Do youtube-dl/HTML5 Video Everywhere run nonfree JS?
Does HTML5 Video Everywhere do the same thing in IceCat? It seems to work when I disable JS.
Then what does JSInterpreter do? What does youtube.py do with it?
It looks fishy, and I've seen discussions on the GitHub page about "fixing" support for a site by putting the JS through JSInterpreter.
Yes, that would be a good solution, I think.
A Windows 10 virtual machine is sandboxed. So what?
So your example is flawed, since Windows is rotten from the inside already.
JS in youtube-dl is used to get the video's ID.
How? We don't know exactly yet.
JS is problematic because:
- it gathers my data
- it can be executed on my PC, most likely to gather data anyway (regarding youtube)
JS is problematic if:
- it's proprietary (no access to what it really does)
- it's executed without limits.
Sandboxing can matter regarding the last point.
For example, simply firejailing youtube-dl should work to limit how much of my PC this program has access to.
Then there's the matter of linking my IP to whatever I'm watching/listening.
In theory, this is only possible through TOR, using a convoluted process (download from the link I get from TOR, but only read the file when TOR is turned off).
But maybe a VPN is enough (even if it's not de-anonymizing) because why go through the effort of inspecting further if it costs too much resources? Disclaimer: my reasoning probably isn't without flaws.
So this is the infamous JS interpreter.
It doesn't seem that bad, but I don't understand most of it, so...
For example, I couldn't find those things imported at the top (after a glance).
The imports at the top are modules provided with Python: json provides tools for handling json, re is for handling regular expressions, and operator simply allows binary operations (e.g. x+y, x*y) to be expressed as functions.
As you, its capacity seems rather limited. With the caveat that my 'audit' didn't involve reading every single line of code to death, the interpreter's capacity seems largely limited to basic arithmetic and string operations, assignment, and function/class definitions. It also appears to be able to handle json dumps, although what exactly this involves is not apparent.
Overall, it could perhaps be argued it's no worse than allowing arbitrary CSS to run in the browser, since that already permits mathematical operations. However, this is certainly something to be wary of.
Interesting, thanks :)
I wonder whether it makes function calls to other files.
I'll try and roughly figure out those json dumps things.
>As you, its capacity seems rather limited.
There are assignments, recursions, etc. That probably is enough for the interpreted language to be Turing-complete: https://en.wikipedia.org/wiki/Turing_completeness
The problem is not the interpreter but the code that is interpreted, which can be free or not (and can do anything a computer can do if the interpreted language is Turing-complete). But is the interpreter really taking arbitrary code from the Web?
>That probably is enough for the interpreted language to be Turing-complete
It seems to be so. On the other hand- and it's no excuse for running proprietary software- there doesn't seem to be a great deal of functionality: for example, there seems to be no way to communicate over the Internet, access a permanent data store, invoke third-party functions, and so on. It seems relatively harmless from a privacy/security perspective, though of course it wouldn't take much for that to change.
>But is the interpreter really taking arbitrary code from the Web?
Unfortunately, yes- perhaps not in actual usage, but it's set up to do so. The module containing the interpreter is imported by youtube_dl/extractor/youtube.py, and the function _parse_sig_js invokes that to run some code it's fed. The following block of code then calls that function with the source of a webpage it downloads:
    if player_type == 'js':
        code = self._download_webpage(
            errnote='Download of %s failed' % player_url)
        res = self._parse_sig_js(code)
This seems to be the only use of the system for YouTube (I haven't looked at other sites), and what exactly sets the player type to 'js' I don't know. It may be worth noting that there's also an SWF interpreter, which is invoked very similarly to the way the JS one is (except with player type swf instead).
EDIT: Probably irrelevant, but a re-read suggests I forget the said in "As you said".
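The capability argument made in the post above, as an added sketch that is not part of the thread and not youtube-dl's code: an evaluator that executes downloaded script text only when every statement matches an allowlist of string operations, so a call such as `fetch(...)` has nothing to bind to. The names `run_restricted` and `Rejected`, both sample scripts, and the five permitted statement shapes are assumptions made for the illustration, and are narrower than the capabilities the post attributes to JSInterpreter.

```python
import re

# Constructed sample scripts standing in for downloaded player code.
SAMPLE_JS = 'function f(a){a=a.split("");a.reverse();a.splice(0,2);a=a.slice(1);return a.join("")}'
HOSTILE_JS = 'function f(a){a=a.split("");fetch("//example.invalid/"+a);return a.join("")}'

class Rejected(ValueError):
    """The script contains something outside the allowlist."""

_FUNC = re.compile(r'function\s+\w+\((\w+)\)\{(.*)\}\s*$', re.S)

def _rules(var):
    """Allowlisted statement shapes for the argument named `var`, each with its effect."""
    v = re.escape(var)
    return [
        (r'%s=%s\.split\(""\)$' % (v, v), lambda s, m: list(s)),
        (r'%s\.reverse\(\)$' % v, lambda s, m: s[::-1]),
        (r'%s\.splice\(0,(\d+)\)$' % v, lambda s, m: s[int(m.group(1)):]),
        (r'%s=%s\.slice\((\d+)\)$' % (v, v), lambda s, m: s[int(m.group(1)):]),
        (r'return %s\.join\(""\)$' % v, lambda s, m: ''.join(s)),
    ]

def run_restricted(js, value):
    """Evaluate `js` on `value`, refusing any statement that is not allowlisted."""
    found = _FUNC.match(js.strip())
    if not found:
        raise Rejected('expected a single one-argument function')
    var, body = found.groups()
    rules = _rules(var)
    state = value
    for stmt in filter(None, (s.strip() for s in body.split(';'))):
        for pattern, effect in rules:
            hit = re.match(pattern, stmt)
            if hit:
                state = effect(state, hit)
                break
        else:
            raise Rejected('statement not in allowlist: %r' % stmt)
        if stmt.startswith('return'):
            return state
    raise Rejected('function never returns')

if __name__ == '__main__':
    print(run_restricted(SAMPLE_JS, 'abcdefgh'))   # edcba
    try:
        run_restricted(HOSTILE_JS, 'abcdefgh')
    except Rejected as err:
        print('rejected:', err)
```

The allowlist bounds what the script can reach on the machine; it does not change whether the script being interpreted is free software.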
Someone wants to talk to you about this post. Could I give them your email address so they can talk to you about it?
If you can find it, for sure- although could you then please tell me how you found it? Otherwise, I'm afraid it's not possible to publish my e-mail address (spambots and what not). I'm still happy to discuss whatever is of interest with them, but it would have to be through some other means- potentially (though not necessarily) this forum.
Also, although I'm happy to discuss it, do be aware that I'm not particularly experienced with the issue. My expertise is largely limited to a (barely) functional knowledge of Python and enough time and patience to Ctrl+F and grep through a codebase.
I've sent the address to you. On the other hand, the does make a very good point. For confirmation/future reference, I'll post the address here:
gpast [underscore] panama [at] protonmail [dot] com
Well, I just asked on their IRC channel..
einstein95> What do you mean
RiCON> limbo_: make a page that prints the result from "youtube-dl -J ", done.
einstein95> Have a look at the code and see for yourself
SuperTramp83> einstein95, unfortunately I am not able to do that but I'm interested in finding out if it does. I'd like to know if it is bad for muh freedom..
einstein95> What freedom
einstein95> All it does is run a bit of JS to get the video signature
SuperTramp83> I see. so the answer is yes, it does run some non-free js. tx
einstein95> Nothing worth seriously worrying about
Thanks SuperTramp :)
To get the video signature, huh.
Question remaining is, how does it run that said JS.
30 matches for the word "signature" in that youtube.py.
This isn't easy to understand.
Seems it's also at line 960, 964.
And maybe line 1049, as mentioned by OP.
Thank you for all your help.
So, where do we go from here? Is it possible to view YouTube anymore? Do we need to encourage people not to post YouTube links now?
Possibly, but that hasn't been established here. It's clear that using the YouTube interface provided by Google requires JS, and that youtube-dl uses it, but I'm not sure if that extends to all other video download/viewing tools. There's some mentioned in https://trisquel.info/en/forum/you-cannot-watch-youtube-libre-software-computer: ViewTube and VLC are two worth a look.
>So, where do we go from here? Is it possible to view YouTube anymore? Do we need to encourage people not to post YouTube links now?
In regards to viewing YouTube, it is still possible: see above. As for posting links, that's by corollary not necessarily an incitement to submit to Alphabet Corporation. That said, linking to alternative sources where possible would be ideal. Posting to YT, of course, is strongly advised against, as the cost in privacy and security is a significant one.
So, it is bad.