<!--#include virtual="/server/header.html" -->
<!-- Parent-Version: 1.84 1.96 -->
<!-- This page is derived from /server/standards/boilerplate.html -->
<!--#set var="TAGS" value="essays licensing traps" -->
<!--#set var="DISABLE_TOP_ADDENDUM" value="yes" -->
<title>The JavaScript Trap</title> Trap - GNU Project - Free Software Foundation</title>
<!--#include virtual="/philosophy/po/javascript-trap.translist" -->
<!--#include virtual="/server/banner.html" -->
<!--#include virtual="/philosophy/ph-breadcrumb.html" -->
<!--#include virtual="/server/top-addendum.html" -->
<div class="article reduced-width">
<h2>The JavaScript Trap</h2>


<address class="byline">by <a href="http://www.stallman.org/">Richard Stallman</a></p> href="https://www.stallman.org/">Richard

<p><strong>You may be running nonfree programs on your computer every
day without realizing it—through your web browser.</strong></p>

<!-- any links that used to point to the appendices should point to
     free-your-javascript.html instead.  -->


<div class="announcement">
<hr class="no-display" />
<p>Webmasters: there are
<a href="/software/librejs/free-your-javascript.html">several ways</a>
to indicate the license of JavaScript programs in a web site.</p>
<hr class="no-display" />

<p>In the free software community, the idea that
<a href="/philosophy/free-software-even-more-important.html">
any nonfree programs
mistreat their users program mistreats its users</a> is familiar.  Some of us
defend our freedom by rejecting all proprietary software on our
computers.  Many others recognize nonfreeness as a strike against the

<p>Many users are aware that this issue applies to the plug-ins that
browsers offer to install, since they can be free or nonfree.  But
browsers run other nonfree programs which they don't ask you about, or
even tell you about—programs that web pages contain or link to.
These programs are most often written in JavaScript, though other
languages are also used.</p>

<p>JavaScript (officially called ECMAScript, but few use that name)
was once used for minor frills in web pages, such as cute but
inessential navigation and display features.  It was acceptable to
consider these as mere extensions of HTML markup, rather than as true
software, and disregard the issue.</p>


<p>Some sites still use JavaScript that way, but some many use it for major
programs that do large jobs.  For instance, Google Docs tries to download
install into your machine browser a JavaScript program which measures half a
megabyte, in a compacted form that we could call Obfuscript because it has no
comments Obfuscript.  This
compacted form is made from the source code, by deleting the extra
spaces that make the code readable and hardly any whitespace, the explanatory remarks that
make it comprehensible, and replacing each meaningful name in the method names are one
letter long. code
with an arbitrary short name so we can't tell what it is supposed to

<p>Part of the <a href="/philosophy/free-sw.html">meaning of free
software</a> is that users have access to the program's source code
(its plan).  The source code of a program is means the preferred form for
modifying it; the compacted
programmers to modify—including helpful spacing, explanatory
remarks, and meaningful names.  Compacted code is not a bogus, useless
substitute for source code, and code; the real source code of this program these programs is
not available to the user.</p> users, so users cannot understand it; therefore
the programs are nonfree.</p>

<p>In addition to being nonfree, many of these programs
are malware <em>malware</em> because
they <a href="http://github.com/w3c/fingerprinting-guidance/issues/8">snoop href="https://github.com/w3c/fingerprinting-guidance/issues/8">snoop
on the user</a>.</p> user</a>.  Even nastier, some sites use services which record
<a href="https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/">all
the user's actions while looking at the page</a>.  The services
supposedly “redact” the recordings to exclude some
sensitive data that the web site shouldn't get.  But even if that
works reliably, the whole purpose of these services is to give the web
site other personal data that it shouldn't get.</p>

<p>Browsers don't normally tell you when they load JavaScript
programs.  Some browsers have a way to turn off JavaScript entirely,
but even if you're aware of this issue, it would take you considerable
trouble to identify the nontrivial nonfree programs and block them.
However, even in the free software community most users are not aware
of this issue; the browsers' silence tends to conceal it.</p>


<p>To be clear, the language JavaScript is not inherently better or worse 
for users' freedom than any other language.
It is possible to release a JavaScript program as free software, by
distributing the source code under a free software license.  If the
program is self-contained—if its functioning and purpose are
independent of the page it came in—that is fine; you can copy it
to a file on your machine, modify it, and visit that file with a
browser to run it.  But that is an unusual case.</p>

<p>In  It's even possible to package it for installation
just like other free programs and invocation with a shell command.
These programs present no special moral issue different from those
of C programs.</p>

