1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
|
<!--#include virtual="/server/header.html" -->
<!-- Parent-Version: 1.96 -->
<!-- This page is derived from /server/standards/boilerplate.html -->
<!--#set var="TAGS" value="essays licensing traps" -->
<!--#set var="DISABLE_TOP_ADDENDUM" value="yes" -->
<title>The JavaScript Trap - GNU Project - Free Software Foundation</title>
<!--#include virtual="/philosophy/po/javascript-trap.translist" -->
<!--#include virtual="/server/banner.html" -->
<!--#include virtual="/philosophy/ph-breadcrumb.html" -->
<!--GNUN: OUT-OF-DATE NOTICE-->
<!--#include virtual="/server/top-addendum.html" -->
<div class="article reduced-width">
<h2>The JavaScript Trap</h2>
<address class="byline">by <a href="https://www.stallman.org/">Richard
Stallman</a></address>
<p><strong>You may be running nonfree programs on your computer every
day without realizing it—through your web browser.</strong></p>
<!-- any links that used to point to the appendices should point to
free-your-javascript.html instead. -->
<div class="announcement">
<hr class="no-display" />
<p>Webmasters: there are
<a href="/software/librejs/free-your-javascript.html">several ways</a>
to indicate the license of JavaScript programs in a web site.</p>
<hr class="no-display" />
</div>
<p>In the free software community, the idea that
<a href="/philosophy/free-software-even-more-important.html">
any nonfree program mistreats its users</a> is familiar. Some of us
defend our freedom by rejecting all proprietary software on our
computers. Many others recognize nonfreeness as a strike against the
program.</p>
<p>Many users are aware that this issue applies to the plug-ins that
browsers offer to install, since they can be free or nonfree. But
browsers run other nonfree programs which they don't ask you about, or
even tell you about—programs that web pages contain or link to.
These programs are most often written in JavaScript, though other
languages are also used.</p>
<p>JavaScript (officially called ECMAScript, but few use that name)
was once used for minor frills in web pages, such as cute but
inessential navigation and display features. It was acceptable to
consider these as mere extensions of HTML markup, rather than as true
software, and disregard the issue.</p>
<p>Some sites still use JavaScript that way, but many use it for major
programs that do large jobs. For instance, Google Docs tries to
install into your browser a JavaScript program which measures half a
megabyte, in a compacted form that we could call Obfuscript. This
compacted form is made from the source code, by deleting the extra
spaces that make the code readable and the explanatory remarks that
make it comprehensible, and replacing each meaningful name in the code
with an arbitrary short name so we can't tell what it is supposed to
mean.</p>
<p>Part of the <a href="/philosophy/free-sw.html">meaning of free
software</a> is that users have access to the program's source code
(its plan). The source code of a program means the preferred form for
programmers to modify—including helpful spacing, explanatory
remarks, and meaningful names. Compacted code is a bogus, useless
substitute for source code; the real source code of these programs is
not available to the users, so users cannot understand it; therefore
the programs are nonfree.</p>
<p>In addition to being nonfree, many of these programs
are <em>malware</em> because
they <a href="https://github.com/w3c/fingerprinting-guidance/issues/8">snoop
on the user</a>. Even nastier, some sites use services which record
<a href="https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/">all
the user's actions while looking at the page</a>. The services
supposedly “redact” the recordings to exclude some
sensitive data that the web site shouldn't get. But even if that
works reliably, the whole purpose of these services is to give the web
site other personal data that it shouldn't get.</p>
<p>Browsers don't normally tell you when they load JavaScript
programs. Some browsers have a way to turn off JavaScript entirely,
but even if you're aware of this issue, it would take you considerable
trouble to identify the nontrivial nonfree programs and block them.
However, even in the free software community most users are not aware
of this issue; the browsers' silence tends to conceal it.</p>
<p>To be clear, the language JavaScript is not inherently better or worse
for users' freedom than any other language.
It is possible to release a JavaScript program as free software, by
distributing the source code under a free software license. If the
program is self-contained—if its functioning and purpose are
independent of the page it came in—that is fine; you can copy it
to a file on your machine, modify it, and visit that file with a
browser to run it. It's even possible to package it for installation
just like other free programs and invocation with a shell command.
