Context

The JavaScript Trap is the idea that webpages have the ability to transmit programs to the user in the form of uncompressed or compressed JavaScript ("ECMAscript") code. Nearly all web browsers with the exception of GNU Icecat will silently evaluate all of this code by default. Not all JavaScript code is malicious or noteworthy to the user, but much of a JavaScript code run today on the client side is nonfree and therefore creates an uneven relationship between the user and the program. Even if the JS code is intended to be Free, only a proof of license and documentation can ensure it will be Free for its users.

LibreJS

Therefore, the LibreJS extension was created for Firefox derived browsers to be able to dynamically block nonfree JavaScript while also permitting free or otherwise trivial JavaScript to be run.

LibreJS can be obtained directly from the GNU Project here, it can also be installed automatically from the Mozilla Addons page here as well as several workaround scripts for some websites here

LibreJS should not be confused with extensions like NoScript which is used to block any and all JavaScript for security purposes (mostly used when browsing the Tor network). LibreJS is concerned with blocking JavaScript on the basis of software freedom, not security (though many security benefits can be achieved by blocking nonfree JS).

LibreJS should also not be confused with something like Greasemonkey which allows users to create and run their own JavaScript or modify existing ones. Greasemonkey is an example of how users can control their own computing in their web browsers by being able to create their own scripts. Websites that block Greasemonkey (websites which will also include proprietary JS) are therefore unjust.

Hexbear

Lemmy itself is released on the AGPLv3 license, therefore all the JavaScript code from the project is Free. However, that doesn't mean that the code sent by hexbear.net to its users is Free. In fact, this code is unique to hexbear.net specifically.

In fact, LibreJS blocks two scripts from Hexbear that gets run when users connect and render the site in their web browser.

Show

  • The hexbear.net script is uncompressed JavaScript code that sets meta tags, styles, themes, and a custom script to presumably do something important (I am not a web engineer evidently).

  • When it's done, it defers to the client.js script. This script is compacted JavaScript code which is unreadable to humans. It starts with this however:

/*! For license information please see client.js.LICENSE.txt */

LibreJS does not recognize this as free JS code, therefore it is blocked as well. This renders the site unusable as users cannot login nor see posts. They can see the site tagline so at least that code is trivial/free. The only solution is to whitelist the site completely.

Request

I ask the web admins of hexbear.net to liberate their JavaScript code so that it passes the LibreJS check. The resources on how to do that can be found below. LibreJS compliance will demonstrate that hexbear.net stands with creating a freer and more inclusive web for all and with the goals of libre software.

¡Viva software libre!

Errata

  • the client.js code is autogenerated by lemmy and has a free license. It has to do more with Lemmy itself rather than being an instance issue. Perhaps a feature request is in order?
  • you can view the client.js license through LibreJS as well, so there's no issue with whitelisting.
  • xXthrowawayXx [none/use name]
    ·
    1 year ago

    I’ll go a step further:

    Remove all javascript all together.

    This place should look like the wsws.

    • devnev [he/him]
      ·
      1 year ago

      How do you expect the upvote button to work? Reload the page and lose your position on every upvote?

    • jaeme
      hexagon
      ·
      1 year ago

      The lemmy backend stuff is all in Rust. CSS (always) and HTML do not pose any meaningful freedom concerns.

      Client side javascript is responsible for the webpage reactivity and interacting with the backend (the server database). JavaScript is not the enemy here, proprietary JS loaded without the users knowledge is.

    • PaX [comrade/them, they/them]
      ·
      edit-2
      1 year ago

      BASED

      Although actually maybe it would be better to host a separate frontend without any JS alongside the current fancy, slow, wildly overcomplicated, and unportable one for people who like the usual sleek UI

      My dream is Hexbear over 9P one day....

    • jaeme
      hexagon
      ·
      1 year ago

      If you hate javascript may I interest you in NoScript perhaps hehe.

  • faintbeep@lemm.ee
    ·
    1 year ago

    This would be better off as a feature request on the lemmy project. It's likely something hexbear admins can't change without significant work which would have to be repeated on every site update.

    In fact, this code is unique to hexbear.net specifically.

    This is almost certainly just the generic lemmy JS code with some hexbear specific constants (like the site URL) compiled in during deployment. The header script is data-only so the initial render isn't empty.

    /*! For license information please see client.js.LICENSE.txt */

    FYI you can add ".LICENSE.txt" to the javascript URL and read the licenses for all the compiled-in code. It doesn't appear to all be free, but again, likely nothing hexbear admins specifically can do about that.

    • jaeme
      hexagon
      ·
      1 year ago

      Yeah, I noticed this on every lemmy instance I went to so it's not specific to hexbear. Thanks for pointing that out.

      The code is licensed under the MIT expat license so its free. LibreJS does not detect the license file unfortunately.

      It's all free javascript no doubt but it's not created in a way that can get picked up by LibreJS. I'll look into having a feature request for that in Lemmy.

      • faintbeep@lemm.ee
        ·
        1 year ago

        It’s all free javascript no doubt

        Sorry if you already know all this, but just to be clear, the client.js.LICENSE.txt file is generated by the build system by collecting code comments related to licenses from every JavaScript dependency that ends up in bundled into client.js. I noticed this partway down:

        /*!
          Copyright (c) 2015 Jed Watson.
          Based on code that is Copyright 2013-2015, Facebook, Inc.
          All rights reserved.
        */
        

        So I'm not sure if the code in client.js is all free. Although I suspect that comment comes from exenv, which is actually BSD licensed per the LICENSE file.

        • jaeme
          hexagon
          ·
          1 year ago

          Oh! Good find, it seems like this rabbit hole goes deeper than I thought.

  • JackGreenEarth@lemm.ee
    ·
    1 year ago

    So it's just that you don't have a legal license to use the code? JavaScript has to be source available by design, there's no compilation with js.

    • jaeme
      hexagon
      ·
      edit-2
      1 year ago

      Good question.

      JavaScript can be compacted and compressed into human unreadable code. Freedom 1 states that the user must be able to study the source code, "ObfuScript" violates this freedom and therefore makes the JS nonfree. Hexbear's client.js is Obfuscript for example if you examine it using LibreJS.

      Remember that this is nontrivial JavaScript being run on your machine which thus makes it your computing. Server side computing is not relevant here (the distinction between hexbear.net and its lemmy backend)

      The lack of a Free software license (which disregards freedom 2 and 3 of editing and redistribution) and the inability to meaningfully study the source code (freedom 1) plus the fact that many web browsers do this by default without your control (freedom 0) is what makes this a pressing issue.

      there's no compilation with js.

      JavaScript is not compiled directly into machine code, but it can still be compiled into bytecode to be run by an JS runtime (think google V8 engine). Web browsers have become so adept at doing this that the user hardly notices.

      Languages like Python can be obfuscated if they are pre-compiled into byte code.