
[Help-librejs] Detection of fake license information on websites?


From: grizzlyuser
Subject: [Help-librejs] Detection of fake license information on websites?
Date: Sat, 02 Feb 2019 13:20:48 +0000

Some time ago I tried to use LibreJS in my default web browser, but then 
disabled it, because of a lack of good understanding of how it works and what 
exactly it does.

In my understanding, the main features of LibreJS are:
1. Detect non-free JS.
2. Block non-free JS. One of the main reasons for that is to protect the user 
from the code that's likely to be malicious in one way or another. Yes, there 
are sandboxes and anti-fingerprinting measures for JS in modern web browsers, 
but AFAIK they do not provide 100% protection for user safety and privacy 
anyway.

Now let's imagine the user-base of LibreJS is huge, and many websites have to 
take that user-base into account (unfortunately, I doubt all this is true now). 
If a site publisher decides to serve some malicious minified / obfuscated JS code 
to all the visitors, and provides fake information about the license and source 
code on the webpage, in order to cheat LibreJS, are there any countermeasures 
for that?

If there's nothing, then both those main features fail to work in that specific 
case. I understand that this issue is not unique to LibreJS only, but to all 
software in general. Many software projects currently try to adopt reproducible 
builds practices [1]. But due to the nature of the Web, running JS code from 
untrusted third-parties is very common, and there seems to be no easy solution 
to follow that practice for every single website.

Instead of LibreJS, for now I chose to disable JS altogether on almost all 
websites I visit. Extensions like NoScript and uBlock Origin both can block all 
JS code by default on non-whitelisted websites.

As studying and understanding the full source code of LibreJS is not my top 
priority currently (unfortunately), I decided to ask here about the issue I'm 
concerned about, so maybe someone familiar with the internal workings will be 
able to answer it.

[1]: https://reproducible-builds.org/
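
An added illustration of the concern raised in this message (not part of the original post, and not LibreJS's own code or behaviour): a check that only reads a license label accepts any script carrying that label, while pinning the served bytes to the hash of an independently rebuilt source, in the spirit of reproducible builds, rejects a swapped script. The `@license` comment syntax, the `manifest` of pinned hashes, the URL and all sample scripts are assumptions constructed for the example.

```javascript
// Added example: not LibreJS code. Marker syntax, manifest and samples are constructed.
const { createHash } = require("node:crypto");

const FREE_LICENSES = new Set(["GPL-3.0-or-later", "MIT", "Apache-2.0"]);
const sha256 = (text) => createHash("sha256").update(text, "utf8").digest("hex");

// Check 1: trusts the license label that the script carries about itself.
function labelOnlyCheck(script) {
  const m = /^\/\/ @license\s+(\S+)/m.exec(script);
  return m !== null && FREE_LICENSES.has(m[1]);
}

// Check 2: also requires the served bytes to match a hash obtained by someone
// who rebuilt the declared source (hypothetical manifest: URL -> SHA-256 hex).
function pinnedCheck(url, script, manifest) {
  if (!labelOnlyCheck(script)) return { accepted: false, reason: "no-free-license-label" };
  const expected = manifest.get(url);
  if (expected === undefined) return { accepted: false, reason: "no-pinned-build" };
  if (sha256(script) !== expected) return { accepted: false, reason: "hash-mismatch" };
  return { accepted: true, reason: "matches-pinned-build" };
}

// Constructed samples: both carry the same label, only one matches the source.
const URL_APP = "https://example.org/app.min.js";
const honestBuild =
  "// @license GPL-3.0-or-later\nfunction greet(n){return 'hi '+n}\n// @license-end\n";
const swappedBuild =
  "// @license GPL-3.0-or-later\nfunction greet(n){track(n);return 'hi '+n}\n// @license-end\n";

// Stand-in for a hash published after an independent rebuild of the source.
const manifest = new Map([[URL_APP, sha256(honestBuild)]]);

function demo() {
  return {
    labelOnSwapped: labelOnlyCheck(swappedBuild),
    pinnedOnSwapped: pinnedCheck(URL_APP, swappedBuild, manifest),
    pinnedOnHonest: pinnedCheck(URL_APP, honestBuild, manifest),
  };
}

console.log(demo());
```

The pinned check only moves the trust decision to whoever rebuilds the source and publishes the hash; a script with no pinned build is rejected rather than accepted on its label.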


