Why comes Abrowser without Noscript / Librejs?
- Inicie sesión o regístrese para enviar comentarios
Hello,
since Abrowser is the default webbrowser in trisquel, it should not execute tons of proprietary programs by default.
I think it's absolutely necessary for a free distribution to provide its standard browser with librejs or noscript.
The best solution would be noscript and a few free-javascript-only sites on the whitelist.
The page www.openweathermap.org for example provides almost only free javascript if noscript just allows the scripts from openweathermap.org, jquery.com and openlayer.com;
the google-crap gets blocked.
A few small pieces of unlicensed javascript code remain, but perhaps they can be considered as trivial.
LibreJS would not offer the possibility to use this site in freedom, though it's possible.
So what do you think?
A unchanged version of firefox with librejs is, in my opinion, less harmful than abrowser without any protection from non-free javascript.
First one recommends proprietary programs, second one executes them silently without anyone knowing!
I'm guessing NoScript and/or LibreJS aren't installed by default since they are not "newbie friendly". If Trisquel wishes to prevent loading non-free code it should also not provide Gnash which (usually) requires non-free ActionScript.
Simple reason is because that would break the vast majority of websites by default. NoScript is a poweruser / control freak utility, and forcing it down the throat of new users seems like a rather unhelpful move. =x
More to the point, I fail to see the difference between JavaScript regular ol' HTML and CSS. End of the day, it's just a language being interpreted by the browser. Should we also refuse rendering web pages if they don't have the proper freedom wrappers or if they're "nontrivial"?
> Simple reason is because that would break the vast majority of websites by default. NoScript is a poweruser / control freak utility, and forcing it down the throat of new users seems like a rather unhelpful move. =x
Well then, why not add some proprietary blobs to trisquel. Otherwise, many hardware won't be supported, and this will certainly be a rather unhelpful move because newbies are frightend?
I don't think this is a good argument.
> More to the point, I fail to see the difference between JavaScript regular ol' HTML and CSS.
You're wrong.
Html is just a markup language; Your browser reads the code and "paints" the website. "Display a table here, make this border white etc..".
Javascript is a script language. The browser loads the program on your disc, and your pc starts *executing*.
Technically, html and javascript are definitely not the same.
The difference is that blobs is an nasty security risk as there is no real way to know what they're doing.
JavaScript (in theory, mind) is an interpreted scripting langauge sandboxed by the browser.
Admittedly you can obfuscate it quite a bit, but that holds true for any code, free or otherwise, and it's still just source code you can look at to figure out what it does.
Of course, if you're coming at this from an all or nothing "software ethics" viewpoint, that's another matter, and I personally can't get particularly worked up about that, nor do I think being that heavy-handed with new users is in any way productive.
Yes, HTML is a markup language. It's a document. And according to Stallman, any "work", textual or otherwise, that is used for a practical job should be free.
So maybe you should develop a libreHTML plugin that checks if online manpages or instructions on a forum or some other form of how-to or manual is properly licensed?
Honestly now, at some point this just gets downright silly and you might as well not use the web at all.
Hell, without JavaScript most of it is unusable anyway.
Since, Java Script, as you say, plays in the sandbox, What are some
potentially destructive things it could do if left running?
> Yes, HTML is a markup language. It's a document. And according to Stallman, any "work", textual or otherwise, that is used for a practical job should be free.
That's the point with pure html: you're not doing any practical work with it.
You're just looking at it, like at a picture or a book.
Javascript does practical work.
No need for LibreHMTL.
Of course Javascript in the browser can't be just as harmful as a binary blob, I agree with you on that.
But I don't think non-free javascript is just an issue for the "special freedom geeks";
The free software movement is not just about protecting users from maleware.
It includes a different issue, and sometimes we have to talk about principles.
I don't want any huge javascript program to be executed on my pc;
look at all the websites.
They're overloaded with unnecessary and obfuscated jscode from advertising sites or google.
Owner of websites treat people like dirt, saying: swallow this and this and execute it on your pc; don't ask what it's actually doing.
This is not ethical, and we must refuse to use it.
I don't want any newbie being shocked by a broken non-js web experience, just like you.
But what I wrote above is not what I expect to happen when running a 100% free system.
It's not what I call using my pc in freedom.
If we work together and create a whitelist for the most important pages, things aren't so bad;
"Most of the web is unusable without javascript" is exaggerated and talking about non-free javascript, it is much exaggerated.
Oh sure you are. HTML = Structured textual content, key word being "content". A textbook or a manual can be written in HTML, and you use that for a practical job.
This is more or less semantics though, and obviously I agree there's no need for libreHTML.