<p>The issue of the usual case, JavaScript trap applies when the JavaScript
program comes along with a web page that users visit.
Those JavaScript programs are meant written to work with a
particular page or site, and the page or site depends on them to

<p>Suppose you copy and modify the page's JavaScript code.
Then another problem arises: even if the program's source
is available, browsers do not offer a way to run your modified version
instead of the original when visiting that page or site.  The effect
is comparable to tivoization, although in principle not quite so hard
to overcome.</p>

<p>JavaScript is not the only language web sites use for programs sent
to the user.  Flash supports supported programming through an extended variant
of JavaScript; if we ever have JavaScript, but that is a sufficiently complete free Flash
player, we will need to deal with the issue thing of nonfree Flash programs. the past.  Microsoft Silverlight
seems likely to create a problem similar to Flash, except worse, since
Microsoft uses it as a platform for nonfree codecs.  A free
replacement for Silverlight does not do the job adequately for the
free world unless it normally comes with free replacement codecs.</p>

<p>Java applets also run in the browser, and raise similar issues.  In
general, any sort of applet system poses this sort of problem.  Having
a free execution environment for an applet only brings us far enough
to encounter the problem.</p>

<p>It is theoretically possible to program in HTML and CSS, but in
practice this capability is limited and inconvenient; merely to make
it do something is an impressive hack.  Such programs ought to be
free, but CSS is not a serious problem for users' freedom as of

<p>A strong movement has developed that calls for web sites to
communicate only through formats and protocols that are free (some say
“open”); that is to say, whose documentation is published and which
anyone is free to implement.  With  However, the presence of JavaScript programs
in web
pages, pages makes that criterion is necessary, but not sufficient. insufficient.  The JavaScript language
itself, as a format, is free, and use of JavaScript in a web site is
not necessarily bad.  However, as we've seen above, it also isn't
necessarily OK. can be bad—if
the JavaScript program is nonfree.  When the site transmits a program
to the user, it is
not enough for the program to be written in a documented and
unencumbered language; that program must be free, too.  “Only  “Transmits only free
programs transmitted to the user” must become part of the criterion
for proper behavior by an ethical web sites.</p> site.</p>

<p>Silently loading and running nonfree programs is one among several
issues raised by "web applications". “web applications.”  The term "web
application" “web
application” was designed to disregard the fundamental
distinction between software delivered to users and software running
on a server.  It can refer to a specialized client program running
in a browser; it can refer to specialized server software; it can
refer to a specialized client program that works hand in hand with
specialized server software.  The client and server sides raise
different ethical issues, even if they are so closely integrated that
they arguably form parts of a single program.  This article addresses
only the issue of the client-side software.  We are addressing the
server issue separately.</p>

<p>In practical terms, how can we deal with the problem of nontrivial nonfree
JavaScript programs in web sites?  The first step is to avoid running

<p>What do we mean by "nontrivial"? “nontrivial”?  It is a matter of
degree, so this is a matter of designing a simple criterion that gives
good results, rather than finding the one correct answer.</p>
Our tentative policy current criterion is to consider a JavaScript program nontrivial if:</p>
if any of these conditions is met:</p>

  <li>it makes an AJAX request or is loaded along with scripts that make referred to as an AJAX request,</li>

  <li>it loads external scripts dynamically script (from another page).</li>

  <li>it declares an array more than 50 elements long.</li>

  <li>it defines a named entity (function or is loaded along with
    scripts method) that do,</li> calls anything other
      than a primitive.</li>

  <li>it defines a named entity with more than three conditional
      constructs and loop construction.</li>

  <li>code outside of named definitions calls anything but primitives and
      functions or methods defined further up in the page.</li>

  <li>code outside of named definitions contains more than three
      conditional constructs and either loads an external script
    (from html) or is loaded as one,</li> loop construction, total.</li>

  <li>it calls <b>eval</b>.</li>

  <li>it does Ajax calls.</li>

  <li>it uses bracket notation for dynamic object property access,
which looks like <b><em>object</em>[<em>property</em>]</b>.</li>

  <li>it alters the DOM.</li>
  <li>it uses dynamic JavaScript constructs that are difficult to
    analyze without interpreting the program, or is loaded along with
    scripts that use such constructs.  These constructs are:
      <li>using the eval function,</li>
      <li>calling methods with the square bracket notation,</li>
      <li>using  Specifically, using any other
    construct than a string literal with certain methods (Obj.write, Obj.createElement, ...).</li>
    (<b>Obj.write</b>, <b>Obj.createElement</b>, and others).</li>

