Why does it take several whitelisting and reloads to whitelist all JS in LibreJS?

15 respostas [Última entrada]
panties
Desconectado
Joined: 02/02/2021

I'm in the process of creating a Protonmail account on Torbrowser and Abrowser.
I have asked Protonmail why they don't support LibreJS, but they replied that it is not a problem since they have published all the JavaScripts they use on Github.

Apart from that, this doesn't just happen on the Protonmail site, but first a page is loaded and the number of blocked JS is displayed on the LibreJS icon.
Click on the "WhiteList" button at the top and reload the page. In most cases, this single action will allow you to view the page with little or no interference.

However, occasionally, after whitelisting and reloading, some JS will be blocked anew. These are not whitelisted even after pressing the "whitelist button" and reloading again.
So you have to click the "whitelist" button of each blocked script one by one.
In the past, all JS were whitelisted after repeating this process a couple of times, but for this Protonmail account creation page, no matter how many times I try, the JS that I need to whitelist appears every time. And because of this, I can't proceed with the account creation.

First, what is the reason I have to whitelist and reload several times sometimes?

Also, this time I can't whitelist all JS on Protonmail website, what is the cause of this?

Is there any problem in completing the account creation only on their .onion site?

https://mail.protonmail.com/create/new?language=en

andyprough
Desconectado
Joined: 02/12/2015

If you are just whitelisting most js that you run into, then you are defeating the purpose of the extension and there's no reason to use Librejs. Use noscript instead. It will work perfectly with Protonmail.

panties
Desconectado
Joined: 02/02/2021

Come to think of it, I've wondered a few times why a website is working properly when Noscript is turned on. It's installed by default on TorBrowser.
Protonmail website worked after I turned off Librejs, even though Noscript was turned on. But they asked for the "ARE YOU HUMAN?" on the way, either by providing credit card information or the mobile phone number, so I quit creating an account.
Why the website worked with Noscript? I had had the impression that Noscript was stricter than Librejs. It anyway blocks all JavaScript was my understanding.
And why whitelisting JS of their website with Librejs did not work despite while Librejs allows JavaScript that is free and/or trivial?

andyprough
Desconectado
Joined: 02/12/2015

Neither noscript nor Librejs is blocking all js - they are both allowing some js that they deem to be safe. But they work in different ways. So, some websites will work better with noscript than they do with Librejs.

My point is that if you are just going from website to website and whitelisting everything to get it to work with Librejs, that's not really what Librejs is for. You should consider removing it from the browser and replacing it with noscript. If you actually want to work with as much libre js as possible, then by all means keep using Librejs.

panties
Desconectado
Joined: 02/02/2021

So that is a question "Why do I block JS from the beginning?". I'm basically trying to block JS because I think I understand why I want to do it at least a little bit, but unless I can read source codes and understand what each JS does, or at least the page MB linked to (which I guess it is something like a taxonomy of common types of JavaScript), I can't tell someone exactly why to block JS. Unless you understand all the undesirable behavior, you can't tell someone exactly why you're blocking JS. In the end, unless you understand the source code, won't you end up "blocking JS for some reason"?
It seems that antiX installs the uBlock Origin in the Abrowser by default, why did you choose to use this?

koszkonutek
Desconectado
Joined: 03/19/2020

There was one good "uMatrix development ended" thread where LibreJS (with its fatal flaws) was discussed thoroughly. Unfortunately, it's gone. Instead, I am going to paste an email I sent as part of my conversation with RMS. To understand it you'll need to guess some things from context.

*** PASTED EMAIL ***

> > What's the point of still using and recommending LibreJS?
>
> To avoid running nonfree JS code sent by sites.
> The same as ever.

Well, true. But NoScript or uBlock can achieve the same.

> and it fails to block scripts from file:// and
> > possibly also from ftp://.
>
> I don't understand. What scenario are you talking about? What goes
> wrong?
If one saves a page to disk (in IceCat and other FF derivatives it can
be done by right-clicking and selecting "Save Page As...") to, say,
/tmp/my_downloaded_pages/page.html
and then enters in the browser's url bar a link like
file:///tmp/my_downloaded_pages/page.html
browser will open the page offline and - despite LibreJS being enabled -
will happily execute the javascript that was saved together with the
page. Same goes for "pages" accessed via ftp protocol instead of
http(s). Other extensions like NoScript are more thorough in this matter
and also success in blocking scripts from those sources. It's not the
fundamental flaw of LibreJS, but a surprising one, given this
extension's goals and that NoScript author was once contracted to work
on it...