Well, in an ideal software world I'd agree, but the simple fact is the world isn't all that ideal, and at some point ones has to compromise.
For instance, most of us agree that a non-free bios is an acceptable compromise in a computer, maybe partly because the BIOS is an old relic that can't really do too awful much. In contrast to, say, UEFI or Intel vPro, which I think we can all agree to avoid like the plague.
That said, of course I agree with the principle, and I personally use NoScript for that exact purpose, and I would advise any power user to do the same, but that's a whole other thing from making it the default for everyone.
As an example, when I set up the browser for grandma, it was JavaScript and cookies enabled, and gnash and java disabled, along with adblock.
Which to me seems like a reasonable compromise for maintaining functionality, at least for now.
Maybe I'd do this differently if there was a good whitelist-based solution out there.
> Oh sure you are. HTML = Structured textual content, key word being "content". A textbook or a manual can be written in HTML, and you use that for a practical job.
Well then the *content* of this textbook has to be free, not html which is just about the layout.
If I make a site where I tell people about my secret ninja technique, this information should be free.
It doesn't matter if my html file containing beautiful tables and borders isn't free.
I think you misunderstood stallman in this point.
He says the practical information has to be free, not the way it is arranged (and this is the only thing html does, arranging), and I agree with him.
Not quite sure I agree with that, as the HTML by strict definition IS the content of the web, or in a looser sense a superset consisting of the content coupled with the metaphorical glue needed to render it properly.
Maybe this is a good place to make a linking exception joke. =P
But think that's enough semantics for one day, long as we can all agree that silly cat videos are purely artistic works that have no need to be free I suppose it's all good. xD
HTML does not include the Web. It is a markup language. Period. The content of the Web pages a user visits is not Trisquel's business. Trisquel aims to provide an operating system where the user would never accidentally run or be invited to run proprietary software. That means, in particular, that the user enjoys freedom 0: "the freedom to run the program, for any purpose". When the program is a Web browser, the user must therefore be free to read whatever she wishes to. Including proprietary manuals. In the same way, Trisquel should not (and does not) implement technologies that aim at preventing the user from running proprietary software. Those would be DRMs! And no, that is not in contradiction "with providing an operating system where the user would never accidentally run or be invited to run proprietary software".
JavaScript scripts are not content. They are programs that are executed on the computer of the user (not on the Web server). When such a script is obfuscated, it is proprietary software. Indeed, among the four freedoms defining a free software, the freedoms 1 and 3 require an access to the source code and having an access to an obfuscated code is, for the practical matter of exercising freedoms 1 and 3, the same as not having access to the source code.
Unlike the BIOS/EFI, it definitely is possible to use, today, a computer (and the Web) without executing obfuscated JavaScript. Like all proprietary software, Trisquel should prevent the user from accidentally running it (but not technically prevent her to do so).
LibreJS looks like the right solution. Unfortunately, it is far from perfect and frequently goes in the way of reading Web pages with non-obfuscated JavaScript (which is not problematic). I am not not sure whether that significant issue makes LibreJS worse than the problem it solves. Indeed, LibreJS could discourage many users who want an operating system that is not only free but also usable.
Here's an idea I had reading your post: what if there was an extension which, instead of automatically blocking all scripts, simply informed the user of the problem of proprietary Javascript (including a mention that not accepting the code may break the page), asked if scripts should be allowed for the page or not with a checkbox to remember the decision, and suggested installing NoScript for more fine-tuned control? This would at least prevent people from accidentally running nonfree Javascript without knowing that that they're doing it without giving the appearance that Trisquel is "broken". It would also help raise awareness about the problem, even if most people choose to allow all Javascript code.
Sounds like a good idea, but most important is the possibility to allow/block particular scripts.
With this, many websites can be used without running nonfree js.
Web pages use much free javascript, this is not the problem.
But almost no site uses free javascript only, so we have to choose manually.
>non-obfuscated JavaScript (which is not problematic)
Maybe I'm reading this wrong but JavaScript is problematic unless it comes with a free license.
I don't know enough about obfuscation or JavaScript to compare a freely licensed obfuscated JavaScript to a freely licensed binary blob (which certainly is non-free).
And then there's the question whether minification is obfuscation as many pages come with huge scripts these days, JS might be bigger than even the image or style sheet content on some pages.
> Maybe I'm reading this wrong but JavaScript is problematic unless it comes with a free license.
Yes, I agree.
Non-obfuscated, non-free javascript is better than obfuscated one, but it's not enough.
> And then there's the question whether minification is obfuscation as many pages come with huge scripts these days, JS might be bigger than even the image or style sheet content on some pages.
