
[Translation] Fix or Kill Automatically Installed JavaScript?

Hi, Habr! I present to your attention a translation of Julie Marchant's article "Fix or Kill Automatically Installed JavaScript?"


In his essay "The JavaScript Trap", Richard Stallman notes that people run proprietary programs that are automatically and silently installed in their browsers every day. In fact, he greatly understated the problem. Not only do most users run non-free programs on a daily basis just by browsing the web, they run dozens or even hundreds of such programs every day. The JavaScript trap is extremely real and prolific. Sites are so widely expected to break without these non-standard, usually proprietary, HTML extensions that web browsers do not even offer an obvious way to disable JavaScript. It is argued that disabling JavaScript will only lead to confusion.


Obviously, we need to solve this problem. However, by focusing on whether the scripts are “trivial” or free, Mr. Stallman misses an important point: automatic, silent software installation is a major problem in itself. The fact that most of this software turns out to be non-free is only a side effect.


In response to Mr. Stallman's article, an extension called LibreJS was developed for the Firefox browser and its derivatives. This extension automatically analyzes all the JavaScript on a page to determine whether it is trivial or free. If one of these conditions is true, the scripts are executed; otherwise they are blocked. I appreciate the LibreJS project and what it is trying to do. But I think that LibreJS is a fundamentally wrong approach to solving the problem.


Right now LibreJS fails because it requires a format that is not recognized anywhere, but in theory that can be solved in the future, so let's assume that everything is in order. Suppose that LibreJS is so successful that it forces most of the Internet to release scripts under free licenses and to describe those licenses in a format that LibreJS understands.


At first glance this seems great, but it means that software is still silently installed in our browsers every day. The only difference is that LibreJS considers the programs free.


I do not want to diminish the importance of all programs being free. However, when any software is automatically installed on our computers at the request of a third party, the exercise of freedom becomes impossible. It is assumed that you want all these JavaScript programs, which can easily add up to hundreds of new scripts every day, to run on your computer, usually before you can even check their source code.


Worse, automatically installed JavaScript is installed only temporarily, to be executed only once. In effect, whenever a server updates the JavaScript it sends to web browsers, that update is forced on users. Even if the script is free, it is as if it had a built-in backdoor.


This is very similar to the case of tivoization, where in theory you have the freedom to control what the program does, but in practice circumstances prevent you from doing so. Theoretical control is not enough. Actual control is also required. In the case of JavaScript, this lack of control is not the result of malicious intent, but rather of a careless assumption by web browsers that the user wishes to execute every script a web page offers. This is not necessarily the case. It would be as if Windows were installed on my computer every time I read an article recommending Windows, or as if a blog post about how great Chrome is automatically installed Chrome on my system.


So what can we do? I know two possible solutions.


Solution 1: Fix JavaScript


The first possible and most obvious solution is to change how web browsers behave when a page requests JavaScript software. I suggest that for the system to be acceptable, all of the following conditions MUST be fulfilled:



You will notice that automatic license discovery is not included in any of these items. So how does a user get only free JavaScript without manually checking each source file? The solution is actually quite simple: the same way as with any other free software. I trust the Trisquel developers to include in the repository only free programs without malicious functions. By the way, the Trisquel developers can protect users from malicious programs, non-free or not; LibreJS cannot. Similarly, we can create and maintain a repository of free JavaScript code.


For this to work, installed JavaScript programs must also work on all web pages that request them, not just on one page. Whether an already installed script can be used can be determined by taking a hash of the minified version of each installed script, then minifying the requested scripts in the same way and hashing them. If the hashes do not match, the script file names can be checked for a full or partial match, and the user can be asked whether these scripts should be used. It would also be useful to have some sort of database in the user's browser defining the sites on which certain scripts can be used.
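The hash comparison and file-name fallback described above can be sketched as follows. This is an added example, not code from the article or from LibreJS; `normalize` is a simplified stand-in for a real minifier, and the function names, the `installed` record shape, the `ask-site` and `ask-replace` outcomes and the sample data are assumptions.

```javascript
const { createHash } = require('crypto');
// Stand-in for a real minifier (assumption): drops comments and whitespace
// outside string literals. Regex literals are not handled.
function normalize(src) {
  let out = '', i = 0, gap = false;
  while (i < src.length) {
    const c = src[i], two = src.slice(i, i + 2);
    if (two === '//') {
      while (i < src.length && src[i] !== '\n') i++;
    } else if (two === '/*') {
      const end = src.indexOf('*/', i + 2);
      i = end < 0 ? src.length : end + 2;
    } else if (/\s/.test(c)) {
      i++;
    } else {
      let j = i + 1;
      if (c === '"' || c === "'" || c === '`') { // copy string literal verbatim
        while (j < src.length && src[j] !== c) j += src[j] === '\\' ? 2 : 1;
        j++;
      }
      // keep one space only where two identifier characters would merge
      if (gap && /[\w$]$/.test(out) && /[\w$]/.test(c)) out += ' ';
      out += src.slice(i, j); i = j; gap = false;
      continue;
    }
    gap = true; // a comment or whitespace was skipped
  }
  return out;
}
const scriptHash = (src) => createHash('sha256').update(normalize(src)).digest('hex');
// File name without version/.min suffixes, used for the partial-match fallback.
const stem = (name) => name.toLowerCase().replace(/(\.min)?\.js$/, '').replace(/[-.]?\d[\d.]*$/, '');

// installed: [{ name, source, sites }]; sites is the per-script site database.
// The installed copy is what runs; the server's copy is only compared against it.
function decide(pageOrigin, scriptUrl, requestedSrc, installed) {
  const want = scriptHash(requestedSrc);
  const exact = installed.find((s) => scriptHash(s.source) === want);
  if (exact) return { action: exact.sites.includes(pageOrigin) ? 'run-installed' : 'ask-site', name: exact.name };
  const file = new URL(scriptUrl).pathname.split('/').pop();
  const similar = installed.find((s) => stem(s.name) === stem(file));
  return similar ? { action: 'ask-replace', name: similar.name } : { action: 'block' };
}

// Constructed sample data: one installed script and an unminified server copy of it.
const INSTALLED = [{ name: 'widget-1.2.0.min.js', sites: ['https://example.org'],
  source: 'function greet(n){return"hi // "+n;}' }];
const SAMPLE_REQUEST = `// greeting helper
function greet(n) { /* build message */
  return "hi // " + n; }`;
```

A changed script body served under a similar file name yields `ask-replace` rather than running silently, which is the point at which the user is asked.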


I believe that this approach will require considerable effort, which is probably why the LibreJS developer did not try it. It does not help that achieving reliability requires continuous work to keep up with changing pages.


Solution 2: Kill JavaScript


When I suggested something like Solution 1 on the bug-gnuzilla mailing list, one of the replies noted that there is a much simpler solution: instead of trying to fix JavaScript, we could completely disable the execution of JavaScript in our browsers (in other words, kill JavaScript). Of course, I mean automatically installed JavaScript. For example, there is nothing wrong with using JavaScript to develop Firefox extensions. Custom scripts and extensions could even be developed to replace important proprietary JavaScript code.


Nevertheless, this solution is not without problems. In particular, it requires tremendous social change, albeit less than LibreJS is trying to bring about. Browsers that remove JavaScript support could help in this regard, but there is a chicken-and-egg problem: browsers without JavaScript support will be considered inferior as long as many websites require scripts to work.


One intermediate step toward this goal could be a browser that supports JavaScript but has it disabled by default and gives the user an easy way to temporarily enable JavaScript on a single page. The user would get used to browsing without JavaScript while still being able to use it on the pages that need it, without any hassle that would make the browser inconvenient. There would even be a pleasant side effect for users: their browsing would become smoother. Many websites have huge, bloated scripts that can be avoided entirely by disabling JavaScript.


Conclusion


Each of these approaches has strengths and weaknesses.


The first solution can give good results immediately for sites like Diaspora and Reddit, which require JavaScript code that is mostly free. It probably will not lead to significant changes on the Internet, but it does not need to in order to work. However, it would take some work to properly configure browser behavior with respect to JavaScript, and much more work to maintain a repository of free JavaScript programs.


The second solution is quite similar to what LibreJS is currently trying to do, albeit on a much smaller scale. It depends on changing the Internet: convincing most web developers to stop using JavaScript code. If this solution works, the effect could be impressive. On the other hand, it could easily fail, or simply lead to the emergence of yet another popular method of automatically installing software in users' browsers.


I'm not sure which is better, but LibreJS is neither a good solution nor a good temporary solution, nor even a step in the right direction. Until a free browser that correctly fixes JavaScript becomes available, anyone who wants freedom in computing should disable all normal JavaScript execution in their browsers, even if the code is free, and web developers who respect the freedom of their users should eliminate any JavaScript requirement from their sites.



Source: https://habr.com/ru/post/424657/