> > The ideas
> > behind it are flawed
>
> Not totally.
>
> [...]
>
> Why not call for making extensions,
> that make
> > sites function with, say, NoScript?
>
> Because I want LibreJS for all the other unknown sites.

The idea is to allow scripts with free license and block the rest. But
current state of technology does not yet allow for "freeness" to be
verified automatically. LibreJS' strategy to judge scripts based on a
license notice fails when someone takes a MIT-licensed js library,
modifies it and serves a minified version of the modified lib on their
site. OK, we could theoretically and with great effort cope with that by
always (for minified scripts) checking, whether a non-minified version
is available and then verifying, that it corresponds to the minified
version we were served. That would of course require the minification
process to be reproducible, because verification of programs equivalence
is not solvable in general. At that point it would already be more
efficient to just execute the non-minified version we found.

So, we already decided, that we have to reject all minified scripts. But
how do we decide whether a script is minified or not? I don't think this
can be reliably done by a program yet.

What else? The fact, that bypassing LibreJS' countermeasures - if the
extension ever gets popular enough for it to be worth doing - would be
trivial for a malicious website. The site could just put a GPL license
string on an arbitrary piece of malicious js just to get it executed on
one's computer. It would be breaking the law - but we can't assume, that
all our enemies play by the rules.

Additionally, a website could be mining crypto in users' browsers using
fully free js. Even when that's not illegal, we still want to be able to
block the miner, don't we?

Also, executing all free scripts from unknown sites is still a bad idea.
Let's assume we have a GNU/Linux distro, that allows everyone who owns a
domain name to add packages to it. Without any human verification. Would
it be a secure distro? Would You like to use it? Would FSF recommend
such distro? That's more or less what LibreJS is doing right now, with
the exception that sandbox makes it a little more secure... But having
in mind Meltdown and Spectre we shouldn't rely on that anyway.

Last but not least, I don't remember ever stumbling upon a site, that
would not work with NoScript but would start working with LibreJS. I
did, however, see may sites that use fully free js (mostly public
instances of libre platforms like ethercalc or jitsi meet) that is not
recognized by LibreJS. In that case I would just whitelist those in
NoScript just as I would in LibreJS.

Some of those examples above were given by a user under nick "chaosmonk"
on Trisquel forum one day. That thread is unfortunately no longer there,
so I just paraphrased it from memory. One could argue that LibreJS is
just a temporary solution but I don't consider it good enough even for that.

> > Writing an extension for each site does help a bit (unlike LibreJS,
> > which doesn't help at all) and might be worth calling for, but it's
> > still only a temporary solution, that scales *very* badly.
>
> It's better than nothing, and I don't know of a better idea.
In my previous email I linked one of my topics on Trisquel forum where I
thoroughly described the situation and issues we have and I called for
developing a *single* extension that would allow replacement javascript
to be specified for sites without all the hussle of creating a new
extension for each. It would also be more convenient for users. Later,
we could make the extension able to automatically download replacements
from a repository. That would then be very similar to our usual way of
distributing software in distros. But yet another side-goal is to get
on-board all the hackers who don't care about software freedom as much
as to disable all nonfree js but who nevertheless don't like what web
has become and use ad-blocking and spyware-blocking extensions. If we
make the thing attractive to that kind of people, that will get us more
contributions. Unfortunately, I received no support on the forum.
Eventually, I will probably come up with such extension myself but the
issue is so important that there really should be more effort put into it.

panties
Desconectado
Joined: 02/02/2021

I think I may have understood the situation a little bit.
Why do you personally try to block JavaScript in the first place?
I'm disabling it because I don't know what IntelME is doing, and the problem with JavaScript seems to be essentially the same, but there seems to be a big difference between what IntelME can do and what JS can do, so I'm not willing to put that much effort into blocking JS.
But it seems that you are taking the JS issues very seriously.
Of course I have read this article, just a few times though.

https://www.gnu.org/philosophy/javascript-trap.html

Maybe I should ask the purpose of each and every JS for each and every website, not you. But, for example, I have emailed this question to my country's meteorological agency. Of course, it's a state agency and they are budgeted by tax. On the weather forecast page, LibreJS blocks 48 JS (and they use one Google tracker). I demanded an explanation because I think, as a citizen, I am entitled to get an explanation of the purpose of each and every one of these JS, but they ignored my email. If you don't turn on JS, you can't even see the weather forecast.
I also used to use a wave information site called BC. I have now cancelled the subscription, but I have demanded to them too that they explain what the purpose of each and every JS they use is. They refused to do so, bringing up company secrets or something. So I have no choice but to ask someone like you who seems to take the JS issue seriously. Can you share what your reasons are for blocking JS or what their reasons are for using or wanting to use JS?
If the answer is included in above your post, sorry, I do not really understand it.

koszkonutek
Desconectado
Joined: 03/19/2020

Software freedom is my main motive, really. Reading your post I have no reason to think you misunderstood any part of what I wrote.