Minification is no problem, as long as the JS file contains a link to a readable, well licenced code.
There remains the problem whether this is really the code I execute or not.
In my opinion, there must be explained how the code was converted, so that people can at least theoretically check if it's true or not.
This is necessary because we don't have the possibility to "compile" the code ourselves and run our own compiled version, like we can do with normal programs.
You two (lembas and quantumgravity) are perfectly right: the non-trivial scripts *must* be distributed under a free software license. And yes, the minimization step, if it exists, should be documented.
..Never said it did. Merely that it was used for web content.
And yes, yes, agree with the rest of your post, except that you CAN use a computer with a free bios, but generally that involves too many compromises for most people. Much like you CAN browse the web without javascript and you CAN run your own mail server and you CAN refuse to carry a cell phone, and so on and so forth, but the simple fact is that 99% of users won't do any of that, and making libreJS a default won't help them adopt free software.
Of course, considering Trisquel by default has gnash and *insert expletive here* JAVA plugins in the browser.. Pretty sure they should be bigger worries than some chunks of obfuscated javascript.
Agreed!
If Abrowser should come with noscript, it should be in "allow all" mode, so that it would only protect against cross-site attacks and such.
Now, of course, as I have said before in the forum, I don't have gnash or anything running, I prefer to use the bare minimum, but it was my choice, not something forced down my throat.
This is a complex situation, but it also seems to me that we have a discrepancy here between Trisquel's goals, as I understand them, and what happens in practice. As I understand Trisquel's purpose, the goal is to provide an OS that doesn't contain nonfree code, and never recommends any nonfree code, the ultimate goal being that you never execute any nonfree code unless you explicitely installed something out of Trisquel's control (some source code grabbed somewhere, some deb, some ppa...). However, currently, when you browse the web, you may end up executing a bunch of nonfree code (swf through gnash, nonfree javascript...), through no explicit decision of yours, besides entering an URL. Maybe it would be more consistent to disable gnash by default, and provide NoScript or LibreJS by default, so that executing nonfree code requires an explicit and conscious decision from the user? I am aware that this will break some websites, and people may end up whitelisting a bunch of stuff anyway, but isn't the purpose of this OS precisely to make people aware of where nonfree code lurks, and to block it by default?
As for myself, I currently use NoScript and whitelist the bare minimum. I am not very satisfied by this situation but it's the only way today to be able to access the content of certain sites.
Well put oysterboy.
I suggest that anybody who hasn't tried NoScript tries it right now.
A problem with that, is that NoScript actually blocks ALL javascript, free or not. And LibreJS is.... quite bad at knowing if Javascript is free or not. Basically it looks at the license, and in a unique way, so if you made free javascritp and didn't write it properly, LibreJS will block it.
So.... yeah, install NoScript but in allow all mode. Still gives you extra protection, and doesn't break the web ;)
>So.... yeah, install NoScript but in allow all mode.
I don't think this makes too much sense. The whole idea is to cherry pick.
> A problem with that, is that NoScript actually blocks ALL javascript, free or not.
Yeah, but this is only half of the truth.
Many websites use javascript from another url; like googleanalytics or jquery.
With noscript, you have the chance to allow websites that are ok and block this "external javascript" if it's non-free.
So it allows you a very restricted kind of "fine tuning".
LibreJS recognizes almost no free javascript at the moment and just provides the possibility to whitelist entire websites with every external url.
Does anyone know how to browse the javascript files (like it's possible with LibreJS) if noscript is installed?
The "debugger" of icecat doesn't show any javascript file if noscript is active; I have to disable it first and run the code before I check it, which is not what I want to do.
If you pull up the page html source, doesn't it have the links to the .js files in it? Just look for the text/javascript tags. =x
Oh well I'm a bit lazy you know ;)
Sounds like a lot of searching + copy and paste...
Another recommended add-on is RequestPolicy, which lets the user control cross-site requests. This is a good way to block access for example to Facebook.
Thanks for the suggestion. I'd been eyeing this and similar extensions before but only now I went ahead and installed RequestPolicy which seems excellent!
It's like getting to put gloves on when sorting through a giant smelly pile of garbage!
Hey guys, this prompted me to install librejs, but some of the sites I like to browse (math.stackexchange.com, reddit, 4chan) have trouble with it in various ways. Is there any big list of valid exceptions for librejs?
I've found that I can no longer look at maps on OpenStreetMap.org after installing LibreJS, even when I disable it on that domain. As soon as I remove LibreJS from Abrowser add-ons, the maps load again.
- Inicie sesión o regístrese para enviar comentarios