<!--#include virtual="/server/header.html" -->
<!-- Parent-Version: 1.79 1.84 -->
<title>The JavaScript Trap</title>
<!--#include virtual="/philosophy/po/javascript-trap.translist" -->
<!--#include virtual="/server/banner.html" -->

<h2>The JavaScript Trap</h2>

<p>by <a href="http://www.stallman.org/">Richard Stallman</a></p>

<p><strong>You may be running nonfree programs on your computer every
day without realizing it—through your web browser.</strong></p>

<!-- any links that used to point to the appendices should point to
     free-your-javascript.html instead.  -->

<blockquote>
<p>Webmasters: there are
<a href="/software/librejs/free-your-javascript.html">several ways</a>
to indicate the license of JavaScript programs in a web site.</p>
</blockquote>

<p>In the free software community, the idea that nonfree programs
mistreat their users is familiar.  Some of us defend our freedom by
rejecting all proprietary software on our computers.  Many others
recognize nonfreeness as a strike against the program.</p>

<p>Many users are aware that this issue applies to the plug-ins that
browsers offer to install, since they can be free or nonfree.  But
browsers run other nonfree programs which they don't ask you about, or
even tell you about—programs that web pages contain or link to.
These programs are most often written in JavaScript, though other
languages are also used.</p>

<p>JavaScript (officially called ECMAScript, but few use that name)
was once used for minor frills in web pages, such as cute but
inessential navigation and display features.  It was acceptable to
consider these as mere extensions of HTML markup, rather than as true
software, and disregard the issue.</p>

<p>Many sites still use JavaScript that way, but some use it for major
programs that do large jobs.  For instance, Google Docs tries to download into
your machine a JavaScript program which measures half a megabyte, in a
compacted form that we could call Obfuscript because it has no
comments and hardly any whitespace, and the method names are one
letter long.  The source code of a program is the preferred form for
modifying it; the compacted code is not source code, and the real
source code of this program is not available to the user.</p>

<p>In addition to being nonfree, many of these programs are malware
because
they <a href="http://github.com/w3c/fingerprinting-guidance/issues/8">snoop
on the user</a>.</p>

<p>Browsers don't normally tell you when they load JavaScript
programs.  Some browsers have a way to turn off JavaScript entirely,
but even if you're aware of this issue, it would take you considerable
trouble to identify the nontrivial nonfree programs and block them.
However, even in the free software community most users are not aware
of this issue; the browsers' silence tends to conceal it.</p>

<p>It is possible to release a JavaScript program as free software, by
distributing the source code under a free software license.  If the
program is self-contained—if its functioning and purpose are
independent of the page it came in—that is fine; you can copy it
to a file on your machine, modify it, and visit that file with a
browser to run it.  But that is an unusual case.</p>

<p>In the usual case, JavaScript programs are meant to work with a
particular page or site, and the page or site depends on them to
function.  Then another problem arises: even if the program's source
is available, browsers do not offer a way to run your modified version
instead of the original when visiting that page or site.  The effect
is comparable to tivoization, although in principle not quite so hard
to overcome.</p>

<p>JavaScript is not the only language web sites use for programs sent
to the user.  Flash supports programming through an extended variant
of JavaScript; if we ever have a sufficiently complete free Flash
player, we will need to deal with the issue of nonfree Flash programs.
Silverlight seems likely to create a problem similar to Flash, except
worse, since Microsoft uses it as a platform for nonfree codecs.  A
free replacement for Silverlight does not do the job for the free
world unless it normally comes with free replacement codecs.</p>

<p>Java applets also run in the browser, and raise similar issues.  In
general, any sort of applet system poses this sort of problem.  Having
a free execution environment for an applet only brings us far enough
to encounter the problem.</p>

<p>It is theoretically possible to program in HTML and CSS, but in
practice this capability is limited and inconvenient; merely to make
it do something is an impressive hack.  Such programs ought to be
free, but CSS is not a serious problem for users' freedom as of
2016.</p>

<p>A strong movement has developed that calls for web sites to
communicate only through formats and protocols that are free (some say
"open"); that is to say, whose documentation is published and which
anyone is free to implement.  With the presence of programs in web
pages, that criterion is necessary, but not sufficient.  JavaScript
itself, as a format, is free, and use of JavaScript in a web site is
not necessarily bad.  However, as we've seen above, it also isn't
necessarily OK.  When the site transmits a program to the user, it is
not enough for the program to be written in a documented and
unencumbered language; that program must be free, too.  “Only free
programs transmitted to the user” must become part of the criterion
for proper behavior by web sites.</p>

<p>Silently loading and running nonfree programs is one among several
issues raised by "web applications".  The term "web
application" was designed to disregard the fundamental
distinction between software delivered to users and software running
on a server.  It can refer to a specialized client program running
in a browser; it can refer to specialized server software; it can
refer to a specialized client program that works hand in hand with
specialized server software.  The client and server sides raise
different ethical issues, even if they are so closely integrated that
they arguably form parts of a single program.  This article addresses
only the issue of the client-side software.  We are addressing the
server issue separately.</p>

<p>In practical terms, how can we deal with the problem of nontrivial nonfree
JavaScript programs in web sites?  The first step is to avoid running
it.</p>

<p>What do we mean by "nontrivial"?  It is a matter of
degree, so this is a matter of designing a simple criterion that gives
good results, rather than finding the one correct answer.</p>
<p>
Our tentative policy is to consider a JavaScript program nontrivial if:</p>

