summaryrefslogtreecommitdiff
path: root/docs/javascript-trap.md
diff options
context:
space:
mode:
authorTong Hui <tonghuix@gmail.com>2016-03-25 16:52:03 +0800
committerTong Hui <tonghuix@gmail.com>2016-03-25 16:52:03 +0800
commit5d6f7b414de4b04ddc19629ac6d1f5e5f3cb42ac (patch)
treeb7d47d7d26bf9cd76ceeae138c71d4a99c7ac662 /docs/javascript-trap.md
downloadfsfs-zh-5d6f7b414de4b04ddc19629ac6d1f5e5f3cb42ac.tar.xz
first
Diffstat (limited to 'docs/javascript-trap.md')
-rw-r--r--docs/javascript-trap.md265
1 files changed, 265 insertions, 0 deletions
diff --git a/docs/javascript-trap.md b/docs/javascript-trap.md
new file mode 100644
index 0000000..84460e5
--- /dev/null
+++ b/docs/javascript-trap.md
@@ -0,0 +1,265 @@
+---
+Generator: 'texi2html 1.82'
+description: Untitled Document
+distribution: global
+keywords: Untitled Document
+resource-type: document
+title: Untitled Document
+...
+
+1. The JavaScript Trap {#the-javascript-trap .chapter}
+======================
+
+@firstcopyingnotice{{Copyright © 2009–2013 Richard Stallman\
+ {This essay was first published on <http://gnu.org>, in 2009. This
+version is part of @fsfsthreecite}
+
+> **You may be running nonfree programs on your computer every day
+> without realizing it—through your web browser.**
+
+In the free software community, the idea that nonfree programs mistreat
+their users is familiar. Some of us refuse entirely to install
+proprietary software, and many others consider nonfreedom a strike
+against the program. Many users are aware that this issue applies to the
+plug-ins that browsers offer to install, since they can be free or
+nonfree.
+
+But browsers run other nonfree programs which they don’t ask you about
+or even tell you about—programs that web pages contain or link to. These
+programs are most often written in JavaScript, though other languages
+are also used.
+
+JavaScript (officially called ECMAScript, but few use that name) was
+once used for minor frills in web pages, such as cute but inessential
+navigation and display features. It was acceptable to consider these as
+mere extensions of HTML markup, rather than as true software; they did
+not constitute a significant issue.
+
+Many sites still use JavaScript that way, but some use it for major
+programs that do large jobs. For instance, Google Docs downloads into
+your machine a JavaScript program which measures half a megabyte, in a
+compacted form that we could call Obfuscript because it has no comments
+and hardly any whitespace, and the method names are one letter long. The
+source code of a program is the preferred form for modifying it; the
+compacted code is not source code, and the real source code of this
+program is not available to the user.
+
+Browsers don’t normally tell you when they load JavaScript programs.
+Most browsers have a way to turn off JavaScript entirely, but none of
+them can check for JavaScript programs that are nontrivial and nonfree.
+Even if you’re aware of this issue, it would take you considerable
+trouble to identify and then block those programs. However, even in the
+free software community most users are not aware of this issue; the
+browsers’ silence tends to conceal it.
+
+It is possible to release a JavaScript program as free software, by
+distributing the source code under a free software license. But even if
+the program’s source is available, there is no easy way to run your
+modified version instead of the original. Current free browsers do not
+offer a facility to run your own modified version instead of the one
+delivered in the page. The effect is comparable to tivoization, although
+not quite so hard to overcome.
+
+JavaScript is not the only language web sites use for programs sent to
+the user. Flash supports programming through an extended variant of
+JavaScript. We will need to study the issue of Flash to make suitable
+recommendations. Silverlight seems likely to create a problem similar to
+Flash, except worse, since Microsoft uses it as a platform for nonfree
+codecs. A free replacement for Silverlight does not do the job for the
+free world unless it normally comes with free replacement codecs.
