Harmful effects of non-free JavaScript

andrew
Joined: 04/19/2012

Hi all,

I've read a few topics on non-free JS on the web, as well as a page from
the FSF
(https://www.fsf.org/blogs/community/take-action-for-free-javascript),
so I thought I'd start a topic for the harmful effects of non-free
JavaScript. The main problem at the moment is that many users (e.g.
Slashdot users) aren't convinced of the harmful effects of non-free JS.
I've listed a few of them below, and hopefully others here can add and
contribute to the list. :-)

Tracking

JavaScript can be used to enable some tracking mechanisms, like plugin
and browser feature detection to determine browser uniqueness. Google
and Facebook use non-free JS to do URL switching on some of their
webpages, so that the JS onclick event sends the user to one of their
redirector/tracker URL before going to the real URL (see
http://www.h-online.com/security/news/item/The-trick-behind-camouflaged-links-1828927.html).

Facebook has a "hovercard" feature which uses non-free JS to send an
AJAX notification to Facebook every time a user hovers over someone
else's profile picture. They also have a read receipt feature which
tells Facebook and other users when you have read a private message on
Facebook, based on whether your browser has scrolled to a certain place
in the conversation.

It's possible for a malicious non-free JavaScript to do keylogging (see
http://arstechnica.com/security/2012/12/how-script-kiddies-can-hijack-your-browser-to-steal-your-password/).

Freedom to control your computer (and free culture)

Some websites like YouTube require the use of non-free JavaScript for
accessing videos by default. Many lyrics websites use non-free
JavaScript to stop users from making a private copy of the lyrics of a
song onto their computer. This tramples the right to fair use (or fair
dealing, depending on your country) and opposes the principles of free
culture.

Advertising and annoying/intrusive JavaScripts

Some websites use non-free JavaScript to display intrusive ads on user's
computers when they are browsing the web. Some annoying websites use JS
to break the normal back button behaviour, sometimes by displaying a
message box asking if the user really wants to leave the page. Comcast
uses non-free JavaScript to display copyright alerts to users suspected
of file sharing (see
http://arstechnica.com/tech-policy/2013/02/heres-what-an-actual-six-strikes-copyright-alert-looks-like/).
At least a few of the non-free JavaScript notifications in this news
story prevent users from using webpages until they sign in to confirm
they read the notification (or use HTTPS, to prevent the script from
being injected in the first place).

Accessibility

It would be great if any users with disabilities could comment on
whether non-free JavaScript can prevent them from reading a webpage, and
whether it is possible to write free JavaScripts which have equivalent
functionality and are accessible.

Does anyone have any comments, additions, criticisms, further discussion?

--
Andrew Roffey
OpenPGP fingerprint: F9E6 E6C4 0080 85F4 0E30 B0D9 7F7B DC7F 9657 B073
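A defender-side check for the onclick link switching described above, added here as an illustration (it is not code from the thread or from the linked article): it flags anchors whose onclick handler contains an absolute URL on a different host than the visible href. The HTML sample is constructed, and the regex-based anchor extraction is a simplification so it runs offline in Node.js without a DOM.

```javascript
// Flag "camouflaged" links: the visible href points one way, but the onclick
// handler swaps in a redirector/tracker URL on another host before navigation.
const ANCHOR_RE = /<a\b([^>]*)>/gi;                 // every <a ...> opening tag
const ATTR_RE = /([a-z-]+)\s*=\s*"([^"]*)"/gi;       // double-quoted attributes only
const URL_IN_ONCLICK_RE = /https?:\/\/[^\s'"();]+/i; // first absolute URL in handler text

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Returns one record per anchor whose onclick carries an absolute URL whose
// host differs from the host shown in the href.
function findCamouflagedLinks(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = {};
    for (const a of m[1].matchAll(ATTR_RE)) attrs[a[1].toLowerCase()] = a[2];
    if (!attrs.href || !attrs.onclick) continue;
    const hidden = attrs.onclick.match(URL_IN_ONCLICK_RE);
    if (!hidden) continue;
    const shown = hostOf(attrs.href);
    const real = hostOf(hidden[0]);
    if (shown && real && shown !== real) {
      findings.push({ shown: attrs.href, redirector: hidden[0] });
    }
  }
  return findings;
}

// Constructed sample page: one honest link, one camouflaged link, one onclick
// without any URL in it (a plain "leave page?" prompt).
const SAMPLE_HTML = `
<a href="https://example.org/article">honest link</a>
<a href="https://example.org/article"
   onclick="this.href='https://track.example.net/r?u=https://example.org/article'">camouflaged</a>
<a href="https://example.org/x" onclick="return confirm('leave?')">no url</a>`;

function demo() {
  return findCamouflagedLinks(SAMPLE_HTML);
}
```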

Michał Masłowski
Joined: 05/15/2010
andrew
Joined: 04/19/2012

On 01/06/13 19:56, Michał Masłowski wrote:
> Why wouldn't the same problems occur with free scripts? Disabling
> all JavaScript not on some "trusted" sites that need it would
> solve them. (Although most of these problems can be implemented
> differently to not use JavaScript.)

Yes. I think a better approach is needed than trusting websites to
specify a license themselves. Technical solutions are often better than
legal ones. More on this below...

> I think free JavaScript would be better by allowing users to study
> how it works and modify it, so modified browsers could run their
> replacements instead of the scripts provided by the site or other
> tools could access the same data (e.g. video download scripts).
> (There are more benefits with useful scripts or if the user has
> their own site.)

I agree that this is one approach, and perhaps a good one. I think it is
necessary, but perhaps not a complete solution on its own.

I think that in the case of JavaScript, code signing could potentially
be useful. For example, web browsers could distribute signatures of
verified common JS code (e.g. jQuery), and also allow webpages to
include JS signatures for scripts on the page. A web browser user could
then choose to trust people or groups (like a group dedicated to signing
only free JS) so that only signed JS is run in the browser. JS code
signers could simply not sign malicious scripts, and so browsers with
code verification capabilities could simply ignore those scripts.

> (I'm not a Web developer and I consider the approach of running
> programs from any visited Web site a mistake.)

I do agree.

The other solution is to not use JavaScript. But, although that might be
feasible for myself at the moment, I don't think it's a good solution
for the general population. Too many people rely on JavaScript these days.

--
Andrew Roffey

aloniv
Joined: 01/11/2011

Slightly off topic: it seems that in many cases JavaScript is used when it isn't needed, and thus the resources required to view websites grow. For instance, many TV guides require JavaScript, and only a few do not (such as the Guardian website, which works without JavaScript). Also, 1-click downloaders usually require JavaScript (aside from a few: movreel, billionuploads (usually), 180upload (sometimes, depending on the file)). A basic captcha without requiring JavaScript should suffice (to preserve bandwidth for the website).

quantumgravity
Joined: 04/22/2013

Proprietary Javascript is bad, but in my opinion the situation is quite similar to the BIOS problem: no acceptable solution possible at the moment.
As I learned, LibreJS works inconveniently, NoScript doesn't quite hit the problem, and the FSF campaign is a very good thing, but it aims to change the behaviour of the web developers, so they want to change the whole web.
This will not be achieved tomorrow or in five days.

So what to do by now?
I think using noscript is a good way to embank the problem.
Not a solution, but an improvement of the situation.

onpon4
Joined: 05/30/2012

Part of the problem, I think, is that Javascript programs aren't run the same way other programs are. They are silently downloaded and executed seamlessly, which means there isn't a conscious choice by users to run them. Many users don't even know it's there.

The only acceptable solution is for web browsers to not execute Javascript this way. The browsers need to ask users for every Javascript file, offering to show the source first, and then "install" each script that is accepted locally. This should be by individual script, not by domain like NoScript. If the script changes, the browser should ask again about it, not silently assume that the user accepts it just because a previous version of the same script was accepted.

icarolongo
Joined: 03/26/2011

This is difficult. Some websites have more than 10 JavaScript files. You need to agree or disagree with many dialog windows.

onpon4
Joined: 05/30/2012

Yeah, that's the hugest barrier, but I can't think of any other solution. It's unacceptable for us to just trust web hosts to not give us nonfree Javascript, and automatic detection of whether or not a script is free isn't a solution either even if it does it well (what if the website uses free Javascript, but includes malicious features figuring no one will notice?).

Websites just need to stop using so much Javascript.

Of course, when you have a Javascript file accepted, it should be accepted for all websites by default for better convenience; if you accept jQuery on site A, you probably accept it on all sites.

ssdclickofdeath
Joined: 05/18/2013

Even on trisquel.info, LibreJS says to "COMPLAIN!" about non-free javascript, and I'm sure that any JS on trisquel.info is free.

andrew
Joined: 04/19/2012

On 02/06/13 03:27, name at domain wrote:
> Even on trisquel.info, LibreJS says to "COMPLAIN!" about non-free
> javascript, and I'm sure that any JS on trisquel.info is free.

There is a bug report here:
https://trisquel.info/en/issues/8238

Drupal's JavaScript should be free in theory, but customisations don't
have to be. But the Trisquel website currently doesn't mark its scripts
as free, so LibreJS isn't running them.

> Does thinkpenguin.com contain only free JS?

ThinkPenguin.com seems to use Drupal, so most of it might be free. But
it also uses Google Analytics, which is non-free JavaScript.

--
Andrew Roffey

lembas
Joined: 05/13/2010

>ThinkPenguin.com [...] uses Google Analytics, which is non-free JavaScript.

Now that's a shame, there are many free alternatives available, like Piwik or Open Web Analytics.

ssdclickofdeath
Joined: 05/18/2013

Does thinkpenguin.com contain only free JS?

Spinoza
Joined: 07/07/2013

I thought Trisquel was ONLY Free Software. Why are they using non-free JS in Abrowser ? Or AM I WRONG ??

Dave_Hunt
Joined: 09/19/2011

I don't know where the non-free JS is in abrowser, per-se, but sites you
visit may use non-free script. This code will run in abrowser when the
site in question is being rendered.

akirashinigami
Joined: 02/25/2010

Many websites contain nonfree JavaScript. Abrowser will run this JavaScript code by default, but this code is not provided by Trisquel; it's provided by the websites that host it. Trisquel contains only free software.

onpon4
Joined: 05/30/2012

Trisquel doesn't include nonfree software. A lot of websites, though, silently install Javascript code into your browser. The way it works is the website requests to load a Javascript file and the browser usually loads it transparently, without telling the user what's going on.

Unfortunately, several websites depend on proprietary Javascript code to operate correctly.

The only solution to this problem is to tell the browser to not run the nonfree Javascript code requested by websites. The simplest way is to disable Javascript in the browser itself, but this also disables free Javascript code, so it creates more of a hassle. That leaves LibreJS and NoScript. LibreJS attempts to filter automatically and only run free and trivial code, but it's horribly imperfect and has weird bugs that mess with the browsing experience in other ways. NoScript requires manual work.

So, short answer: if you want to deal with this problem the easy way, either disable Javascript in the web browser or install LibreJS. Just note that many websites will break. If you want better, more fine-tuned control over what Javascript code is allowed to run, use NoScript and start by emptying the whitelist (it whitelists some sites which host nonfree Javascript by default). Unfortunately, there isn't a better solution at this time.

ssdclickofdeath
Joined: 05/18/2013

Why would there be any difference of your computer executing nonfree code (Javascript) or the remote server executing it for you? (PHP and other languages)

andrew
Joined: 04/19/2012

On 09/07/13 08:37, gameboyab wrote:
> Why would there be any difference of your computer executing nonfree
> code (Javascript) or the remote server executing it for you? (PHP and
> other languages)

JavaScript can reveal more about you and your web browser than is
revealed through HTTP.

Andrew.

onpon4
Joined: 05/30/2012

PHP is different because of the way it works. What that does is, when you request a web page from their server, they take that PHP page and execute some code to create an HTML file which is then sent to you. It makes no difference to your freedom what is done to that page; you asked for a page and you got one. It's not unethical for a server to execute code on itself to decide what exactly to send you.

ssdclickofdeath
Joined: 05/18/2013

What about things like a server-side game, or a calculator?
I know that those things are usually done in Javascript, to reduce server load.
Would that just be SAAS?

andrew
Joined: 04/19/2012

On 09/07/13 09:04, gameboyab wrote:
> What about things like a server-side game, or a calculator?
> I know that those things are usually done in Javascript, to reduce
> server load.
> Would that just be SAAS?

Yes, they are examples of SaaS. If it is done in JavaScript, then it is
running on your computer, so you should be able to control that. If the
JavaScript program is using AJAX then it is a software + SaaS combination.

Google Docs and the latest MS Office are both examples of software +
SaaS combinations (the latest MS Office now "integrates" with SkyDrive).

Andrew.

GNUUUU
Joined: 02/22/2011

Nobody answered (https://trisquel.info/en/forum/prism-break-trisquel-and-free-software#comment-36987), so I'm posting it here to see if I'm luckier this time:

Hi, I only browse the internet with JS disabled:

1) Do I still need NoScript? (apparently yes: Java, WebGL, etc.)

2) Because JS is disabled, I end up viewing a lot of pages in No Style mode. The problem is that when I open a link in a new tab it goes back to Basic Page Style. I want that to happen only when I select it again. I searched about:config and the web, but I couldn't find the solution.

Thanks

onpon4
Joined: 05/30/2012

NoScript does things other than disable Javascript, but it's not really all that useful if you have Javascript disabled. WebGL is just a Javascript API, and Java can be disabled in the add-ons manager.

quantumgravity
Joined: 04/22/2013

I recognize that using librejs leads to huge restrictions and breaks many websites.
Can't do my online banking with it, can't use most shops.

andrew
Joined: 04/19/2012

On 09/07/13 19:38, shiretoko wrote:
> I recognize that using librejs leads to huge restrictions and breaks
> many websites.
> Can't do my online banking with it, can't use most shops.

You have a few options with regards to banks:

1. You could use phone banking. You might have freedom that way, but
there is potentially less security this way (no end-to-end encryption
between yourself and the bank).

2. You could try and find out if your bank has a mobile interface that
doesn't rely on JavaScript. I found out that this is the case for one of
the banks I use.

3. You could go old fashioned and see if your bank can send your
statements via mail, and use direct deposits or cheques instead of
electronic banking.

4. You could change banks (which could be inconvenient).

5. If none of the other options, you could do your banking in a separate
browser, through a proxy, with a different user agent string to avoid
connecting your other web browsing to your banking and shopping. It is
not an ideal solution as you are still running non-free JavaScript.

Andrew.

quantumgravity
Joined: 04/22/2013

Thank you very much for your advice. Unfortunately, this is only the tip of the iceberg (hope this expression exists in English).
My experience with LibreJS is that half of the web breaks.
Openstreetmap doesn't work (though one can use Marble; a browser-implemented function would be nice); you can't check out with PayPal; lots of sites for searching apartments or cars etc. don't work.
You can't enter most adult sites (come on, someone has to say it).
I think it's really disastrous for the free software movement that the web evolved this way.

But can we really hope to change the whole web?
And can this be done with a "non-free javascript-complain" button?
The problem with non-free bios seems a small one, compared to this.

lembas
Joined: 05/13/2010

>hope this expression exists in english
It does.

>I think it's really disastrous for the free software movement that the web evolved this way.
Agreed.

>But can we really hope to change the whole web?
We already did it once. When Micro$oft Internet Explorer had 95% share of web browsers we were really, really close to the situation that one could not browse the net with anything else since "webmasters" didn't follow w3c standards but proprietary M$ garbage.

This is a big challenge but it's about time we start to tackle it. It's only consistent with our principles of software freedom.