These programs present no special moral issue different from those
of C programs.</p>
<p>The issue of the JavaScript trap applies when the JavaScript
program comes along with a web page that users visit.
Those JavaScript programs are written to work with a
particular page or site, and the page or site depends on them to
function.</p>
<p>Suppose you copy and modify the page's JavaScript code.
Then another problem arises: even if the program's source
is available, browsers do not offer a way to run your modified version
instead of the original when visiting that page or site. The effect
is comparable to tivoization, although in principle not quite so hard
to overcome.</p>
<p>JavaScript is not the only language web sites use for programs sent
to the user. Flash supported programming through an extended variant
of JavaScript, but that is a thing of the past. Microsoft Silverlight
seems likely to create a problem similar to Flash, except worse, since
Microsoft uses it as a platform for nonfree codecs. A free
replacement for Silverlight does not do the job adequately for the
free world unless it normally comes with free replacement codecs.</p>
<p>Java applets also run in the browser, and raise similar issues. In
general, any sort of applet system poses this sort of problem. Having
a free execution environment for an applet only brings us far enough
to encounter the problem.</p>
<p>It is theoretically possible to program in HTML and CSS, but in
practice this capability is limited and inconvenient; merely to make
it do something is an impressive hack. Such programs ought to be
free, but CSS is not a serious problem for users' freedom as of
2019.</p>
<p>A strong movement has developed that calls for web sites to
communicate only through formats and protocols that are free (some say
“open”); that is to say, whose documentation is published and which
anyone is free to implement. However, the presence of JavaScript programs
in web pages makes that criterion insufficient. The JavaScript language
itself, as a format, is free, and use of JavaScript in a web site is
not necessarily bad. However, as we've seen above, it can be bad—if
the JavaScript program is nonfree. When the site transmits a program
to the user, it is
not enough for the program to be written in a documented and
unencumbered language; that program must be free, too. “Transmits only free
programs to the user” must become part of the criterion
for an ethical web site.</p>
<p>Silently loading and running nonfree programs is one among several
issues raised by “web applications.” The term “web
application” was designed to disregard the fundamental
distinction between software delivered to users and software running
on a server. It can refer to a specialized client program running
in a browser; it can refer to specialized server software; it can
refer to a specialized client program that works hand in hand with
specialized server software. The client and server sides raise
different ethical issues, even if they are so closely integrated that
they arguably form parts of a single program. This article addresses
only the issue of the client-side software. We are addressing the
server issue separately.</p>
<p>In practical terms, how can we deal with the problem of nontrivial nonfree
JavaScript programs in web sites? The first step is to avoid running
it.</p>
<p>What do we mean by “nontrivial”? It is a matter of
degree, so this is a matter of designing a simple criterion that gives
good results, rather than finding the one correct answer.</p>
<p>
Our current criterion is to consider a JavaScript program nontrivial
if any of these conditions is met:</p>
<ul>
<li>it is referred to as an external script (from another page).</li>
<li>it declares an array more than 50 elements long.</li>
<li>it defines a named entity (function or method) that calls anything other
than a primitive.</li>
<li>it defines a named entity with more than three conditional
constructs and loop construction.</li>
<li>code outside of named definitions calls anything but primitives and
functions defined further up in the page.</li>
<li>code outside of named definitions contains more than three
conditional constructs and loop construction, total.</li>
<li>it calls <b>eval</b>.</li>
<li>it does Ajax calls.</li>
<li>it uses bracket notation for dynamic object property access,
which looks like <b><em>object</em>[<em>property</em>]</b>.</li>
<li>it alters the DOM.</li>
<li>it uses dynamic JavaScript constructs that are difficult to
analyze without interpreting the program, or is loaded along with
scripts that use such constructs. Specifically, using any other
construct than a string literal with certain methods
(<b>Obj.write</b>, <b>Obj.createElement</b>, and others).</li>
</ul>
<p>How do we tell whether the JavaScript code is free? In a <a
href="/licenses/javascript-labels.html">separate article</a>,
we propose a method by which a nontrivial JavaScript
program in a web page can state the URL where its source code is
located, and can state its license too, using stylized comments.</p>
<p>Finally, we need to change free browsers to detect and block
nontrivial nonfree JavaScript in web pages. The program
<a href="/software/librejs/">LibreJS</a> detects nonfree,
nontrivial JavaScript in pages you visit, and blocks it. LibreJS is
included in IceCat, and available as an add-on for Firefox.</p>
<p>Browser users also need a convenient facility to specify JavaScript
code to use <em>instead</em> of the JavaScript in a certain page.