+
+Java applets also run in the browser, and raise similar issues. In
+general, any sort of applet system poses this sort of problem. Having a
+free execution environment for an applet only brings us far enough to
+encounter the problem.
+
+A strong movement has developed that calls for web sites to communicate
+only through formats and protocols that are free (some say “open”); that
+is to say, whose documentation is published and which anyone is free to
+implement. With the presence of programs in web pages, that criterion is
+necessary, but not sufficient. JavaScript itself, as a format, is free,
+and use of JavaScript in a web site is not necessarily bad. However, as
+we’ve seen above, it also isn’t necessarily OK. When the site transmits
+a program to the user, it is not enough for the program to be written in
+a documented and unencumbered language; that program must be free, too.
+“Only free programs transmitted to the user” must become part of the
+criterion for proper behavior by web sites.
+
+Silently loading and running nonfree programs is one among several
+issues raised by “web applications.” The term “web application” was
+designed to disregard the fundamental distinction between software
+delivered to users and software running on the server. It can refer to a
+specialized client program running in a browser; it can refer to
+specialized server software; it can refer to a specialized client
+program that works hand in hand with specialized server software. The
+client and server sides raise different ethical issues, even if they are
+so closely integrated that they arguably form parts of a single program.
+This article addresses only the issue of the client-side software. We
+are addressing the server issue separately.
+
+In practical terms, how can we deal with the problem of nonfree
+JavaScript programs in web sites? The first step is to avoid running it.
+
+What do we mean by “nontrivial”? It is a matter of degree, so this is a
+matter of designing a simple criterion that gives good results, rather
+than finding the one correct answer.
+
+Our tentative policy is to consider a JavaScript program nontrivial if:
+
+- it makes an AJAX request or is loaded along with scripts that make
+ an AJAX request,
+- it loads external scripts dynamically or is loaded along with
+ scripts that do,
+- it defines functions or methods and either loads an external script
+ (from html) or is loaded as one,
+- it uses dynamic JavaScript constructs that are difficult to analyze
+ without interpreting the program, or is loaded along with scripts
+ that use such constructs. These constructs are:
+
+ @jstrap
+
+ - using the eval function,
+ - calling methods with the square bracket notation,
+ - using any other construct than a string literal with certain
+ methods (Obj.write, Obj.createElement,…).
+
+How do we tell whether the JavaScript code is free? At the end of this
+article we propose a convention by which a nontrivial JavaScript program
+in a web page can state the URL where its source code is located, and
+can state its license too, using stylized comments.
+
+Finally, we need to change free browsers to detect and block nontrivial
+nonfree JavaScript in web pages. The program LibreJS detects nonfree,
+nontrivial JavaScript in pages you visit, and blocks it.[(1)](#FOOT1)
+LibreJS is an add-on for IceCat and IceWeasel (and Firefox).
+
+Browser users also need a convenient facility to specify JavaScript code
+to use *instead* of the JavaScript in a certain page. (The specified
+code might be total replacement, or a modified version of the free
+JavaScript program in that page.) Greasemonkey comes close to being able
+to do this, but not quite, since it doesn’t guarantee to modify the
+JavaScript code in a page before that program starts to execute. Using a
+local proxy works, but is too inconvenient now to be a real solution. We
+need to construct a solution that is reliable and convenient, as well as
+sites for sharing changes. The GNU Project would like to recommend sites
+which are dedicated to free changes only.
+
+These features will make it possible for a JavaScript program included
+in a web page to be free in a real and practical sense. JavaScript will
+no longer be a particular obstacle to our freedom—no more than C and
+Java are now. We will be able to reject and even replace the nonfree
+nontrivial JavaScript programs, just as we reject and replace nonfree
+packages that are offered for installation in the usual way. Our
+campaign for web sites to free their JavaScript can then begin.
+
+In the mean time, there’s one case where it is acceptable to run a
+nonfree JavaScript program: to send a complaint to the web site
+operators saying they should free or remove the JavaScript code in the
+site. Please don’t hesitate to enable JavaScript temporarily to do
+that—but remember to disable it again afterwards.