Sure, there are other issues here like privacy and security (most browser vulnerabilities rely on js). We can and should use them as additional arguments for convincing ppl js is a problem. Still, for me - nonfreeness of some of the js is the main issue.

Perhaps what makes me treat it so seriously is that I see matters getting worse over time - with more and more sites requiring js and no one doing anything sensible about it.

As to websites that require js - yes, there are many. In some cases it is possible to bypass js by modifying the DOM using in-browser debugging tools. In other cases I just don't access a website. Just as you I sometimes write complaint emails which mostly go ignored or misunderstood.

Some of their reasons for using js:
1. Website owners/devs have no idea it can be bad. They have grown up not realizing the nonfreeness and that it's bad.
2. Too few of those few who care complain to site owners.
3. These problems are not being talked about in the public.
4. Website owners (who know nothing about www technologies) are often given crappy solutions by web devs they hire.
5. Making interactive elements like pop-ups with just HTML+CSS is not a popular enough approach. Perhaps CSS3 arrived too late to save us? Or maybe doing it with js is just more convenient for developers?
6. Fashion. Devs do clutter with js just because it's fashionable or because the can and they think it's cool. And they often not realize the capabilities of CSS3.
7. There are too few ppl disabling js nowadays for website owners and framework creators to care about them.
8. Security by obscurity is unfortunately still being practiced ;_;
9. Website creators prefer to avoid additional work related to testing with scripts disabled or freeing the js.
10. Some functionalities do require js. In many cases these functionalities can technically be achieved with free js, but website owners and web devs don't understand freedom issues or just don't care.
11. Integration with someone else's servers (Google for ads, Stripe for payments, etc.) is where it is impossible to use free js. Even website owners/creators who care a bit will often not care enough to drop a functionality important to their business.

I think making people realize the js nonfreeness problem is a big issue of its own, maybe even bigger than just making web usable with free software. That's why I think we should keep on writing complaints, even if they go misunderstood.

In case you are interested how I manage to avoid all the js, I've been making money transfers at post office for over 2 years now to avoid bank's nonfree js. Also, I've been refusing to use MS Teams or Webex for 2 semesters of remote studying and succeeded by politely asking professors to let me pass without these. And recently I got one reseller of Pine64 devices to allow me to make an order via email instead of using the web interface of their store.

It's still hard, though. That's why we need the facility I wrote about here: https://trisquel.info/en/forum/software-freedom-movement-challenge-javascript-trap

panties
Desconectado
Joined: 02/02/2021

I see. Thank you for the details.
However, I have a vague idea of the big picture, but what I want to know for now is why websites want to use JS.

You write that:

> 11. Integration with someone else's servers (Google for ads, Stripe for payments, etc.) is where it is impossible to use free js. Even website owners/creators who care a bit will often not care enough to drop a functionality important to their business.

and

> I think the problem is that webmasters, as well as the rest of society, don't realize and/or don't care about nonfree js. If you think about it - most organizations/individuals would not lose a penny if they put a free license on their javascript (+ provided unobfuscated version of it). But they won't do so, because they're afraid, they don't see the need to or they simply don't know they should.

These two things seem to be in conflict.
It is my feeling after reading your posts that in many cases JS is being used on sites due to ignorance of the website owner/creater.
But if they can make a profit by e.g. using Google's servers to serve ads, doesn't using free JS mean dollars loss for them?

I have had thought their reason for using JS would be economic. If they don't lose a penny by using free JS as you say, then I might be able to convince them without being misunderstood. But if there is a financial loss, it would be difficult to do so, so sending an email would be almost futile.
Or, I have had thought that if they are collecting personal information in a 'personally identifiable' form, there is a risk of lawsuits for site operators who profess to collect information in a 'non-personally identifiable' form. I feel that reading JS is barely not illegal from your posts, though.