(The specified code might be total replacement, or a modified version
of the free JavaScript program in that page.) Greasemonkey comes close
to being able to do this, but not quite, since it doesn't guarantee to
modify the JavaScript code in a page before that program starts to
execute. Using a local proxy works, but is too inconvenient now to be
a real solution. We need to construct a solution that is reliable and
convenient, as well as sites for sharing changes. The GNU Project
would like to recommend sites which are dedicated to free changes
only.</p>
<p>These features will make it possible for a JavaScript program included
in a web page to be free in a real and practical sense. JavaScript
will no longer be a particular obstacle to our freedom—no more than
C and Java are now. We will be able to reject and even replace the
nonfree nontrivial JavaScript programs, just as we reject and replace
nonfree packages that are offered for installation in the usual way.
Our campaign for web sites to free their JavaScript can then begin.</p>
<p>In the mean time, there's one case where it is acceptable to run a
nonfree JavaScript program: to send a complaint to the website
operators saying they should free or remove the JavaScript code in the
site. Please don't hesitate to enable JavaScript temporarily to do
that—but remember to disable it again afterwards.</p>
<!-- any links that used to point to the appendices should point to
free-your-javascript.html instead. -->
<div class="announcement">
<hr class="no-display" />
<p>Webmasters: there are
<a href="/software/librejs/free-your-javascript.html">several ways</a>
to indicate the license of JavaScript programs in a web site.</p>
<hr class="no-display" />
</div>
<p><strong>Acknowledgements:</strong> I thank <a href="/people/people.html#mattlee">Matt Lee</a>
and <a href="https://johnresig.com/">John Resig</a> for their help in
defining our proposed criterion, and David Parunakian for
bringing the problem to my attention.</p>
</div>
</div><!-- for id="content", starts in the include above -->
<!--#include virtual="/server/footer.html" -->
<div id="footer" role="contentinfo">
<div class="unprintable">
<p>Please send general FSF & GNU inquiries to
<a href="mailto:gnu@gnu.org"><gnu@gnu.org></a>.
There are also <a href="/contact/">other ways to contact</a>
the FSF. Broken links and other corrections or suggestions can be sent
to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>.</p>
<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
replace it with the translation of these two:
We work hard and do our best to provide accurate, good quality
translations. However, we are not exempt from imperfection.
Please send your comments and general suggestions in this regard
to <a href="mailto:web-translators@gnu.org">
<web-translators@gnu.org></a>.</p>
<p>For information on coordinating and contributing translations of
our web pages, see <a
href="/server/standards/README.translations.html">Translations
README</a>. -->
Please see the <a
href="/server/standards/README.translations.html">Translations
README</a> for information on coordinating and contributing translations
of this article.</p>
</div>
<!-- Regarding copyright, in general, standalone pages (as opposed to
files generated as part of manuals) on the GNU web server should
be under CC BY-ND 4.0. Please do NOT change or remove this
without talking with the webmasters or licensing team first.
Please make sure the copyright date is consistent with the
document. For web pages, it is ok to list just the latest year the
document was modified, or published.
If you wish to list earlier years, that is ok too.
Either "2001, 2002, 2003" or "2001-2003" are ok for specifying
years, as long as each year in the range is in fact a copyrightable
year, i.e., a year in which the document was published (including
being publicly visible on the web or in a revision control system).
There is more detail about copyright years in the GNU Maintainers
Information document, www.gnu.org/prep/maintain. -->
<p>Copyright © 2009-2013, 2016-2019, 2021 Richard Stallman</p>
<p>This page is licensed under a <a rel="license"
href="http://creativecommons.org/licenses/by-nd/4.0/">Creative
Commons Attribution-NoDerivatives 4.0 International License</a>.</p>
<!--#include virtual="/server/bottom-notes.html" -->
<p class="unprintable">Updated:
<!-- timestamp start -->
$Date: 2021/10/11 08:59:13 $
<!-- timestamp end -->
</p>
</div>
</div><!-- for class="inner", starts in the banner include -->
</body>
</html>
|
