Browsing and javascript

12 replies [Last post]
Lola
Offline
Joined: 10/10/2015

Hi,

How dangerous is javascript when browsing?

Does anyone in this forum browses the Internet with a javascript-disabled browser?

Or maybe you just disable it when you are visiting a website you don't trust?

What does the LibreJS add-on do?

Does it make web browsing safer?

Once I get some answers here I may understand Zeronet dangers [1].

Thank you.

[1] https://trisquel.info/en/forum/zeronet-and-javascript

quantumgravity
Offline
Joined: 04/22/2013

Proprietary Javascript is a way smaller problem than normal proprietary software for two reasons:
first, it is executed in your webbrowser, which puts it in a sandbox. That means that the webbrowser limits what javascript can actually do, and if your webbrowser is free software, everybody can check if it is really doing a proper job.
Second, most javascript code that you find on smaller websites is visible in your console, that means everybody can read what it's doing and in principle, every user can find harmful features and inform others about it.
However, it's true that bigger websites which rely more on javascript mostly minify and uglify their code, so you get a compressed and non-human-readable version.

What you should be more concerned with is injected javascript from services like google analytics, since they can track you. I advice installing noscript and blocking those sites.
The functionality of the website you want to use will not suffer from this.

My personal opinion is that the fuss about non-free javascript is way, way too big and exaggerated.
Besides, javascript applications are most of the time deeply connected with the layout of the webpage and the server as a backend api.
Take both away and the code is basically useless because incomplete.
In general, it's way harder to apply the idea of free software on javascript (in websites) mainly due to those issues.
Writing a modified version of the javascript of a website and sharing it with your friends? Maybe but difficult and mostly unneccesary.
Writing a modified version of the javascript code of a website and realising a modified version?
In most cases, that makes no sense since the website might change any day, making your code useless.
Again, big single-page-webapps which are running soley on the client are a different story.

calher

I am a member!

Offline
Joined: 06/19/2015

> first, it is executed in your webbrowser, which puts it in a sandbox. That
> means that the webbrowser limits what javascript can actually do, and if your
> webbrowser is free software, everybody can check if it is really doing a
> proper job.

Security is not the same as user freedom. They are both important, but
treating them as though they are the same will lead to incorrect
conclusions.

> Second, most javascript code that you find on smaller websites is visible in
> your console, that means everybody can read what it's doing and in principle,
> every user can find harmful features and inform others about it.

That's not source code. Source code is the preferred form for modifying
the program, the same unmodified code that the author uses when they
write or edit the program. Most JavaScript is minified and looks far
different from what the author has, and can require reverse engineering
skills to read.

If that's source code, then a ready-to-run binary, assembled from
Assembly language, qualifies as source code, even though binaries lack
comments and variable names.

> However, it's true that bigger websites which rely more on javascript mostly
> minify and uglify their code, so you get a compressed and non-human-readable
> version.

When you process source code, it's no longer source code.

> My personal opinion is that the fuss about non-free javascript is way, way
> too big and exaggerated.

It literally gave my machine a kernel panic. You think that's not a big
deal?

JavaScript also prevents users from doing basic tings on their
computers, like highlighting text with their cursor while reading an
article. A message popped up and told me "You can't do that!"

We're not even talking about copying the text. We're just talking about
selecting it with the cursor! And if you turn JavaScript off, the whole
article is generated/pulled in with JavaScript and is not present in the
page source at all, so you can't read any of it.

That's not a world I want to live in, with DRM on simple web articles.

> Besides, javascript applications are most of the time deeply connected with
> the layout of the webpage and the server as a backend api.

So? That JavaScript is a client to their server software, and it should
be free software if it's going to run on my computer.

> Writing a modified version of the
> javaschttps://www.youtube.com/watch?v=igDGkpTHuhkript of a website and
> sharing it with your friends? Maybe but difficult and mostly unneccesary.

It is very necessary. People modify JavaScript all the time to improve
user's lives. Look at Reddit Enhancement Suite.

> Writing a modified version of the javascript code of a website and realising
> a modified version?
> In most cases, that makes no sense since the website might change any day,
> making your code useless.

What do you think youtube-dl does all the time? And yet people still
benefit greatly from their work. Do you think youtube-dl should be shut
down?

> Again, big single-page-webapps which are running soley on the client are a
> different story.

Those are even worse. Those especially should be free software or
avoided at all costs. Google Drive is the new Microsoft Office.

--
Caleb Herbert
OpenPGP public key: http://bluehome.net/csh/pubkey

quantumgravity
Offline
Joined: 04/22/2013

"That's not source code."
It's the code that gets executed in your browser, and again, for the average-joe website that just opens a dropdown menu or sends an ajax request to fetch, let's say, some posts from the database, this IS exactly what the author of the code wrote.
I talked about uglification later in my post.

"When you process source code, it's no longer source code."
Again, not every javascript code on websites is uglified or processed. Mostly the big common libraries are, like jquery, but they are all free software anyway.