Thanks to you, I will be able to tell someone why I block JS much more convincingly than before.
You seem to have your priorities set on the big picture, but personally, security is my main concern, and since the security of my devices is much more important to me than of the general public.
I mean, my current main interest is, being thoroughly aware of "any" financial or business unfavorable losses (e.g. relationship with third parties) they may incur by replacing JS with free ones (or CMM3?).

koszkonutek
Desconectado
Joined: 03/19/2020

> These two things seem to be in conflict.

They aren't. I'm just referring to 2 separate cases.

1. When problematic js is responsible for interaction with, say, Google - in such case only Google has source code for the ad-loading and spying scripts. Fortunately, this mostly concerns ads. Other parts of a website could still be functional without without Google's js. In such case it is still bad, because many users will unknowingly run this js when visiting the website - and at the same time it does not really harm those determined to block nonfree js.

2. When website itself is built in a way it heavily relies on javascript. In this case site's owner/dev often has the original, unobfuscated js and it is up to them to release it under a free license.

In my sentence, "most organizations/individuals would not lose a penny if they put a free license on their javascript", what might be wrong is at most the word "most". That is my personal estimate, based on what I see. One could undertake a research to verify to what % of websites this "most" amounts to.

> I feel that reading JS is barely not illegal from
> your posts, though

Reading it in the way it is served is not illegal. Unobfuscating it with a program like prettify-js could be, here, in Europe.
Analysing network traffic this js generates should be legally safe, though.
I am basing these claims on what I learned at one university course. There might, however, be some varying opinions, even among ppl who work with these things.

> [...] they may incur by replacing JS with free ones
> (or CMM3?).

Could you please explain what CMM3 stans for?

Magic Banana

I am a member!

I am a translator!

Desconectado
Joined: 07/24/2010

I have asked Protonmail why they don't support LibreJS, but they replied that it is not a problem since they have published all the JavaScripts they use on Github.

Give ProtonMail that link: https://www.gnu.org/software/librejs/free-your-javascript.html

panties
Desconectado
Joined: 02/02/2021

No, you do. I mean, I don't use email accounts I created on my devices for my privacy. I asked some friends if I could use the Internet for a while, like "Can I borrow your phone? I forgot my phone at home." or something. Then I borrowed their devices and created some accounts pretending to be doing some research. So I can't send out emails that might cause trouble like this.

Magic Banana

I am a member!

I am a translator!

Desconectado
Joined: 07/24/2010

I do see why it may cause troubles. To the ProtonMail employee that told you "ProtonMail's JavaScript is free software" you can reply "Here is how to clearly indicate that fact (and LibreJS will not block ProtonMail):" + the link.

panties
Desconectado
Joined: 02/02/2021

Yeah... but No, you don't understand the nature of the problem. Whether their JavaScript is free software or not, as I mentioned, in the process of creating a free account, they ask for a "donation" by credit card (which I think is a real purchase) or a "identity verification" by SMS. IIRC, they used to have a reCAPTCHA authentication method a long time ago. I guess phone numbers or credit card numbers are sold better.
So I'd like to ask you the opposite, why do they ask for that donation or SMS verification? They say it's to prove that a human being, not a machine, is creating the account, but I feel that the purpose is to collect personal information. But credit card numbers and phone numbers are a lot heavier information than such as IP addresses, browser search history. Isn't there some other way to check? If you were Protonmail, what means of 'human verification' would you use?
The point is, even if there is, I have to tell Protonmail about it too, and there is almost zero chance that they will reflect and improve their practices. In this case, we are not just wasting time, but obviously there are other losses. You wouldn't want to use an account created on someone else's device for such a troublesome thing, would you?
I think there is something wrong with (the brain of) a company that is so radical about 'freedom and privacy issues' that they even have a .onion website, and yet they require a phone number or a credit card number. At least I would not create an email account of such a company.

Magic Banana

I am a member!

I am a translator!

Desconectado
Joined: 07/24/2010

As far as I understand, bots creating accounts is a real significant issue for many online services. I do not administrate such services and am not knowledgeable on the effective ways to avoid/reduce that problem without non-free JavaScript.

That said, it looks like a separate issue. ProtonMail could still clearly indicate that their (not third-party) JavaScript is free software.

panties
Desconectado
Joined: 02/02/2021

I see.

> That said, it looks like a separate issue. ProtonMail could still clearly indicate that their (not third-party) JavaScript is free software.

Considering their motives for founding the company, there is no need to pay money to a company that doesn't even do such a thing. There's no need for me to take the time to email such a company.