The JavaScript Trap - GNU Project - Free Software Foundation
www.gnu.org

Context

The JavaScript Trap is the idea that webpages have the ability to transmit programs to the user in the form of uncompressed or compressed JavaScript ("ECMAscript") code. Nearly all web browsers with the exception of GNU Icecat will silently evaluate all of this code by default. Not all JavaScript code is malicious or noteworthy to the user, but much of a JavaScript code run today on the client side is nonfree and therefore creates an uneven relationship between the user and the program. Even if the JS code is intended to be Free, only a proof of license and documentation can ensure it will be Free for its users.

LibreJS

Therefore, the LibreJS extension was created for Firefox derived browsers to be able to dynamically block nonfree JavaScript while also permitting free or otherwise trivial JavaScript to be run.

LibreJS can be obtained directly from the GNU Project here, it can also be installed automatically from the Mozilla Addons page here as well as several workaround scripts for some websites here

LibreJS should not be confused with extensions like NoScript which is used to block any and all JavaScript for security purposes (mostly used when browsing the Tor network). LibreJS is concerned with blocking JavaScript on the basis of software freedom, not security (though many security benefits can be achieved by blocking nonfree JS).

LibreJS should also not be confused with something like Greasemonkey which allows users to create and run their own JavaScript or modify existing ones. Greasemonkey is an example of how users can control their own computing in their web browsers by being able to create their own scripts. Websites that block Greasemonkey (websites which will also include proprietary JS) are therefore unjust.

Hexbear

Lemmy itself is released on the AGPLv3 license, therefore all the JavaScript code from the project is Free. However, that doesn't mean that the code sent by hexbear.net to its users is Free. In fact, this code is unique to hexbear.net specifically.

In fact, LibreJS blocks two scripts from Hexbear that gets run when users connect and render the site in their web browser.

Show

  • The hexbear.net script is uncompressed JavaScript code that sets meta tags, styles, themes, and a custom script to presumably do something important (I am not a web engineer evidently).

  • When it's done, it defers to the client.js script. This script is compacted JavaScript code which is unreadable to humans. It starts with this however:

/*! For license information please see client.js.LICENSE.txt */

LibreJS does not recognize this as free JS code, therefore it is blocked as well. This renders the site unusable as users cannot login nor see posts. They can see the site tagline so at least that code is trivial/free. The only solution is to whitelist the site completely.

Request

I ask the web admins of hexbear.net to liberate their JavaScript code so that it passes the LibreJS check. The resources on how to do that can be found below. LibreJS compliance will demonstrate that hexbear.net stands with creating a freer and more inclusive web for all and with the goals of libre software.

¡Viva software libre!

Errata

  • the client.js code is autogenerated by lemmy and has a free license. It has to do more with Lemmy itself rather than being an instance issue. Perhaps a feature request is in order?
  • you can view the client.js license through LibreJS as well, so there's no issue with whitelisting.
  • jaemeM
    ·
    11 months ago

    Yeah, I noticed this on every lemmy instance I went to so it's not specific to hexbear. Thanks for pointing that out.

    The code is licensed under the MIT expat license so its free. LibreJS does not detect the license file unfortunately.

    It's all free javascript no doubt but it's not created in a way that can get picked up by LibreJS. I'll look into having a feature request for that in Lemmy.

    • faintbeep@lemm.ee
      ·
      11 months ago

      It’s all free javascript no doubt

      Sorry if you already know all this, but just to be clear, the client.js.LICENSE.txt file is generated by the build system by collecting code comments related to licenses from every JavaScript dependency that ends up in bundled into client.js. I noticed this partway down:

      /*!
  Copyright (c) 2015 Jed Watson.
  Based on code that is Copyright 2013-2015, Facebook, Inc.
  All rights reserved.
*/

      So I'm not sure if the code in client.js is all free. Although I suspect that comment comes from exenv, which is actually BSD licensed per the LICENSE file.

      • jaemeM
        ·
        11 months ago

        Oh! Good find, it seems like this rabbit hole goes deeper than I thought.