"JavaScript also prevents users from doing basic tings on their
computers, like highlighting text with their cursor while reading an
article. A message popped up and told me "You can't do that!" "
You could open the console and delete the event handler. Again, it's annoying, and I never claimed that website owners can't do annoying things with javascript. But why then even use their website?

The crucial thing to understand is that modern websites are not like normal programs. They consist of html/css markup, client side javascript and server-side api services.
All those things together form the experience of the website. Or you could say: it's composed of displaying/layout functionality, data processing functionality and the data itself.
We don't own the data, it's not ours. We can also not controll the server side processes nor own we the copyright for the layout/markup. Javascript is one way of how websites can annoy us or make the service a miserable experience.
Why was your website able to prevent you from marking the text? Because the browser is allowing this feature, and this may be indeed controversal.

"What do you think youtube-dl does all the time?"

Clearly not providing a modified version of youtubes javascript that I can run as a replacement. Otherwise I could load it in my browser and run youtube with the modified version. I can't.
Imagine all of youtubes javascript code - all the bits and pieces scattered throughout the dom - was free and you want to write a modification and share it with others. Good luck!
It's their right to change their DOM and Backend API every single day, it's not even unethical.
Then all you would go to waste (not that it was feasable to do in the first place).

calher

I am a member!

Offline
Joined: 06/19/2015

Hm, it seems we disagree on some basic points. My work is done.

quantumgravity
Offline
Joined: 04/22/2013

That's alright. Different viewpoints add to diversity.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

Judging exclusively from what I've read so far the situation is actually far worse than mate quantum describes. First of all, it appears that I would say 99% of tracking techniques rely heavily on javascript, and by heavily I mean they will not work if js is disabled. If EFF's study on fingerprinting is correct we can safely conclude that javascript can give away so much information about your hardware as to, often, uniquely identify it.

This is privacy though, security is another thing. Well, it appears that again javascript is a quite large attack vector.
After all escaping the same origin policy or the sandbox is no science fiction and it has been done many times in the past. Fortunately your browser gets patched often against known vulnerabilities. Cross site vulnerabilities and forgeries can also be used. Noscript is an awesome addon for this. Buffer overflows combined with malicious scripts can pwn ur browsy. It doesn't happen often but it does happen.
Basically here it seems to me, and I might be wrong, you are trusting a sandbox with malicious software that can do a lot of harm to your browser and in some cases even more.

Besides, browsing the interwebs with js disabled is an awesome experience. And I mean it. I have been doing so for years (only few websites allowed), you would be surprised how much shit gets cut out and how clean and functional a website is (well, when it works :P), no crap, no ads, no slowdown, less fingerprinting. Why not?

Noscript is currently the only addon I have installed :)

calher

I am a member!

Offline
Joined: 06/19/2015

> How dangerous is javascript when browsing?

JavaScript is how a lot of people lose protection on Tor.

Personally, JavaScript programs have put me in the following situations:

* unable to highlight text in article with cursor
* unable to copy text in article with Ctrl+C
* pop-ups
* fan acceleration
* kernel panic (I'm looking at you, Twitch!)

> Does anyone in this forum browses the Internet with a javascript-disabled
> browser?

I do most the time.

> Or maybe you just disable it when you are visiting a website you don't trust?

Even if I can assume a JavaScript program is not malicious, I still
refuse to run it because it is proprietary software. My only exceptions
are free JavaScript, job applications, and Reddit.

Also, if I just installed a new system and haven't bothered setting up
AVideo (youtube-dl without DRM or background JS execution) I will
temporarily use YouTube's proprietary embedded player if I'm certain the
video won't be blocked by DRM when I go to download it with AVideo.

More info about AVideo: https://notabug.org/GPast/avideo

> What does the LibreJS add-on do?

LibreJS is pretty neat. It tries to automatically detect if the scripts
embedded in a page are under a free license.

Unfortunately, this only works on a tiny amount of sites, and even GNU
projects like GNU Taler have issues getting their site to pass LibreJS.

However, the practices required by LibreJS aren't just stupid
requirements of LibreJS. They're actually probably the only way you
could legally distribute embedded JavaScript if it is under the GNU
General Public License.

In addition, it's really the only polite thing to do. Everything else
on a website has copyright information at the bottom of the page, so why
do people just neglect the copyright information on embedded scripts?
It's only logical that there is a page on the site disclosing ALL
copyright info to readers, incl. copyright on scripts.

People may hate LibreJS because it does not work at all and probably
never will, but everyone should be telling site owners to be transparent
about the copyright information of the programs embedded in their pages.
Composing an email to ask about copyright is a lot more work than just
going to the bottom of the page to see copyright notices.

> Does it make web browsing safer?

Yes. It prevents crashing from heavy web apps, and it limits what
Facebook and other malicious sites can do when you type stuff in their
forms. (They can't use JS to log keystrokes you never publish.)

> Once I get some answers here I may understand Zeronet dangers [1].
>
> Thank you.
>
> [1] https://trisquel.info/en/forum/zeronet-and-javascript
>

--
Caleb Herbert
OpenPGP public key: http://bluehome.net/csh/pubkey

ADFENO
Offline
Joined: 12/31/2012

A minor correction also: The practice of distributing any JavaScript
requires a license notice as described by the license text.

