help-librejs

Re: [Help-librejs] Detection of fake license information on websites?


From: Dmitry Alexandrov
Subject: Re: [Help-librejs] Detection of fake license information on websites?
Date: Sun, 03 Feb 2019 00:57:56 +0300
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

grizzlyuser <address@hidden> wrote:
> In my understanding, the main features of LibreJS are:
> 1. Detect non-free JS.
> 2. Block non-free JS.

Given the state of affairs on today’s Web, I would phrase it the other way
around: detect free javascripts and unblock them.  :-)

> One of the main reasons for that is to protect the user from the code that's 
> likely to be malicious in one way or another.
>
> Yes, there are sandboxes and anti-fingerprinting measures for JS in modern 
> web browsers, but AFAIK they do not provide 100% protection for user safety 
> and privacy anyway.

I’m not affiliated with LibreJS, yet let me tell you that no, you probably
misunderstood the goal.  That is not the main reason, not even the secondary.
Freedom has little to do with maliciousness or ‘privacy’.  Only with freedom.

> If a site publisher decides to serve some malicious minified / obfuscated JS
> code to all the visitors, and provides fake information about the license and
> source code on the webpage, in order to cheat LibreJS, are there any
> countermeasures for that?

Well, how can you provide fake information about the licence?  Except
perhaps when you grant rights which you are not eligible to grant (because
you are not the proprietor of the program or otherwise).  Note that this does
not necessarily require any evil intentions; it may also be an honest mistake.
In any case, that’s a thing we can hardly fully control whatsoever, for any
type of creative work.

You can indeed toss the user fake sources, though.

> Many software projects currently try to adopt reproducible builds practices 
> [1].
>
> But due to the nature of the Web, running JS code from untrusted 
> third-parties is very common, and there seems to be no easy solution to 
> follow that practice for every single website.

As far as I am aware, merely ‘minifying’ programs in Javascript contributes
virtually nothing to their effectiveness, so they can hardly be called ‘builds’.
In that case, all we need to do to ensure that the program is technically free
is just ignore the existence of the ‘minified’ version and run the actual source.

This is not a panacea, however.  It is possible that the source is not directly
runnable by the browser, but may indeed require some building from another
language, such as CoffeeScript.

> Instead of LibreJS, for now I chose to disable JS altogether on almost all 
> websites I visit.

That is, probably, a good choice.  I do the same.

> Extensions like NoScript and uBlock Origin both can block all JS code by 
> default on non-whitelisted websites.

I chose µMatrix, since unlike µBlock (by the same author) it not only blocks
scripts but also properly shows <noscript> content when they are blocked, and
unlike NoScript, which does that unconditionally, it allows altering this
behaviour on a per-domain basis.  It also provides an interface to cookies’
policy and all other supported content policies, while µBlock only to some.
(No, I do not have the slightest idea why their author decided to release two
programs with deeply yet not completely intersecting feature sets.)
