A repository for Free Javascript?
- Vous devez vous identifier ou créer un compte pour écrire des commentaires
I really like LibreJS, and I like how it's allowing web developers a coherent way to free their javascript. I also feel much more secure running LibreJS, as it disallows nonfree javascript from running on my machine.
But even if a web developer conformed perfectly to the protocol of LibreJS and freed their javascript, it would still be trivially easy to insert malicious code into the javascript, and many users of LibreJS could still become the victims of malicious javascript code.
This is why I believe there should be a large repository of Free Javascript that web developers can borrow from.
For example, there is a ton of free software available for Trisquel users to install, but only a subset of that is available in the Trisquel repository. I, for one, almost exlusively install software from the Trisquel repository. And I'm extremely reluctant to install software that isn't, even if it *is* free software. I feel that once a program has made it into the Trisquel repository the likelihood of intentionally malicious code being inserted into a program becomes nearly nonexistant. It's also, likely, withstood the test of time to make it in the repo.
But there is plenty of alpha free software out there that isn't in the Trisquel repo. And that is considerably less secure. That is my analogy of javascript on websites. Even if it does conform to LibreJS it is still potentially highly insecure.
If there were a repository of free javascript and a corresponding browser extension that *only* loaded javascript that were in the repository, then we would have the added benefit of running javascript that is not only free, but also much more secure.
Thoughts?
I've also suggested this in the past,[1] and I agree completely.
Can't these programs be hosted on Savannah?
You basically want a CDN like cdnjs.com and jsDelivr, but hosting free/libre software only? The problem is that hosting files locally, instead of using a CDN, usually delivers best performance and privacy (as there are less DNS requests). If you want people to use your CDN, you also need to deliver great performance.
Note that both of the CDNs I mentionned host almost exclusively free/libre software, as most CSS/JavaScript libraries use the MIT/Expat or Apache licenses. There are notable exceptions though, like Highcharts and Highstock which use CC BY-NC-SA.
As a developer who uses JavaScript in the web, I'm curious why people think it's insecure? Can you tell me what features of JavaScript are insecure and how can one make malicious code with JavaScript run in a browser?
Web JavaScript code isn't like any other software you install on you computer, because it runs in a very restricted environment.
If there are known security issues concerning JavaScript running in a browser, then those issues should definitely be fixed on the side of the browser. Even if a web JavaScript is licensed as free software, that in no way insures it's secure and non-malicious.
As I browse the web most things I see done with JavaScript are very trivial and specific to that site. It doesn't seem useful to put everything in repository because there are too many scripts and most of them are very specific to one website. Non-trivial JavaScript code is used mostly in sites which offer SaaSS and those shouldn't be used anyway.
It seems to me that most people who worry about insecure web JavaScript are people who don't actually know how it works and what it does. Am I wrong?
That said, I think everything should be licensed as free software and compatible with LibreJS, even if trivial. Because, why hoard the code? Someone may find it useful.
On another note, what *Calinou* suggests is much worse than local non-free JavaScript, since all visitors will be tracked by a third party. Just like Google is doing in almost all sites right now. Connecting to third party sites is very bad for privacy, even if it's just images and CSS, but almost all sites are doing it, even FSF sites.
> As a developer who uses JavaScript in the web, I'm curious why people think it's insecure? Can you tell me what features of JavaScript are insecure and how can one make malicious code with JavaScript run in a browser?
Here's something https://noscript.net/faq#qa1_10 and here's some more https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/
> If there are known security issues concerning JavaScript running in a browser, then those issues should definitely be fixed on the side of the browser.
It's the unknown vulnerabilities that are the real problem.
Well, not just a scripting language engines, but every online connecting program may possible be exploited to do something malicious, like escalating privileges. Things like cross-side scripting are disabled in any normal web browser, because they are know to be malicious.
The Mozilla's list of known vulnerabilities contains non-JavaScript things too.
I guess my point is, web JavaScript isn't inherently malicious, bad or insecure by design. It's just that browser developers may make mistakes or not be conscious enough about privacy, and this affects non-JavaScript not any less.
If there are known dangerous vulnerabilities with Mozilla's JavaScript engine, then I guess the only reasonable thing to do is to disable JavaScript for all sites - no exceptions. Again, things that should be fixed on the side of browsers.
> how can one make malicious code with JavaScript run in a browser?
JavaScript is a programming language, so of course it's possible to do something malicious with it. You can only limit the capabilities of a language so much before you start hindering its usefulness.
Fingerprinting is the most prominent example. Much of the Tor Browser Bundle's countermeasures against fingerprinting involve blocking certain JavaScript functionalities.
