Hello, Habr! I present to your attention the translation of the article Julie Marchant Fix or Kill Automatically Installed jаvascript?
In Richard Stallman's essay "jаvascript Trap" it is noted that people run non-free programs that are automatically installed in their browsers every day. In fact, he greatly understated the problem. Not only do most users run non-free programs every day just by browsing web pages, they run dozens or even hundreds of such programs every day. The jаvascript trap is extremely real and prolific. It is believed that working with sites will be disrupted without these non-standard, usually proprietary, HTML extensions that web browsers do not even offer the obvious ability to disable jаvascript. It is argued that disabling jаvascript will only lead to confusion.
Obviously, we need to solve this problem. However, by focusing on whether scripts are "trivial" or free, Mr. Stallman overlooks an important point: the automatic inconspicuous installation of software in itself is the main problem. The fact that for the most part the software is not free is only a side effect.
In response to Mr. Stallman's article, an extension was developed for the Firefox browser and its derivatives called LibreJS. This extension automatically analyzes all jаvascript on the page to determine whether it is trivial or free and if one of these conditions is true, the scripts are executed, otherwise they are blocked. I appreciate the LibreJS project and what it is trying to do. But I think that LibreJS is a fundamentally wrong approach to solving the problem.
Right now LibreJS fails because it requires a format that is not recognized anywhere, but theoretically it can be solved in the future, so let's assume that everything is in order. Suppose that LibreJS is so successful that it causes most of the Internet to issue scripts under free licenses and describe licenses in a format that LibreJS understands.
It seems, at first glance, it's great, but it follows that the software is still quietly installed in our browsers every day. The only difference is that LibreJS considers the programs to be free.
I do not want to downplay the importance of all programs being free. However, when any software is automatically installed on our computers at the request of a third party, this makes it impossible to exercise freedom. It is assumed that you want all these jаvascript programs that can easily make up hundreds of new scripts every day, run on your computer, usually before you can even check their source code.
Worse, the automatic jаvascript installation system installs the software only temporarily to run only once. In fact, whenever a server updates jаvascript, which is sent to web browsers, this update is propagated to users. Even if the script is free, it seems to have a built-in backdoor.
This is very similar to the case of tivoization, when in theory you have the freedom to control what the program does, but you can not do it in practice because of the circumstances. It is not enough to have a theoretical control. Also, actual control is necessary. In the case of jаvascript, this lack of control is not the result of malicious intent, but rather the result of the careless assumption of web browsers that the user wants to execute every script that a web page can offer. This is not necessarily so. It would be like if Windows were installed on my computer every time I read an article recommending using Windows, or if the blog was talking about how Chrome is great, it would automatically install Chrome on my system.
So what can we do? I know of two possible solutions.
Solution 1: Fix jаvascript
The first possible and most obvious solution is to change the behavior of web browsers regarding jаvascript software requests. I suggest, in order for the system to be acceptable, MUST satisfy all of the following conditions:
The browser must set the jаvascript code constantly and only if the user explicitly resolves it in some way.
The browser should allow the user to install any arbitrary script, not just the script requested by the web page.
The browser does not automatically update the jаvascript code unless the user has indicated that it should be updated and the user should be able to choose where such updates come from.
You will notice that automatic license discovery is not included in any of these items. So how does the user get only free jаvascript without manually checking each source file? The solution is actually quite simple: just like any other free software. I trust the developers of Trisquel to include in the repository only free programs without malicious functions. By the way, Trisquel developers can protect users from
, not free or not; LibreJS - can not. Similarly, we can create and maintain a repository of free jаvascript code.
For this to work, installed jаvascript programs also need to work on all web pages that request it, not just on one page. As for the already installed jаvascript code, you can determine the possibility of using it by obtaining a hash of the minified versions of the installed scripts, and then get the hash of the requested scripts after they have been minified in the same way. If the hashes do not match, you can check the filenames of the scripts for full or partial matches and the user can be asked if these scripts should be used. It will also be useful to have some sort of database in the user's browser, which determines the sites on which certain scripts can be used.
I believe that this approach will require considerable effort and, probably, that's why the developer of LibreJS did not try to do this. It does not help that the achievement of
It assumes continuous work that keeps pace with changing pages.
Solution 2: Kill jаvascript
When I suggested something like Solution 1 on the bug-gnuzilla mailing list, one of the answers stated that there is a much simpler solution: instead of trying to fix jаvascript, we could completely disable the execution of jаvascript in our browsers (in other words , kill jаvascript). Of course, I mean
jаvascript. For example, there is nothing wrong with using jаvascript to develop Firefox extensions. Custom scripts and extensions can even be designed to replace important proprietary jаvascript code.
Nevertheless, this decision is not without problems. In particular, this requires huge social changes, albeit smaller than LibreJS is trying to do. Browsers that remove jаvascript support can help in this regard, but there is a problem with the chicken and the egg in the sense that browsers without jаvascript support will be considered inferior, while many websites require the working of scripts.
One of the intermediate steps to achieve this goal can be a browser that supports jаvascript, but by default JS should be disabled, and giving the user an easy way to temporarily enable the execution of jаvascript on one page. Thus, the user will gain experience without using jаvascript, but still he will have the opportunity to use jаvascript for the pages on which he is needed, without any inconvenience that makes the browser uncomfortable. There would even be a pleasant side effect for users - their work on the Internet would become smoother. Many websites have huge, overblown scripts that can be completely avoided by simply disabling jаvascript.
Each of these approaches has strengths and weaknesses.
The first solution can give good results immediately for sites like Diaspora and Reddit, which require jаvascript code, but mostly free. Probably, this will not lead to significant changes on the Internet, but it is not necessary for work. However, this will require some work to properly configure the browser's behavior with respect to jаvascript and there would be much more work to maintain the storage of free jаvascript programs.
The second solution is quite similar to what LibreJS is currently trying to do, albeit on a much smaller scale. It depends on changing the Internet: to persuade most web developers to stop using jаvascript code. If this solution works, the effect can be spectacular. On the other hand, this solution can easily fail or simply lead to the emergence of yet another popular method of automatic software installation in user browsers.
I'm not sure which is better, but LibreJS is neither good nor a good temporary solution, nor even a step in the right direction. While a free browser that correctly corrects jаvascript becomes available, anyone who wants freedom in computing must disable all the usual jаvascript actions in their browsers, even if the code is free, and web developers who respect the freedom of their users must eliminate the required jаvascript on their websites.
It may be interesting
Your post is very helpful to get some effective tips to reduce weight properly. You have shared various nice photos of the same. I would like to thank you for sharing these tips. Surely I will try this at home. Keep updating more simple tips like this. buffet catering service Dudley
Ants removal service