[Help-librejs] Detection of fake license information on websites?
From: grizzlyuser
Subject: [Help-librejs] Detection of fake license information on websites?
Date: Sat, 02 Feb 2019 13:20:48 +0000

Some time ago I tried to use LibreJS in my default web browser, but then
disabled it, because of a lack of good understanding of how it works and what
exactly it does.

In my understanding, the main features of LibreJS are:

1. Detect non-free JS.
2. Block non-free JS. One of the main reasons for that is to protect the user
from code that's likely to be malicious in one way or another. Yes, there
are sandboxes and anti-fingerprinting measures for JS in modern web browsers,
but AFAIK they do not provide 100% protection for user safety and privacy
anyway.

Now let's imagine the user-base of LibreJS is huge, and many websites have to
take that user-base into account (unfortunately, I doubt all this is true now).
If a site publisher decides to serve some malicious minified / obfuscated JS code
to all the visitors, and provides fake information about the license and source
code on the webpage, in order to cheat LibreJS, are there any countermeasures
for that?

If there's nothing, then both those main features fail to work in that specific
case. I understand that this issue is not unique to LibreJS, but applies to all
software in general. Many software projects currently try to adopt reproducible
builds practices [1]. But due to the nature of the Web, running JS code from
untrusted third-parties is very common, and there seems to be no easy solution
to follow that practice for every single website.

Instead of LibreJS, for now I chose to disable JS altogether on almost all
websites I visit. Extensions like NoScript and uBlock Origin can both block all
JS code by default on non-whitelisted websites.

As studying and understanding the full source code of LibreJS is not my top
priority currently (unfortunately), I decided to ask here about the issue I'm
concerned about, so maybe someone familiar with the internal workings will be
able to answer it.

[1]: https://reproducible-builds.org/