Also, JavaScript can be used to implement digital restriction mechanisms in various ways. I've encountered one example: a certain website I used to visit does things to stop people from using ad blockers. It does this by deleting the page's content if an ad blocker is detected. Recently, it went even further by requiring use of JavaScript to access the page, making the restriction mechanism more effective. I'm sure there are other examples of digital restriction mechanisms implemented with JavaScript.
I think I've heard somewhere that JavaScript is also used somehow to infect Windows machines with malware, but I never investigated that one and don't know if it's true.
> Even if a web JavaScript is licensed as free software, that in no way insures it's secure and non-malicious.
That's exactly why LibreJS's approach of license tags doesn't provide any meaningful guarantees. ;)
> As I browse the web most things I see done with JavaScript are very trivial and specific to that site. It doesn't seem useful to put everything in repository because there are too many scripts and most of them are very specific to one website.
I agree it's a lot of work, but so is convincing every Web developer to start conforming to LibreJS's license tags. And besides, this way it would be possible to actually replace proprietary scripts ourselves.
By the way, if a script truly is trivial (like setting an attribute, or perhaps whatever LibreJS defines as "trivial"), then there's no need to include it in a repository, and the browser should probably just allow all of these scripts to be executed by default (but still allow the user to block them by default, and override the default behavior in specific cases). But most websites don't only use such trivial code.
> Non-trivial JavaScript code is used mostly in sites which offer SaaSS and those shouldn't be used anyway.
You mean like Diaspora, Friendica, YouTube, Google Maps, Quitter (GNU Social), and Reddit?
I don't know, none of these are SaaSS, and I don't think all the JavaScript on these sites is trivial.
> Diaspora, Friendica, YouTube, Google Maps, Quitter (GNU Social), and Reddit?
Yes, apart from Google Maps, the use of JavaScript seem trivial and generic. They mostly use JavaScript just to load text using XMLHttpRequest() and put it on a page (comments, posts, etc.).
An Google Maps is definitely SaaSS! Why do I need to be constantly online and be telling Google everything, where I am and want go, so it can give me a map or calculate a route? This is something that my computer should be able to do too, offline, with a non-web program and a file of maps of cities I care for.
> I agree it's a lot of work, but so is convincing every Web developer to start conforming to LibreJS's license tags. And besides, this way it would be possible to actually replace proprietary scripts ourselves.
I just don't understand the usefulness of this - are people going to audit all the JavaScript on the web? Even keeping in mind that sites constantly update their scripts?
> JavaScript is a programming language, so of course it's possible to do something malicious with it. You can only limit the capabilities of a language so much before you start hindering its usefulness.
Well, I didn't mean "malicious" in this sense, as your example about the ads. You can easily ruin your site for your visitors without JavaScript too, as your example shows. :)
By "malicious", I mean doing things outside of making your own website suck, like taking private information of a your visitors' computers, making them send information to other sites on your behalf, or infecting computers.
> Fingerprinting is the most prominent example. Much of the Tor Browser Bundle's countermeasures against fingerprinting involve blocking certain JavaScript functionalities.
To be honest, I'm not very familiar with this issue. Maybe it has something with the other cookie-like capabilities JavaScript provides? If there are such issues, browsers should fix those.
There's some useful info on fingerprinting here: https://panopticlick.eff.org/
I'm a fan of https://cdnjs.com
But all your visitor will need to connect to cdnjs.com when they visit your site. In effect, cdnjs.com can spy the web, because their goal is many sites to use their service and hence visitors of various websites to visit cdnjs.com too. It's the same thing as Google's Analytics/Maps/reCAPTCHA/jQuery/YouTube/etc., Facebook's like buttons/comments/etc., and many others.
Doesn't anyone else see this as a big problem for privacy? How can you care about privacy on the web and think this is a good idea?
This is one of the reasons why the Expires header is used (for libraries
on CDNs, not tracking scripts/images): the CDN knows that you downloaded
the library, with one referer per year, the browser doesn't contact them
if you visit another page using the same library. If enough sites that
you use link to their copy of the library (same version, same library),
then this isn't a very useful fact about you.
I think the worstcase latency/reliability is a bigger issue with such
CDNs.
That seems better, but still a problem for privacy. For various reasons, like:
How can I differentiate between sites who will give a long Expires header, between those who don't.
I browse the web with the RequestPolicy plugin, so I don't have to constantly tell everyone what sites I visit, if I don't explicitly permit that. CDN services like this are real hindrance when you need privacy and browse in this way.
Sometimes I browse in private mode and there Expires headers aren't remembered between sessions, if I'm correct.
Just upload the script on your server, please. Especially if you think users are going to download the script once an year, like you suggest, then this wouldn't cost you anything.
- Vous devez vous identifier ou créer un compte pour écrire des commentaires