<ul>
  <li>it makes an AJAX request or is loaded along with scripts that make
    an AJAX request,</li>

  <li>it loads external scripts dynamically or is loaded along with
    scripts that do,</li>

  <li>it defines functions or methods and either loads an external script
    (from html) or is loaded as one,</li>
  
  <li>it uses dynamic JavaScript constructs that are difficult to analyze
    without interpreting the program, or is loaded along with scripts
    that use such constructs.  These constructs are:
    <ul>
      <li>using the eval function,</li>
      <li>calling methods with the square bracket notation,</li>
      <li>using any other construct than a string literal with
	certain methods (Obj.write, Obj.createElement, ...).</li>
    </ul>
  </li>
</ul>

<p>How do we tell whether the JavaScript code is free?  In a <a 
href="/licenses/javascript-labels.html">separate article</a>,
we propose a method by which a nontrivial JavaScript
program in a web page can state the URL where its source code is
located, and can state its license too, using stylized comments.</p>

<p>Finally, we need to change free browsers to detect and block
nontrivial nonfree JavaScript in web pages.  The program
<a href="/software/librejs/">LibreJS</a> detects nonfree,
nontrivial JavaScript in pages you visit, and blocks it.  LibreJS is
included in IceCat, and available as an add-on for Firefox.</p>

<p>Browser users also need a convenient facility to specify JavaScript
code to use <em>instead</em> of the JavaScript in a certain page.
(The specified code might be total replacement, or a modified version
of the free JavaScript program in that page.)  Greasemonkey comes close
to being able to do this, but not quite, since it doesn't guarantee to
modify the JavaScript code in a page before that program starts to
execute.  Using a local proxy works, but is too inconvenient now to be
a real solution.  We need to construct a solution that is reliable and
convenient, as well as sites for sharing changes.  The GNU Project
would like to recommend sites which are dedicated to free changes
only.</p>

<p>These features will make it possible for a JavaScript program included
in a web page to be free in a real and practical sense.  JavaScript
will no longer be a particular obstacle to our freedom—no more than
C and Java are now.  We will be able to reject and even replace the
nonfree nontrivial JavaScript programs, just as we reject and replace
nonfree packages that are offered for installation in the usual way.
Our campaign for web sites to free their JavaScript can then begin.</p>

<p>In the mean time, there's one case where it is acceptable to run a
nonfree JavaScript program: to send a complaint to the website
operators saying they should free or remove the JavaScript code in the
site.  Please don't hesitate to enable JavaScript temporarily to do
that—but remember to disable it again afterwards.</p>

<!-- any links that used to point to the appendices should point to
     free-your-javascript.html instead.  -->

<blockquote>
<p>Webmasters: there are
<a href="/software/librejs/free-your-javascript.html">several ways</a>
to indicate the license of JavaScript programs in a web site.</p>
</blockquote>

<p><strong>Acknowledgements:</strong> I thank <a href="/people/people.html#mattlee">Matt Lee</a>
and <a href="http://ejohn.org">John Resig</a> for their help in
defining our proposed criterion, and David Parunakian for
bringing the problem to my attention.</p>

</div><!-- for id="content", starts in the include above -->
<!--#include virtual="/server/footer.html" -->
<div id="footer">
<div class="unprintable">

<p>Please send general FSF & GNU inquiries to
<a href="mailto:gnu@gnu.org"><gnu@gnu.org></a>.
There are also <a href="/contact/">other ways to contact</a>
the FSF.  Broken links and other corrections or suggestions can be sent
to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>.</p>

<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
        replace it with the translation of these two:

        We work hard and do our best to provide accurate, good quality
        translations.  However, we are not exempt from imperfection.
        Please send your comments and general suggestions in this regard
        to <a href="mailto:web-translators@gnu.org">
        <web-translators@gnu.org></a>.</p>

        <p>For information on coordinating and submitting translations of
        our web pages, see <a
        href="/server/standards/README.translations.html">Translations
        README</a>. -->
Please see the <a
href="/server/standards/README.translations.html">Translations
README</a> for information on coordinating and submitting translations
of this article.</p>
</div>

<!-- Regarding copyright, in general, standalone pages (as opposed to
     files generated as part of manuals) on the GNU web server should
     be under CC BY-ND 4.0.  Please do NOT change or remove this
     without talking with the webmasters or licensing team first.
     Please make sure the copyright date is consistent with the
     document.  For web pages, it is ok to list just the latest year the
     document was modified, or published.
     
     If you wish to list earlier years, that is ok too.
     Either "2001, 2002, 2003" or "2001-2003" are ok for specifying
     years, as long as each year in the range is in fact a copyrightable
     year, i.e., a year in which the document was published (including
     being publicly visible on the web or in a revision control system).
     
     There is more detail about copyright years in the GNU Maintainers
     Information document, www.gnu.org/prep/maintain. -->

<p>Copyright © 2009-2013, 2016, 2017 2017, 2018 Richard Stallman</p>

<p>This page is licensed under a <a rel="license"
href="http://creativecommons.org/licenses/by-nd/4.0/">Creative
Commons Attribution-NoDerivatives 4.0 International License</a>.</p>

<!--#include virtual="/server/bottom-notes.html" -->

<p class="unprintable">Updated:
<!-- timestamp start -->
$Date: 2018/02/09 09:04:47 $
<!-- timestamp end -->
</p>
</div>
</div>
</body>
</html>