I want to bring this topic that I brought up on the bug-gnuzilla mailing list[0] here, to give it more exposure.

I appreciate the LibreJS project and what it's trying to do. But I think that LibreJS is fundamentally a wrong approach to solving what RMS calls the JavaScript Trap.

Right now, LibreJS is failing because it requires a format that isn't recognized anywhere, but theoretically, this could be solved in the future, so let's suppose that it does. Let's suppose even further that LibreJS succeeds so much that it causes a large portion of the Web to release scripts under libre licenses and document the licenses in a format LibreJS can understand.

So LibreJS is popular, and people are labeling their scripts and linking to source code. But people are still behaving the same as before, blindly trusting several JavaScript programs that are silently being installed into their browsers every day. The only difference is that LibreJS thinks the scripts are libre. These are still scripts that are updated automatically, basically completely unaudited, and never edited by anyone.

I get that LibreJS is supposed to be only a first step, but I think it's the *wrong* first step. I think we need an entire paradigm shift in how we deal with the problem of JavaScript code, one which involves not automatic script analysis, but direct user intervention.

At first, I suggested on bug-gnuzilla that Web browsers should be designed to install JavaScript software, permanently, only after prompting the user for permission. But an email from Ivan Zaigralin[1] suggests we should reject JavaScript entirely:

Ivan Zaigralin wrote:
> The said direct user intervention should consist in a flat
> refusal to run javascript. Free software comes from credible sources, and
> javascript is simply mis-designed. It is a platform and an ecosystem that makes > the whole issue of user freedom moot. If users want interactive web, they need > to install a free user agent that is smart enough to produce that experience
> from the markup, a la HTML5. Side-loading and running dozens of
> scripts, even in a virtual machine, is just stupid, no matter how you slice it. > To put it very tersely, javascript must die. It is absolutely the wrong solution > to every problem it purports to solve, from the users' point of view. If a web
> user interface cannot be implemented in markup, a user should insist on it
> being done server-side, it's that simple.

I honestly find the argument compelling. I think he's right. We shouldn't be trying to fix the way JavaScript requests from Web pages are handled, because the system as designed is fundamentally incompatible with freedom. We should reject this JavaScript code entirely; our goal should be to kill off all requests from servers for the client to run JavaScript code. JavaScript can remain solely in the form of user scripts.

Please discuss.

[0] https://lists.gnu.org/archive/html/bug-gnuzilla/2014-10/msg00019.html
[1] https://lists.gnu.org/archive/html/bug-gnuzilla/2014-11/msg00004.html

Reply via email to