[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-gnuzilla] A need of a paradigm shift for solving the JavaScript

From: Narcis Garcia
Subject: Re: [Bug-gnuzilla] A need of a paradigm shift for solving the JavaScript Trap
Date: Mon, 27 Oct 2014 09:27:59 +0100

I think it's a great idea: managing scripts as software packages that
user authorises to install and/or update.
This could open the door to, in the future, exist JS FLOSS repositories.

El 27/10/14 a les 02:37, Julian Marchant ha escrit:
> I highly appreciate what LibreJS is trying to do, and it's better than
> nothing. But I seriously think that LibreJS is entirely the wrong
> approach to the problem of non-free JavaScript.
> Right now, LibreJS is failing because it requires a format that isn't
> recognized anywhere, but theoretically, this could be solved in the
> future, so let's suppose that it does. Let's suppose even further that
> LibreJS succeeds so much that it causes a large portion of the Web to
> release scripts under libre licenses and document the licenses in a
> format LibreJS can understand.
> So LibreJS is popular, and people are labeling their scripts and
> linking to source code. But people are still behaving the same as
> before, blindly trusting several JavaScript programs that are silently
> being installed into their browsers every day. The only difference is
> that LibreJS thinks the scripts are libre. These are still scripts
> that are updated automatically, basically completely unaudited, and
> never edited by anyone.
> I get that LibreJS is supposed to be only a first step, but I think
> it's the *wrong* first step. I think we need an entire paradigm shift
> in how we deal with the problem of JavaScript code, one which involves
> not automatic script analysis, but direct user intervention.
> This is what I propose: the first time a website requests use of a
> particular JavaScript file, the web browser should tell the user, show
> the JavaScript code requested, and offer three choices:
> 1. Install the requested script
> 2. Install a different script for this purpose
> 3. Don't install any script
> If the user chooses to install a script, it should be installed
> *permanently*, i.e. saved to a local directory.
> On repeat visits to the same website, the scripts requested should be
> compared to your installed scripts. If you have the same script
> installed, it should just run the script you have installed. If you
> don't, it should ask you if you want to update your copy of the script
> or continue to use the locally installed script, showing you either
> the two scripts side-by-side, or perhaps a diff. Here, it can offer
> you the option to reject the suggested script permanently.
> This kind of system would take away the often undeserved trust that
> JavaScript use gives to website maintainers. It would encourage
> everyone to actually think about what JavaScript code they run, the
> same way they think about any other program they might run.
> Another great thing about this system: it would be useful for more
> people than just us. People interested in security would find it
> useful for every script to be accepted or rejected on a case-by-case
> basis, too.
> Please discuss.
> --
> Julian Marchant
> Email: address@hidden, address@hidden
> GnuPG keys: 0x3D015302, 0xD0AF3FA4
> XMPP: onpon4 @ riseup.net
> Diaspora: onpon4 @ nerdpol.ch
> Website: https://onpon4.github.io
> Protect your privacy with GnuPG:
> https://emailselfdefense.fsf.org
> --
> http://gnuzilla.gnu.org

reply via email to

[Prev in Thread] Current Thread [Next in Thread]