From: Julian Marchant
Subject: [Bug-gnuzilla] A need of a paradigm shift for solving the JavaScript Trap
Date: Sun, 26 Oct 2014 21:37:27 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0

I highly appreciate what LibreJS is trying to do, and it's better than
nothing. But I seriously think that LibreJS is entirely the wrong
approach to the problem of non-free JavaScript.

Right now, LibreJS is failing because it requires a format that isn't
recognized anywhere, but theoretically, this could be solved in the
future, so let's suppose that it does. Let's suppose even further that
LibreJS succeeds so much that it causes a large portion of the Web to
release scripts under libre licenses and document the licenses in a
format LibreJS can understand.

So LibreJS is popular, and people are labeling their scripts and
linking to source code. But people are still behaving the same as
before, blindly trusting several JavaScript programs that are silently
being installed into their browsers every day. The only difference is
that LibreJS thinks the scripts are libre. These are still scripts
that are updated automatically, basically completely unaudited, and
never edited by anyone.

I get that LibreJS is supposed to be only a first step, but I think
it's the *wrong* first step. I think we need an entire paradigm shift
in how we deal with the problem of JavaScript code, one which involves
not automatic script analysis, but direct user intervention.

This is what I propose: the first time a website requests use of a
particular JavaScript file, the web browser should tell the user, show
the JavaScript code requested, and offer three choices:

1. Install the requested script

2. Install a different script for this purpose

3. Don't install any script

If the user chooses to install a script, it should be installed
*permanently*, i.e. saved to a local directory.

On repeat visits to the same website, the scripts requested should be
compared to your installed scripts. If you have the same script
installed, it should just run the script you have installed. If you
don't, it should ask you if you want to update your copy of the script
or continue to use the locally installed script, showing you either
the two scripts side-by-side, or perhaps a diff. Here, it can offer
you the option to reject the suggested script permanently.

This kind of system would take away the often undeserved trust that
JavaScript use gives to website maintainers. It would encourage
everyone to actually think about what JavaScript code they run, the
same way they think about any other program they might run.

Another great thing about this system: it would be useful for more
people than just us. People interested in security would find it
useful for every script to be accepted or rejected on a case-by-case
basis, too.

Please discuss.

-- 
Julian Marchant
Email: address@hidden, address@hidden
GnuPG keys: 0x3D015302, 0xD0AF3FA4
XMPP: onpon4 @ riseup.net
Diaspora: onpon4 @ nerdpol.ch
Website: https://onpon4.github.io
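
The following is an added example, not part of the message above and not LibreJS code: a model of the local script directory the proposal describes, written in Python so the mechanism can be exercised outside a browser. It keys scripts by (site, URL), pins each accepted copy by its SHA-256 digest (the comparison method is an assumption; the message does not specify one), runs the locally installed copy when the served script matches, produces a unified diff when it does not, and records permanent rejections of a particular version. The class and function names, the site `https://example.test` and the sample scripts are all constructed for the demonstration.

```python
import difflib
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    """What the browser does with a script a page has just requested."""
    ASK_INSTALL = "first time seen: show the source and ask the user"
    RUN_INSTALLED = "matches the installed copy: run the local copy"
    ASK_UPDATE = "differs from the installed copy: show a diff and ask the user"
    BLOCKED = "version rejected permanently, nothing installed: do not run"


def sha256_hex(source: str) -> str:
    """Content identity of a script; the comparison key on repeat visits."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


@dataclass
class ScriptStore:
    """Local script directory under the user's control, keyed by (site, script URL).

    installed: the source text the user accepted for each key (what actually runs).
    rejected:  (key, sha256) pairs for script versions the user rejected permanently.
    """
    installed: dict = field(default_factory=dict)
    rejected: set = field(default_factory=set)

    def on_request(self, site: str, url: str, served: str):
        """Return (outcome, payload) for `served`, the script the site just sent.

        payload is the local source to run, the served source to review, or a
        unified diff from the installed copy to the served one.
        """
        key = (site, url)
        served_id = sha256_hex(served)
        local = self.installed.get(key)
        if local is None:
            if (key, served_id) in self.rejected:
                return Outcome.BLOCKED, None
            return Outcome.ASK_INSTALL, served
        if sha256_hex(local) == served_id or (key, served_id) in self.rejected:
            # Same script, or a suggested update the user already refused:
            # keep running the locally installed copy without asking again.
            return Outcome.RUN_INSTALLED, local
        diff = "".join(difflib.unified_diff(
            local.splitlines(keepends=True), served.splitlines(keepends=True),
            fromfile=f"installed{url}", tofile=f"served{url}"))
        return Outcome.ASK_UPDATE, diff

    # The user's choices. Choice 2 ("install a different script for this
    # purpose") is install() with source the user supplies instead of `served`.
    def install(self, site: str, url: str, source: str) -> None:
        self.installed[(site, url)] = source

    def reject_version(self, site: str, url: str, source: str) -> None:
        self.rejected.add(((site, url), sha256_hex(source)))


def demo() -> dict:
    """Walk the proposal through a sequence of visits with constructed scripts."""
    store = ScriptStore()
    site = "https://example.test"            # constructed site
    app_v1 = "function greet(n) {\n  return 'hi ' + n;\n}\n"
    app_v2 = ("function greet(n) {\n  fetch('/track?n=' + n);\n"
              "  return 'hi ' + n;\n}\n")   # constructed silent update
    ads = "document.write('<img src=\"/pixel.gif\">');\n"  # constructed
    outcomes = []

    outcome, payload = store.on_request(site, "/static/app.js", app_v1)  # visit 1
    outcomes.append(outcome)
    store.install(site, "/static/app.js", payload)         # choice 1: install

    outcome, _ = store.on_request(site, "/static/app.js", app_v1)        # visit 2
    outcomes.append(outcome)                               # unchanged: runs local copy

    outcome, diff = store.on_request(site, "/static/app.js", app_v2)     # visit 3
    outcomes.append(outcome)                               # changed: user sees the diff
    store.reject_version(site, "/static/app.js", app_v2)   # keep local copy, refuse v2 for good

    outcome, _ = store.on_request(site, "/static/app.js", app_v2)        # visit 4
    outcomes.append(outcome)                               # no prompt, local copy still runs

    outcome, _ = store.on_request(site, "/static/ads.js", ads)           # new file
    outcomes.append(outcome)
    store.reject_version(site, "/static/ads.js", ads)      # choice 3, permanently

    outcome, _ = store.on_request(site, "/static/ads.js", ads)           # next visit
    outcomes.append(outcome)                               # never runs
    return {"outcomes": outcomes, "diff": diff}


if __name__ == "__main__":
    result = demo()
    for o in result["outcomes"]:
        print(o.name, "-", o.value)
    print(result["diff"])
```

Running the module prints the outcome of each visit followed by the diff for the changed script, in which the inserted `fetch('/track?n=' + n)` line is the only addition. Pinning by digest rather than by URL is what makes the third visit visible at all: the URL and the site are identical to the earlier visits, so only the content comparison reveals that the script the user audited is no longer the script being served.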
