this is that software is still being silently installed into our browsers every day. The only difference is that LibreJS thinks the programs are libre."

Maybe LibreJS should figure out if the free script has changed since the last time you ran it?

onpon4
Joined: 05/30/2012

To my mind, for the system of JavaScript to be acceptable, each script installation must be explicitly authorized by the user, unless the user has decided to place trust in someone, and permanent so that you can keep an old version; and it needs to be possible to install other scripts in place of the requested scripts.

But I argue that this would be a wasted effort. We can achieve the same result of the users being in control of their own scripts by rejecting the JavaScript requests entirely and using user scripts instead, where it makes sense to. We can even replace proprietary scripts ourselves via user scripts. For example, while it is probably not the intention of the developer, ViewTube works as a libre replacement for YouTube's JavaScript code.

One thing that could be helpful is if we could automatically convert typical JavaScript code requests into user scripts. I don't know whether or not this is possible, though, because I'm not familiar with JavaScript programming, much less the user script API. Could anyone provide some insight?

dobie_gillis
Joined: 10/27/2014

There's a discussion about this on an internal GNU mailing list.

One path that GNU might take is downloading scripts into the user's home directory so they have control over them, possibly based on the dotjs extension: https://github.com/rlr/dotjs-addon

t3g
Joined: 05/15/2011

In the past, I have talked about the concept of using JavaScript source maps for minified JS code as a way to check the source for the JavaScript where the author could put in the licensing information. The source map is referenced in the minified code and some browsers have the option to view the linked source in their developer tools. There you can throw in your full license headers at the start of your file and do it properly.

You could say that the majority of websites will not provide the raw source code if they don't have to. If they did though, I believe the source map solution is the most direct. There have been solutions in the past (like RMS's JavaScript trap) that want users to include @license tags, but it hasn't been used much, nor is it standardized.

If I had the time, I would build a better solution than LibreJS or "JavaScript Must Die" and do an extension that would be reliant on the source maps and pull license information from that. It's still a daydream though, as no one even uses source maps. :-(