[HN Gopher] GNU LibreJS: blocks JavaScript traps
___________________________________________________________________
GNU LibreJS: blocks JavaScript traps
Author : AbuAssar
Score : 69 points
Date : 2024-05-13 05:12 UTC (17 hours ago)
(HTM) web link (www.gnu.org)
(TXT) w3m dump (www.gnu.org)
| lionkor wrote:
| This blocks JavaScript that isn't explicitly licensed exactly the
| way they want, right? In terms of the format of the license, the
| @licstart and @licend comments (with no comment afterwards),
| etc.? That's what this does?
| janosdebugs wrote:
| It also doesn't block well-known libraries. Using this addon
| sounds like a really good way to have a bad time on the
| Internet. By the logic of this, why not block websites which
| have non-free content or other supporting files?
|
| The whole premise of a website is that the owner gives you a
| license of some kind to view it. Blocking only a technical part
| of it makes no logical sense. It's not like you are going to
| take the JS code under a free license that is likely dependent
| on the HTML structure under a non-free license and do stuff
| with it.
| gtsop wrote:
| Your argument about non-free content does not apply to
| GNU's purposes with this plugin. Free Software is concerned
| with the problem of "what does my computer compute, what does
| it do, can I modify it". The content (images, text, video,
| html structure) on any website is not software.
| janosdebugs wrote:
| You can do a lot of dark magic with CSS or SVG too.
| Specifically, CSS has calc too. Websites haven't just been
| documents for a long, long time and basically nobody is
| going to bother keeping any computation in the JS space
| only.
| ranger_danger wrote:
| > The content (images, text, video, html structure) on any
| website is not software
|
| What about things like htmx that put logic directly into
| html attributes?
| wannacboatmovie wrote:
| Some of the stuff out of GNU, this included, borders on mental
| illness. An analogy would be walking around with rubber gloves
| on because you are afraid of everyday germs, not because of any
| imminent danger.
|
| I like how they refer to it as the "JavaScript problem", as if
| the problem isn't a self-imposed construct, rather the fault of
| the individual programmers.
| malicka wrote:
| It's not mental illness, it's the logical extension of
| principle. If you think non-free software is unjustifiable
| and should be avoided, you're probably going to try to avoid
| using it (or, at least, promoting it).
|
| There are three exceptions people sometimes make in their
| avoidance: Using non-free drivers, using non-free software
| for work/school, and using non-free software in the browser.
| It's rational that someone would want to limit these
| exceptions as best they can, and LibreJS is useful for that.
|
| I use LibreJS not to help me completely avoid non-free JS,
| but to make me more conscious of my software use. If a site
| has non-free code and LibreJS pings me about it, I'll
| consider if there's a better site I should be supporting
| instead.
| KronisLV wrote:
| > If a site has non-free code and LibreJS pings me about
| it, I'll consider if there's a better site I should be
| supporting instead.
|
| I wonder how viable this is in the age of the network
| effect, where most people and content can be found on like
| 10 big sites.
|
| If I need an answer for something but it's on
| StackOverflow, YouTube, Reddit or even a Discord server,
| then that's just where I'll go, principles be damned. For
| many it's probably the same way with X vs Mastodon, the
| latter of which does feel more wholesome but can get
| lonely, or at the very least limits your reach. Same with
| social media or professional sites like LinkedIn. Same with
| using one of the more popular browsers, OSes, drivers or a
| lot of other proprietary software.
|
| Not to dismiss anyone who cares deeply about free software,
| but honestly I wonder what % of people are actually
| committed to those ideals and how many are just cruising
| through life with whatever is the most popular option with
| least troubles for everything.
| ranger_danger wrote:
| I don't think many developers would even consider "properly
| licensed" javascript to be subjectively "better" in any way
| simply because they don't care.
|
| Not saying that you don't or shouldn't care yourself, but
| IMO it is seen as a total non-issue for the vast majority
| of people. And I'm not sure LibreJS is doing much in the
| way of trying to convince people otherwise (besides
| breaking half the internet), but maybe I'm wrong.
| nvy wrote:
| It's not mental illness, just capture by a figurehead they
| won't remove who's so detached from how modern computing
| works that he doesn't even know how to update his own
| website.
| LukeShu wrote:
| In addition to the documented+recommended format, it also
| supports a few others. But yeah, it's pretty picky about how
| the license statement is formatted.
| enriquto wrote:
| > This blocks JavaScript that isn't explicitly licensed exactly
| the way they want, right?
|
| The way _you_ want. Nobody forces you to run this plugin. You
| can run this plugin, or not, or even change the plugin source
| code to better fit your needs (something that you cannot do
| with the javascript programs this add-on is designed to protect
| you from).
| tedunangst wrote:
| Does it also block nontrivial css? That can be Turing complete.
| jart wrote:
| Wow it's really cool that Stallman and others created a
| definition of Free Software for the modern web. Sadly it seems
| this is old news. There hasn't been any commits to this project's
| git in the last two years. There's also no date on the article,
| so I can't easily tell how old this is.
| https://www.gnu.org/software/librejs/ I wish there was more
| respect for the devotion and principles that go into making
| something like this. You'd think at least the hacker community
| would understand, of all people.
| gtsop wrote:
| > There hasn't been any commits to this project's git in the
| last two years
|
| I am honestly not sure where you got the 2 year commit gap; the
| latest commit is 3 months ago on master.
|
| https://git.savannah.gnu.org/cgit/librejs.git
|
| > There's also no date on the article, so I can't easily tell
| how old this is
|
| The article is many, many years old; archive.org has a snapshot
| of it from 2012.
| eesmith wrote:
| Another way to verify activity within the last couple of
| years is to see that the last release at
| https://ftp.gnu.org/gnu/librejs/?C=M;O=D is from last fall.
|
| OTOH, there hasn't been a test release since 2016, so keeping
| that section does contribute to the idea that it's no longer
| active.
|
| It's clear the page is pretty old, with both "http" and "ftp"
| download links. FWIW, the http link redirects to https, and
| (warming the heart of this old Unix developer) the ftp link
| still works.
| yellowsir wrote:
| That explains why there is no build tool.
| chrismorgan wrote:
| > _I am honestly not sure where you got the 2 year commit gap_
|
| Probably from https://pagure.io/librejs/commits/master which
| is also mentioned on the page and supposed to be a mirror.
| medo-bear wrote:
| This seems to work very well. So far no UI issues with browsing
| my top 20 websites. Observed benefits: prevents ads, some toxic
| material, and even bypasses some paywalled news sites I visit.
| ygra wrote:
| Wouldn't you get the same benefits by turning off JavaScript
| altogether? I'd expect there to be very little trivial JS (by
| that extension's definition) on the vast majority of sites that
| use JS.
| medo-bear wrote:
| For me this works better than blanket turning off JS, and
| there seems to be a lot of trivial JS on CNN, Reuters, and BBC
| websites. You can investigate the JS which the addon regards
| as trivial.
| robocat wrote:
| Client-side JavaScript is always _distributed[1] source[2] code_
| - because your web page is distributing it to the user's
| browser. So AFAIK you shouldn't use GPL nor LGPL code in your
| pages unless all your client-side JavaScript in the page is
| appropriately licenced. Minified or obfuscated is still source
| code (you must provide original source as per license).
|
| Client-side LGPL JavaScript is neither statically linked nor
| dynamically linked but potentially could be a "mere aggregation"
| i.e. it is hard to use LGPL legally. Perhaps you could meet the
| legal definition of calling a library by using web assembly or
| web workers (see your IP lawyer!).
|
| Unfortunately the FSF appear to be intentionally vague when
| documenting this issue.
|
| For more details see:
|
| https://greendrake.info/publications/js-gpl
|
| https://opensource.stackexchange.com/questions/4360/what-are...
| (be careful reading it because part of that answer is about what
| circumstances client-side GPL mean that the server-side should be
| GPLed).
|
| This issue can affect the HTML and CSS too: It is
| possible to write Javascript code which is strongly bound to a
| particular HTML document. The Javascript code in this case would
| have hard-coded references to parts of the HTML document and
| would rely on that document's particular structure to work. This
| would be a strong indication that the Javascript and the document
| should be considered a single work.
|
| Edit: [1] Well conveyed:
| https://www.gnu.org/licenses/gpl-faq.html#ConveyVsDistribute
|
| Edit: [2] or object code (transpiled/minified) but
| distributing/conveying object code usually requires you to provide
| source.
| gtsop wrote:
| All code run by users is distributed source code. Not sure what
| the distinction you are mentioning is.
|
| > Unfortunately the FSF appear to be intentionally vague when
| documenting this issue.
|
| This is only unfortunate when you don't align with their
| purpose, in which case there is no reason to talk of using GPL
| at all. For people who align with these purposes, this
| "vagueness" is fortunate.
| d1sxeyes wrote:
| That's not true for code which gets pre-compiled.
|
| For interpreted (or JIT-compiled) code, then yes, by
| definition, the source needs to be distributed to end users
| in order to be executed.
|
| For compiled code, only the resultant binary needs to be
| shared after compiling the source.
| aprilnya wrote:
| > Minified or obfuscated is still source code
|
| What about if my source code is in TypeScript and gets
| transpiled + bundled + minified into JS? Is that still source
| code?
| robocat wrote:
| > transpiled + bundled + minified
|
| That is object code (I wrote source code incorrectly).
|
| But if the object code is part of a work then you may need to
| provide your "Corresponding Source" TypeScript code plus
| build files plus sometimes compiler tools. See my other
| comment https://news.ycombinator.com/item?id=40340774
|
| The GPL and FSF are difficult to comply with depending on
| your situation. Also depends on your jurisdiction and the
| jurisdiction of the client using the browser (amongst other
| complexities).
| chrismorgan wrote:
| > _Client-side JavaScript is always_ distributed source code _-
| because your web page is distributing it to the user's
| browser. [...] Minified or obfuscated is still source code (you
| must provide original source as per license)._
|
| Minified or obfuscated is certainly _not_ source code under
| GPLv3's definition
| <https://www.gnu.org/licenses/gpl-3.0.html#section1>:
|
| > _The "source code" for a work means the preferred form of the
| work for making modifications to it. "Object code" means any
| non-source form of a work._
|
| The transformation very obviously makes it be considered object
| code.
| robocat wrote:
| Yes. Transformed/minified/obfuscated is object code.
|
| And when you convey object code then you need to provide the
| "corresponding source" as per section 6.
|
| But my comment is more about: how much of a web page is a
| "work based on the Program" or "modified version" when you
| distribute/convey GPL licensed JavaScript as part of your
| page?
|
| Abridged excerpts from:
| https://www.gnu.org/licenses/gpl-3.0.html#license-text
|
| > "The Program" refers to any copyrightable work licensed under
| > this License. [...] A "covered work" means either the
| > unmodified Program or a work based on the Program.
|
| > Propagation includes copying, distribution (with or without
| > modification), making available to the public [...]
|
| > To "convey" a work means any kind of propagation that enables
| > other parties to make or receive copies [...]
|
| > The "Corresponding Source" for a work in object code form means
| > all the source code needed to generate, install, and (for an
| > executable work) run the object code and to modify the work,
| > including scripts to control those activities. However, it
| > does not include the work's System Libraries, or general-
| > purpose tools or generally available free programs which are
| > used unmodified in performing those activities but which are
| > not part of the work.
|
| > 6. Conveying Non-Source Forms. You may convey a covered work in
| > object code form [snip] provided that you also convey the
| > machine-readable Corresponding Source under the terms of this
| > License ...
|
| This is not legal advice.
|
| The FSF appears to be deliberately unclear about how GPL and
| JavaScript interact. And LibreJS is fairly useless to help
| you legally decide if your web page is a derived/modified
| work or not.
| ecmascript wrote:
| This is like the meme with a guy riding a bike sticking it in the
| front wheel, getting hurt and in this case blaming javascript.
|
| I don't get the hate against javascript tbh. With this, web
| components won't work I assume unless the license is known before
| hand? Or is that considered trivial?
|
| What about wasm? Does it block that? Javascript is at least
| better than wasm since you can inspect javascript. So people that
| hate javascript should really hate wasm.
| nolist_policy wrote:
| They do not hate javascript/wasm software per se but _non-free_
| software.
| ecmascript wrote:
| So how do you determine if a wasm blob is non-free?
| Y_Y wrote:
| If it's free them it should say so, under what license, and
| provide you the original source before compilation or
| whatever.
| gbalduzzi wrote:
| So every webpage should send the whole source code at
| each page render? That's not very efficient.
|
| Also, how can the plugin know if the provided source code
| is correct without compiling it and comparing the
| outputs?
| Y_Y wrote:
| A moment's thought will hopefully provide you with the
| answer to both those questions
| maxlybbert wrote:
| You clearly aren't familiar with GNU or the Free Software
| Foundation. There's nothing wrong with that: everybody
| starts out without being familiar with anything.
|
| In a nutshell, Richard Stallman worked in MIT's AI lab in
| the 1970s. The lab had a certain ethos that he loved (
| https://www.gnu.org/gnu/rms-lisp.html ,
| https://www.gnu.org/philosophy/stallman-kth.en.html ),
| but when it became common for software to be sold without
| the source code, he actually decided to start a
| foundation to recreate that lab ethos (
| https://www.gnu.org/gnu/manifesto.en.html ). A lot of
| programmers agree with his view that refusing to give
| users source code, and legal permission to use that
| source code without restriction, is a terrible affront to
| freedom.
|
| However, people have spent decades telling Stallman that
| if they adopted his principles, they couldn't use their
| computers in the modern world. Every so often, he makes a
| declaration about various distinctions (it's okay to use
| a computer even though the firmware isn't free; it's okay
| to read documents on the web, but any JavaScript should
| be treated as a program and you should insist on an
| acceptable license; he, personally doesn't own a cell
| phone, but sees no problem with using somebody else's
| non-free phone in a case-by-case basis; etc.). This is
| simply an extension to enforce one of his rules. Some
| programmers will feel bad about themselves if they don't
| live up to Stallman's expectations.
| EnergyAmy wrote:
| Blocking web components would be great. That whole idea needs
| to be removed from browsers and rethought from the ground up.
| spankalee wrote:
| Nah, web components are great.
| ZoomerCretin wrote:
| If it's trivial but nonfree, it still runs. What is meant by non-
| trivial, and how do you programmatically determine that a script
| is non-trivial? Like this:
| https://git.savannah.gnu.org/cgit/librejs.git/tree/common/ch...
|
| * If an identifier on the banned list exists, it is non-trivial.
| The list is here:
| https://git.savannah.gnu.org/cgit/librejs.git/tree/common/fn...
|
| * If an identifier is ever followed by the square bracket
| indexing operator, it's non-trivial. (Looking at Stallman's
| requirement, it looks like this should only apply to accessing
| properties on an object, but the authors don't seem to have found
| a way to differentiate using [] on an object's identifier and []
| on an array's identifier)
|
| * If there are more than three loops, it's non-trivial.
|
| * If it uses fetch(), chrome, browser, XMLHttpRequest, or eval(),
| it's non-trivial.
|
| Oddly, referencing "document" is commented out, even though
| Stallman explicitly said any DOM modification makes a script non-
| trivial. I wonder what broke (outside of what they expected to
| break).
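A simplified model of the heuristic summarised in the comment above, written here as an added example rather than LibreJS's own code; the BANNED_IDENTIFIERS list and the sample scripts are constructed for the demonstration, and the rules fire in the order the comment gives them:

```javascript
// Added example: a simplified model of the triviality heuristic described
// above. It is not LibreJS's own code, and BANNED_IDENTIFIERS is a
// constructed stand-in for the project's (much longer) banned-name list;
// the five names the comment lists are included alongside it.
const BANNED_IDENTIFIERS = new Set([
  'fetch', 'eval', 'XMLHttpRequest', 'chrome', 'browser', // named above
  'WebSocket', 'localStorage',                             // constructed
]);
const MAX_LOOPS = 3;

// Blank out comments and string literals first, so that a banned name
// appearing only inside a string or comment does not trip the check.
function stripLiterals(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, ' ')
    .replace(/\/\/[^\n]*/g, ' ')
    .replace(/'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|`(?:\\.|[^`\\])*`/g, '""');
}

// Returns null when the script is judged trivial, otherwise the first
// rule (in the order the comment lists them) that makes it non-trivial.
function whyNonTrivial(src) {
  const code = stripLiterals(src);
  const idents = code.match(/[A-Za-z_$][\w$]*/g) || [];
  for (const id of idents) {
    if (BANNED_IDENTIFIERS.has(id)) return `banned identifier: ${id}`;
  }
  // An identifier directly followed by the [] indexing operator. This is
  // purely syntactic: obj["key"] and arr[0] are indistinguishable here,
  // which is the limitation the comment points out.
  const indexed = code.match(/[A-Za-z_$][\w$]*\s*\[/);
  if (indexed) return `bracket indexing: ${indexed[0]}`;
  const loops = (code.match(/\b(?:for|while|do)\b/g) || []).length;
  if (loops > MAX_LOOPS) return `${loops} loops (max ${MAX_LOOPS})`;
  return null;
}

function isTrivial(src) { return whyNonTrivial(src) === null; }

// Constructed sample scripts. Plain DOM access is judged trivial here,
// matching the observation that the "document" check is commented out.
const SAMPLES = {
  domToggle:   `var m = document.getElementById('menu'); m.style.display = 'none';`,
  fetchesData: `fetch('/api/items').then(r => r.json());`,
  indexes:     `var first = items[0];`,
  manyLoops:   `for (;;) {} for (;;) {} for (;;) {} while (false) {}`,
  stringDecoy: `var note = "we never call eval() or fetch() here";`,
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(12), whyNonTrivial(src) || 'trivial');
}
```

Because the check is purely lexical, it sees only the script text as served; code assembled at run time from other page content is outside its view.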
| ryan-c wrote:
| I expect this bullshit still works:
|
| https://rya.nc/files/librejs-poc.html
|
|   <script id="harmlessNullScript" type="text/javascript"></script>
|   <skript id="derp" style="display:none;">
|   /**
|    * @license Proprietary
|    * @copyright Copyright 2018 Ryan Castellucci, All Rights Reserved
|    */
|   // WARNING: Code here needs to avoid the "less than" symbol.
|   (function(){
|     // LibreJS modifies the text of script tags once they've been
|     // checked, which offers a very convenient way to detect it.
|     if (harmlessNullScript.textContent.indexOf("LibreJS: ") > 0) {
|       eval("alert('LibreJS detected, but non-free eval works');");
|     }
|   })();
|   </skript>
|   <script type="text/javascript">
|   /**
|    * @license Proprietary
|    * @copyright Copyright 2018 Ryan Castellucci, All Rights Reserved
|    */
|   // An eval that works in the WebExtension port of LibreJS.
|   // Untested on the original XPI version.
|   Function(derp.textContent)();
|   </script>
|
| In any event, there are a _lot_ of ways to eval code...
| VelesDude wrote:
| This is one of those things that I agree with the ideas behind
| it. Free Libre software and all of that BUT in trying to deal
| with this via a web addon, considering the scale of the internet,
| it feels like there is no way this could ever achieve its goals.
| I mean how much JS out there doesn't even have a license
| explicitly defined on run time?
|
| And when you run it that is exactly what happens. It assumes the
| worst and the vast majority of things do not work. All it really
| does is slow your browser down to an absolute crawl as it tries
| to do its thing. I just ended up with Noscript and making a few
| exceptions where needed. It is a much better middle ground than
| this.
___________________________________________________________________
(page generated 2024-05-13 23:01 UTC)