Context

The JavaScript Trap is the idea that webpages have the ability to transmit programs to the user in the form of uncompressed or compressed JavaScript ("ECMAscript") code. Nearly all web browsers with the exception of GNU Icecat will silently evaluate all of this code by default. Not all JavaScript code is malicious or noteworthy to the user, but much of a JavaScript code run today on the client side is nonfree and therefore creates an uneven relationship between the user and the program. Even if the JS code is intended to be Free, only a proof of license and documentation can ensure it will be Free for its users.

LibreJS

Therefore, the LibreJS extension was created for Firefox derived browsers to be able to dynamically block nonfree JavaScript while also permitting free or otherwise trivial JavaScript to be run.

LibreJS can be obtained directly from the GNU Project here, it can also be installed automatically from the Mozilla Addons page here as well as several workaround scripts for some websites here

LibreJS should not be confused with extensions like NoScript which is used to block any and all JavaScript for security purposes (mostly used when browsing the Tor network). LibreJS is concerned with blocking JavaScript on the basis of software freedom, not security (though many security benefits can be achieved by blocking nonfree JS).

LibreJS should also not be confused with something like Greasemonkey which allows users to create and run their own JavaScript or modify existing ones. Greasemonkey is an example of how users can control their own computing in their web browsers by being able to create their own scripts. Websites that block Greasemonkey (websites which will also include proprietary JS) are therefore unjust.

Hexbear

Lemmy itself is released on the AGPLv3 license, therefore all the JavaScript code from the project is Free. However, that doesn't mean that the code sent by hexbear.net to its users is Free. In fact, this code is unique to hexbear.net specifically.

In fact, LibreJS blocks two scripts from Hexbear that gets run when users connect and render the site in their web browser.

Show

  • The hexbear.net script is uncompressed JavaScript code that sets meta tags, styles, themes, and a custom script to presumably do something important (I am not a web engineer evidently).

  • When it's done, it defers to the client.js script. This script is compacted JavaScript code which is unreadable to humans. It starts with this however:

/*! For license information please see client.js.LICENSE.txt */

LibreJS does not recognize this as free JS code, therefore it is blocked as well. This renders the site unusable as users cannot login nor see posts. They can see the site tagline so at least that code is trivial/free. The only solution is to whitelist the site completely.

Request

I ask the web admins of hexbear.net to liberate their JavaScript code so that it passes the LibreJS check. The resources on how to do that can be found below. LibreJS compliance will demonstrate that hexbear.net stands with creating a freer and more inclusive web for all and with the goals of libre software.

¡Viva software libre!

Errata

  • the client.js code is autogenerated by lemmy and has a free license. It has to do more with Lemmy itself rather than being an instance issue. Perhaps a feature request is in order?
  • you can view the client.js license through LibreJS as well, so there's no issue with whitelisting.
  • jaeme
    hexagon
    ·
    edit-2
    1 year ago

    Good question.

    JavaScript can be compacted and compressed into human unreadable code. Freedom 1 states that the user must be able to study the source code, "ObfuScript" violates this freedom and therefore makes the JS nonfree. Hexbear's client.js is Obfuscript for example if you examine it using LibreJS.

    Remember that this is nontrivial JavaScript being run on your machine which thus makes it your computing. Server side computing is not relevant here (the distinction between hexbear.net and its lemmy backend)

    The lack of a Free software license (which disregards freedom 2 and 3 of editing and redistribution) and the inability to meaningfully study the source code (freedom 1) plus the fact that many web browsers do this by default without your control (freedom 0) is what makes this a pressing issue.

    there's no compilation with js.

    JavaScript is not compiled directly into machine code, but it can still be compiled into bytecode to be run by an JS runtime (think google V8 engine). Web browsers have become so adept at doing this that the user hardly notices.

    Languages like Python can be obfuscated if they are pre-compiled into byte code.