Will JavaScript kill Java

Repair or kill automatically installed JavaScript?

This article is a translation of the English article "Fix or Kill Automatically Installed JavaScript?", published by Julie Marchant under a CC BY-SA 4.0 license.

Richard Stallman's essay "The JavaScript Trap" shows that people run proprietary programs that are automatically and silently installed on their computers every day. In fact, he greatly understated the problem: not only do most users run proprietary software every day just by browsing, they run dozens or even hundreds of such programs every day. The JavaScript trap is quite real and prolific; the web is said to be so broken without this unstandardized, usually proprietary extension of HTML that browsers no longer offer a clear option to disable JavaScript. Disabling JavaScript, it is claimed, would only create confusion.

It is clear that we should solve this problem. Still, by focusing on whether the scripts are "trivial" or free, Mr. Stallman misses the mark: the automatic, stealthy installation of software is itself the main problem. The fact that almost all of this software is proprietary is just a side effect.

In response to Mr. Stallman's article, an extension for Firefox and Firefox-derived browsers, called LibreJS, was developed. This extension automatically analyzes all of the JavaScript on a web page to determine whether it is trivial or free; if either condition is met, the script is executed. Otherwise it is blocked. I appreciate the LibreJS project and what it is trying to do. But I think LibreJS is the wrong approach to solving the problem.

Right now LibreJS fails because it requires a format that is not widely recognized, but in theory this could be solved in the future, so let's assume it will be. Let us assume that LibreJS becomes so indispensable that a large part of the web publishes its scripts under free licenses and documents those licenses in a format that LibreJS understands.

This looks fine on the surface, but the result is that software is still silently installed in our browsers every day. The only difference is that LibreJS considers the programs free.

I don't want to downplay the importance of all software being free. Nevertheless, when any software is automatically installed on our computers at the request of another party, it becomes almost impossible to exercise that freedom. It is nice to want all of those JavaScript programs to be free, but they amount to hundreds of scripts running on your computer every day, usually before you even have a chance to review the source code.

Worse, the automatic JavaScript installation system installs the software only temporarily, to run once. In effect, every time the server updates a JavaScript program, that update is forced on the users. Even if the script is free, it is as if it had a back door built in.

This is very similar to the case of tivoization, in which you may theoretically have the freedom to control what a program does, but circumstances prevent you from doing so in practice. It is not enough to have theoretical control; actual control is also necessary. In the JavaScript case, this lack of control is not the result of malicious intent, but of the negligent assumption that the user wants to run any script that a web page might recommend. That is not necessarily true. It would be like Windows being installed on my machine every time I read an article recommending the use of Windows, or every blog post about how great Chrome is causing Chrome to install automatically.

What can we do? I see two possible solutions.

1st solution: repair JavaScript

The first possible solution, and the most obvious one, is to change how the browser behaves in response to requests for JavaScript programs. I suggest that for the system to be acceptable, the following requirements must be met:

  • The browser must install JavaScript code permanently, and only if the user allows it in some way.
  • The browser must allow the user to install scripts and programs, not just the scripts requested by the website.
  • The browser must not automatically update JavaScript code unless the user so chooses, and the user must be able to choose where such updates come from.

You will note that automatic license detection is not included there. How does a user get free JavaScript code without checking every source code file? The solution is actually very simple: the same way as with other free software. I simply trust Trisquel's developers to add only free software with no harmful features to Trisquel's repository. Incidentally, Trisquel's developers can protect Trisquel users against malware, proprietary or not; LibreJS doesn't. We can likewise create and maintain a repository of free JavaScript source code.

For this to work, installed JavaScript programs would have to work on every website that requests them, not just on one page. Which already installed JavaScript code to use can be determined by taking a hash of the minified installed code and comparing it with a hash of the requested scripts after they have been minified in the same way. If that does not produce a match, the scripts' file names can be searched for matches or near-matches, and the user can be asked whether those scripts should be used. Some kind of database in the user's browser that records which scripts to use on certain web pages could also be helpful.
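The lookup described above, as an added example that is not part of the original article or of any browser's code. The names `ScriptStore`, `normalize` and `stem` are hypothetical, whitespace collapsing stands in for a real minifier, SHA-256 is an assumed choice of hash, and the code assumes Node.js for its `crypto` module.

```javascript
// Added illustration; ScriptStore, normalize and stem are hypothetical names.
const { createHash } = require('node:crypto');

// Stand-in for a real minifier: collapse whitespace so that formatting
// differences do not change the hash. Both sides use the same normalization.
const normalize = (src) => src.replace(/\s+/g, ' ').trim();
const digest = (src) => createHash('sha256').update(normalize(src)).digest('hex');

// File-name stem for near-matches: drop directories, ".js", ".min", versions.
const stem = (url) => url.split('/').pop().toLowerCase()
  .replace(/\.js$/, '').replace(/\.min$/, '').replace(/[-._]?v?\d+(\.\d+)*$/, '');

class ScriptStore {
  constructor() { this.byHash = new Map(); }

  // Called only when the user explicitly installs a script.
  install(name, source) { this.byHash.set(digest(source), { name, source }); }

  // Decide what to do with a script that a page requests.
  resolve(url, requestedSource) {
    const exact = this.byHash.get(digest(requestedSource));
    // On a hash match, run the installed copy, never the bytes the server sent.
    if (exact) return { action: 'run-installed', script: exact.name };
    const candidates = [...this.byHash.values()]
      .filter((s) => stem(s.name) === stem(url)).map((s) => s.name);
    // A name match proves nothing about the content, so the user decides.
    if (candidates.length) return { action: 'ask-user', candidates };
    return { action: 'block' };
  }
}

// Constructed sample data: one installed script, three page requests.
const store = new ScriptStore();
store.install('menu-1.2.0.js', 'function toggle(el) {\n  el.hidden = !el.hidden;\n}');
const demo = () => [
  store.resolve('https://example.org/js/menu.min.js',
    'function toggle(el) { el.hidden = !el.hidden; }'),
  store.resolve('https://example.org/js/menu-1.3.0.js',
    'function toggle(el){track(el);el.hidden=!el.hidden;}'),
  store.resolve('https://example.org/js/ads.js', 'track()'),
];
```

The second request shows why a server-side change never takes effect on its own: the modified script no longer matches the installed hash, so it falls through to a user prompt instead of running.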

I suppose this would take a lot of effort, which is probably why the LibreJS developer did not attempt it. It doesn't help that making it work reliably would mean constant work to keep up with changes to web pages.

2nd solution: kill JavaScript

When I suggested something like the 1st solution on the bug-gnuzilla mailing list, one reply said there was a simpler solution: instead of repairing JavaScript, we could just completely disable JavaScript execution in our browsers (in other words, kill JavaScript). Of course, I actually mean automatically installed JavaScript. There is nothing wrong with using JavaScript to develop new Firefox extensions, for example. User scripts and extensions can even be developed to replace important proprietary JavaScript code.

Nevertheless, this solution is not problem-free. In particular, it requires a huge social change, though a smaller one than what LibreJS is trying to achieve. Browsers that remove JavaScript support can help with this plan, but there is a chicken-and-egg problem: browsers without JavaScript support are simply considered inferior while many web pages require it.

A possible middle way to this end could be a browser that supports JavaScript but has it switched off by default and gives users the simplest possible means of temporarily enabling JavaScript on a page. This way, the user has a JavaScript-free experience but can still use JavaScript on websites that need it, without so much inconvenience that the browser becomes unusable. It would even have the nice side effect of making the browsing experience generally smoother for users; many websites carry an enormous amount of JavaScript shit that can only be avoided entirely by turning off JavaScript.

Conclusion

All of these measures have advantages and disadvantages.

The first solution can immediately produce good results for things like Diaspora and Reddit: websites that require JavaScript code, most of which is free. It would probably bring little or no change to the web, but it does not need such a change in order to work. Even so, it would take some work to change how the browser behaves with respect to JavaScript, and it would be much more of a hassle to maintain a repository of free JavaScript programs.

The second solution is very similar to what LibreJS is trying to do, but on a much smaller scale. It depends on a change in the web: you have to convince the majority of web developers not to require JavaScript code any more. If it works, it can work spectacularly. On the other hand, it can fail spectacularly, or simply lead to some other method of automatically and silently installing software in users' browsers becoming popular.

I'm not sure which one is better, but LibreJS is neither a solution, nor a patch, nor a step in the right direction. Until a free browser that properly repairs JavaScript is available, anyone who wants freedom on their computer must disable all normal JavaScript execution in their browser, even if the code is free, and web developers who want to respect the freedom of their users must work to remove any JavaScript requirement from their web pages.