<p>How do we tell whether the JavaScript code is free?  In a <a 
href="/licenses/javascript-labels.html">separate article</a>,
we propose a method by which a nontrivial JavaScript
program in a web page can state the URL where its source code is
located, and can state its license too, using stylized comments.</p>

<p>Finally, we need to change free browsers to detect and block
nontrivial nonfree JavaScript in web pages.  The program
<a href="/software/librejs/">LibreJS</a> detects nonfree,
nontrivial JavaScript in pages you visit, and blocks it.  LibreJS is
included in IceCat, and available as an add-on for Firefox.</p>

<p>Browser users also need a convenient facility to specify JavaScript
code to use <em>instead</em> of the JavaScript in a certain page.
(The specified code might be total replacement, or a modified version
of the free JavaScript program in that page.)  Greasemonkey comes close
to being able to do this, but not quite, since it doesn't guarantee to
modify the JavaScript code in a page before that program starts to
execute.  Using a local proxy works, but is too inconvenient now to be
a real solution.  We need to construct a solution that is reliable and
convenient, as well as sites for sharing changes.  The GNU Project
would like to recommend sites which are dedicated to free changes

<p>These features will make it possible for a JavaScript program included
in a web page to be free in a real and practical sense.  JavaScript
will no longer be a particular obstacle to our freedom—no more than
C and Java are now.  We will be able to reject and even replace the
nonfree nontrivial JavaScript programs, just as we reject and replace
nonfree packages that are offered for installation in the usual way.
Our campaign for web sites to free their JavaScript can then begin.</p>

<p>In the mean time, there's one case where it is acceptable to run a
nonfree JavaScript program: to send a complaint to the website
operators saying they should free or remove the JavaScript code in the
site.  Please don't hesitate to enable JavaScript temporarily to do
that—but remember to disable it again afterwards.</p>

<!-- any links that used to point to the appendices should point to
     free-your-javascript.html instead.  -->


<div class="announcement">
<hr class="no-display" />
<p>Webmasters: there are
<a href="/software/librejs/free-your-javascript.html">several ways</a>
to indicate the license of JavaScript programs in a web site.</p>
<hr class="no-display" />

<p><strong>Acknowledgements:</strong> I thank <a href="/people/people.html#mattlee">Matt Lee</a>
and <a href="http://ejohn.org">John href="https://johnresig.com/">John Resig</a> for their help in
defining our proposed criterion, and David Parunakian for
bringing the problem to my attention.</p>

</div><!-- for id="content", starts in the include above -->
<!--#include virtual="/server/footer.html" -->
<div id="footer"> id="footer" role="contentinfo">
<div class="unprintable">

<p>Please send general FSF & GNU inquiries to
<a href="mailto:gnu@gnu.org"><gnu@gnu.org></a>.
There are also <a href="/contact/">other ways to contact</a>
the FSF.  Broken links and other corrections or suggestions can be sent
to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>.</p>

<p><!-- TRANSLATORS: Ignore the original text in this paragraph,
        replace it with the translation of these two:

        We work hard and do our best to provide accurate, good quality
        translations.  However, we are not exempt from imperfection.
        Please send your comments and general suggestions in this regard
        to <a href="mailto:web-translators@gnu.org">

        <p>For information on coordinating and submitting contributing translations of
        our web pages, see <a
        README</a>. -->
Please see the <a
README</a> for information on coordinating and submitting contributing translations
of this article.</p>

<!-- Regarding copyright, in general, standalone pages (as opposed to
     files generated as part of manuals) on the GNU web server should
     be under CC BY-ND 4.0.  Please do NOT change or remove this
     without talking with the webmasters or licensing team first.
     Please make sure the copyright date is consistent with the
     document.  For web pages, it is ok to list just the latest year the
     document was modified, or published.
     If you wish to list earlier years, that is ok too.
     Either "2001, 2002, 2003" or "2001-2003" are ok for specifying
     years, as long as each year in the range is in fact a copyrightable
     year, i.e., a year in which the document was published (including
     being publicly visible on the web or in a revision control system).
     There is more detail about copyright years in the GNU Maintainers
     Information document, www.gnu.org/prep/maintain. -->

<p>Copyright © 2009-2013, 2016, 2017, 2018 2016-2019, 2021 Richard Stallman</p>

<p>This page is licensed under a <a rel="license"
Commons Attribution-NoDerivatives 4.0 International License</a>.</p>

<!--#include virtual="/server/bottom-notes.html" -->

<p class="unprintable">Updated:
<!-- timestamp start -->
$Date: 2021/10/11 09:35:33 $
<!-- timestamp end -->
</div><!-- for class="inner", starts in the banner include -->