For example, in the case of Modified BSD License (3-clause BSD), "MIT
License" (Expat License or sometimes X11 License), the license text
itself says one has to use the full license text as its notice.

I have made a quick comparison on the length of the license notices (not
the topmost part, which is the copyright notice) and so far the latest
versions of {AGP,GP,FD}L are better both in terms of license notice and
in terms of end-user protection.

2017-11-24T15:19:09-0600 Caleb Herbert wrote:
>
> JavaScript is how a lot of people lose protection on Tor.
>
> Personally, JavaScript programs have put me in the following situations:
>
> * unable to highlight text in article with cursor
> * unable to copy text in article with Ctrl+C
> * pop-ups
> * fan acceleration
> * kernel panic (I'm looking at you, Twitch!)
>
>
> I do most the time.
>
>
> Even if I can assume a JavaScript program is not malicious, I still
> refuse to run it because it is proprietary software. My only exceptions
> are free JavaScript, job applications, and Reddit.
>
> Also, if I just installed a new system and haven't bothered setting up
> AVideo (youtube-dl without DRM or background JS execution) I will
> temporarily use YouTube's proprietary embedded player if I'm certain the
> video won't be blocked by DRM when I go to download it with AVideo.
>
> More info about AVideo: https://notabug.org/GPast/avideo
>
>
> LibreJS is pretty neat. It tries to automatically detect if the scripts
> embedded in a page are under a free license.
>
> Unfortunately, this only works on a tiny amount of sites, and even GNU
> projects like GNU Taler have issues getting their site to pass LibreJS.
>
> However, the practices required by LibreJS aren't just stupid
> requirements of LibreJS. They're actually probably the only way you
> could legally distribute embedded JavaScript if it is under the GNU
> General Public License.
>
> In addition, it's really the only polite thing to do. Everything else
> on a website has copyright information at the bottom of the page, so why
> do people just neglect the copyright information on embedded scripts?
> It's only logical that there is a page on the site disclosing ALL
> copyright info to readers, incl. copyright on scripts.
>
> People may hate LibreJS because it does not work at all and probably
> never will, but everyone should be telling site owners to be transparent
> about the copyright information of the programs embedded in their pages.
> Composing an email to ask about copyright is a lot more work than just
> going to the bottom of the page to see copyright notices.
>
>
> Yes. It prevents crashing from heavy web apps, and it limits what
> Facebook and other malicious sites can do when you type stuff in their
> forms. (They can't use JS to log keystrokes you never publish.)
>

--
- https://libreplanet.org/wiki/User:Adfeno
- Palestrante e consultor sobre /software/ livre (não confundir com
gratis).
- "WhatsApp"? Ele não é livre. Por favor, veja formas de se comunicar
instantaneamente comigo no endereço abaixo.
- Contato: https://libreplanet.org/wiki/User:Adfeno#vCard
- Arquivos comuns aceitos (apenas sem DRM): Corel Draw, Microsoft
Office, MP3, MP4, WMA, WMV.
- Arquivos comuns aceitos e enviados: CSV, GNU Dia, GNU Emacs Org, GNU
GIMP, Inkscape SVG, JPG, LibreOffice (padrão ODF), OGG, OPUS, PDF
(apenas sem DRM), PNG, TXT, WEBM.

calher

I am a member!

Offline
Joined: 06/19/2015

What?

LibreJS standards were DESIGNED to answer "What would true GPL
compliance look like with JavaScript?"

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> They're actually probably the only way you
> could legally distribute embedded JavaScript if it is under > the GNU
> General Public License.

Onpon4 makes some good points on this here: https://onpon4.github.io/other/kill-js/

> and it limits what
> Facebook and other malicious sites can do when you type stuff in their
> forms. (They can't use JS to log keystrokes you never > publish.)

I find this is the quickest way to convince non-techie people that non-free JavaScript can be dangerous. It doesn't hurt to also mention that *what* you type isn't all a site can get from your keystrokes. https://www.secureauth.com/products/secureauth-idp/behavioral-biometrics

calher

I am a member!

Offline
Joined: 06/19/2015

> > They're actually probably the only way you
> > could legally distribute embedded JavaScript if it is under > the GNU
> > General Public License.
>
> Onpon4 makes some good points on this here:
> https://onpon4.github.io/other/kill-js/

I agree with much of her article, but I think LibreJS still has a place.

Basically, people need to start working on extensions to operate
websites with the extension's JavaScript and not the site's JS, and
LibreJS can be used in emergencies when an extension hasn't been found.
The system's package manager (Guix) can manage extensions in the back
end.

The LibreJS standard, as I mentioned before, is mostly important to
HUMANS: so regular people can look at the copyright info and go "oh, ok,
looks good. I'll run those."

--
Caleb Herbert
OpenPGP public key: http://bluehome.net/csh/pubkey

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010