I highly appreciate what LibreJS is trying to do, and it's better than nothing. But I seriously think that LibreJS is entirely the wrong approach to the problem of non-free JavaScript.
Right now, LibreJS is failing because it requires a format that isn't recognized anywhere, but theoretically this could be solved in the future, so let's suppose that it is. Let's suppose even further that LibreJS succeeds so much that it causes a large portion of the Web to release scripts under libre licenses and document the licenses in a format LibreJS can understand. So LibreJS is popular, and people are labeling their scripts and linking to source code. But people are still behaving the same as before, blindly trusting several JavaScript programs that are silently being installed into their browsers every day. The only difference is that LibreJS thinks the scripts are libre. These are still scripts that are updated automatically, basically completely unaudited, and never edited by anyone.

I get that LibreJS is supposed to be only a first step, but I think it's the *wrong* first step. I think we need an entire paradigm shift in how we deal with the problem of JavaScript code, one which involves not automatic script analysis, but direct user intervention.

This is what I propose: the first time a website requests use of a particular JavaScript file, the web browser should tell the user, show the JavaScript code requested, and offer three choices:

1. Install the requested script
2. Install a different script for this purpose
3. Don't install any script

If the user chooses to install a script, it should be installed *permanently*, i.e. saved to a local directory. On repeat visits to the same website, the scripts requested should be compared to your installed scripts. If you have the same script installed, it should just run the script you have installed. If you don't, it should ask you if you want to update your copy of the script or continue to use the locally installed script, showing you either the two scripts side-by-side, or perhaps a diff. Here, it can offer you the option to reject the suggested script permanently.
This kind of system would take away the often undeserved trust that JavaScript use gives to website maintainers. It would encourage everyone to actually think about what JavaScript code they run, the same way they think about any other program they might run.

Another great thing about this system: it would be useful for more people than just us. People interested in security would find it useful for every script to be accepted or rejected on a case-by-case basis, too.

Please discuss.

-- 
Julian Marchant
Email: [email protected], [email protected]
GnuPG keys: 0x3D015302, 0xD0AF3FA4
XMPP: onpon4 @ riseup.net
Diaspora: onpon4 @ nerdpol.ch
Website: https://onpon4.github.io
Protect your privacy with GnuPG: https://emailselfdefense.fsf.org

-- 
http://gnuzilla.gnu.org
