I want to bring this topic that I brought up on the bug-gnuzilla mailing
list[0] here, to give it more exposure.
I appreciate the LibreJS project and what it's trying to do. But I think that
LibreJS is fundamentally a wrong approach to solving what RMS calls the
JavaScript Trap.
Right now, LibreJS is failing because it requires a format that isn't
recognized anywhere, but theoretically, this could be solved in the future,
so let's suppose that it does. Let's suppose even further that LibreJS
succeeds so much that it causes a large portion of the Web to release scripts
under libre licenses and document the licenses in a format LibreJS can
understand.
So LibreJS is popular, and people are labeling their scripts and linking to
source code. But people are still behaving the same as before, blindly
trusting several JavaScript programs that are silently being installed into
their browsers every day. The only difference is that LibreJS thinks the
scripts are libre. These are still scripts that are updated automatically,
basically completely unaudited, and never edited by anyone.
I get that LibreJS is supposed to be only a first step, but I think it's the
*wrong* first step. I think we need an entire paradigm shift in how we deal
with the problem of JavaScript code, one which involves not automatic script
analysis, but direct user intervention.
At first, I suggested on bug-gnuzilla that Web browsers should be designed to
install JavaScript software, permanently, only after prompting the user for
permission. But an email from Ivan Zaigralin[1] suggests we should reject
JavaScript entirely:
Ivan Zaigralin wrote:
> The said direct user intervention should consist in a flat
> refusal to run javascript. Free software comes from credible sources, and
> javascript is simply mis-designed. It is a platform and an ecosystem that
makes
> the whole issue of user freedom moot. If users want interactive web, they
need
> to install a free user agent that is smart enough to produce that
experience
> from the markup, a la HTML5. Side-loading and running dozens of
> scripts, even in a virtual machine, is just stupid, no matter how you slice
it.
> To put it very tersely, javascript must die. It is absolutely the wrong
solution
> to every problem it purports to solve, from the users' point of view. If a
web
> user interface cannot be implemented in markup, a user should insist on it
> being done server-side, it's that simple.
I honestly find the argument compelling. I think he's right. We shouldn't be
trying to fix the way JavaScript requests from Web pages are handled, because
the system as designed is fundamentally incompatible with freedom. We should
reject this JavaScript code entirely; our goal should be to kill off all
requests from servers for the client to run JavaScript code. JavaScript can
remain solely in the form of user scripts.
Please discuss.
[0] https://lists.gnu.org/archive/html/bug-gnuzilla/2014-10/msg00019.html
[1] https://lists.gnu.org/archive/html/bug-gnuzilla/2014-11/msg00004.html