+
+### Appendix A: A Convention for Releasing Free JavaScript Programs {#appendix-a-a-convention-for-releasing-free-javascript-programs .subheading}
+
+For references to corresponding source code, we recommend
+
++--------------------------------------+--------------------------------------+
+|   | ``` {.smallexample} |
+| | // @source: |
+| | ``` |
++--------------------------------------+--------------------------------------+
+
+followed by the URL. This satisfies the GNU GPL’s requirement to
+distribute source code. If the source is on a different site, you must
+take care to handle that properly. Source code is necessary for the
+program to be free.
+
+To indicate the license of the JavaScript code embedded in a page, we
+recommend putting the license notice between two notes of this form:
+
++--------------------------------------+--------------------------------------+
+|   | ``` {.smallexample} |
+| | @licstart The following is the |
+| | entire license notice for the |
+| | JavaScript code in this page. |
+| | ... |
+| | @licend The above is the entire |
+| | license notice |
+| | for the JavaScript code in this |
+| | page. |
+| | ``` |
++--------------------------------------+--------------------------------------+
+
+Of course, all of this should be contained in a multiline comment.
+
+The GNU GPL, like many other free software licenses, requires
+distribution of a copy of the license with both source and binary forms
+of the program. However, the GNU GPL is long enough that including it in
+a page with a JavaScript program can be inconvenient. You can remove
+that requirement, for code that you have the copyright on, with a
+license notice like this:
+
++--------------------------------------+--------------------------------------+
+|   | ``` {.smallexample} |
+| | Copyright (C) YYYY Developer |
+| | |
+| | The JavaScript code in this page |
+| | is free software: you can |
+| | redistribute it and/or modify it |
+| | under the terms of the GNU |
+| | General Public License (GNU GPL) |
+| | as published by the Free Software |
+| | Foundation, either version 3 of |
+| | the License, or (at your option) |
+| | any later version. The code is |
+| | distributed WITHOUT ANY WARRANTY; |
+| | without even the implied warrant |
+| | y of MERCHANTABILITY or FITNESS |
+| | FOR A PARTICULAR PURPOSE. See t |
+| | he GNU GPL for more details. |
+| | |
+| | As additional permission under G |
+| | NU GPL version 3 section 7, you |
+| | may distribute non-source (e.g., |
+| | minimized or compacted) forms of |
+| | that code without the copy of th |
+| | e GNU GPL normally required by |
+| | section 4, provided you include |
+| | this license notice and a URL |
+| | through which recipients can acc |
+| | ess the Corresponding Source. |
+| | ``` |
++--------------------------------------+--------------------------------------+
+
+I thank Jaffar Rumith for bringing this issue to my attention.
+
+### Appendix B: Publishing Free JavaScript Programs As a Webmaster {#appendix-b-publishing-free-javascript-programs-as-a-webmaster .subheading}
+
+If you’re a webmaster deploying free JavaScript software on your site,
+clearly and consistently publishing information about those files’
+licenses and source code helps your visitors make sure that they’re
+running free software, and help you comply with license conditions.
+
+One method of stating the licenses is the one described above in
+Appendix A. A second method, JavaScript license web labels, can be more
+convenient for libraries of minified JavaScript code, especially when
+you didn’t write them.
+
+<div class="footnote">
+
+------------------------------------------------------------------------
+
+### Footnotes
+
+### [(1)](#DOCF1)
+
+@raggedright The LibreJS project (<http://gnu.org/software/librejs/>) is
+in need of JavaScript programmers. If you have the necessary skills,
+please help us maintain this valuable browser extension. @end
+raggedright
+
+</div>
+
+------------------------------------------------------------------------
+
+This document was generated by *tonghuix* on *March 25, 2016* using
+[*texi2html 1.82*](http://www.nongnu.org/texi2html/).\