[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Help-librejs] Detection of fake license information on websites?

From: Dmitry Alexandrov
Subject: Re: [Help-librejs] Detection of fake license information on websites?
Date: Sun, 03 Feb 2019 00:57:56 +0300
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

grizzlyuser <address@hidden> wrote:
> In my understanding, the main features of LibreJS are:
> 1. Detect non-free JS.
> 2. Block non-free JS.

Given the state of affairs at the today’s Web, I would phrase it the other way 
around: detect free javascripts and unblock them.  :-)

> One of the main reasons for that is to protect the user from the code that's 
> likely to be malicious in one way or another.
> Yes, there are sandboxes and anti-fingerprinting measures for JS in modern 
> web browsers, but AFAIK they do not provide 100% protection for user safety 
> and privacy anyway.

I’m not affiliated with LibreJS, yet let me tell you, that no, you probably 
misunderstood the goal.  That is not the main reason, not even the secondary.  
Freedom has little to do with maliciousness or ‘privacy’.  Only with freedom.

> If site publisher decides to serve some malicious minified / obfuscated JS 
> code to all the visitors, and provides fake information about the license and 
> source code on the webpage, in order to cheat LibreJS, are there any 
> countermeasures for that?

Well, how can you provide a fake information about the licence?  Except 
perhaps, when you grant rights, which you are not eligible to grant (because 
you are not the proprietor of the program or otherwise).  Note, that does not 
necessary require any evil intentions, it also may be a honest mistake.  In any 
case, that’s a thing we hardly can fully control whatsoever, for any type of 
creative work.

You indeed can toss user a fake sources, though.

> Many software projects currently try to adopt reproducible builds practices 
> [1].
> But due to the nature of the Web, running JS code from untrusted 
> third-parties is very common, and there seems to be no easy solution to 
> follow that practice for every single website.

As far as I am aware, mere ‘minifying’ programs in Javascript contributes 
virtually nothing to their effectiveness, so they hardy may be called ‘builds’. 
 In that case, all we need to ensure that the program is technically free is 
just ignore the existence of ‘minified’ version one and run the actual source.

This is not panacea, however.  It is possible, that the source is not directly 
runnable by browser, but indeed may require some building from another 
language, such as Coffescript.

> Instead of LibreJS, for now I chose to disable JS altogether on almost all 
> websites I visit.

That is, probably, a good choice.  I do the same.

> Extensions like NoScript and uBlock Origin both can block all JS code by 
> default on non-whitelisted websites.

I chose µMatrix, since unlike µBlock (by the same author) it not only blocks 
scripts but also properly shows <noscript> content when they are blocked, and 
unlike NoScript, which does that unconditionally, it allows to alter this 
behaviour on per-domain basis.  It also provides an interface to cookies’ 
policy and all other supported content policies, while µBlock only to some.  
(No, I have no a slightest idea, why their author decided to release two 
programs with deeply yet not completely intersecting featuresets.)

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]