March 24, 2009

Stallman looks to fight JavaScript trap

Browsers can run non-free software without users' knowledge, he stresses

Richard Stallman, president of the Free Software Foundation, is championing an effort to thwart the "JavaScript trap," in which users could unknowingly be running non-free programs in their browser.

In an article published on the GNU.org Web site this week, free software advocate Stallman says browsers run programs that are not free, and they are most often written in JavaScript. JavaScript once was used for minor frills in Web pages but it now is being used for major jobs, he said.

"Most browsers have a way to turn off JavaScript entirely, but none of them can check for Javascript programs that are nontrivial and non-free. Even if you're aware of this issue, it would take you considerable trouble to identify and then block those programs," Stallman said. "However, even in the free software community, most users are not aware of this issue; the browsers' silence tends to conceal it."

JavaScript programs can be offered for free by distributing the source code under a free license, said Stallman. "But even if the program's source is available, there is no easy way to run your modified version instead of the original. Current free browsers do not offer a facility to run your own modified version instead of the one delivered in the page. The effect is comparable to tivoization, although not quite so hard to overcome," he said.

Tivoization is defined in Wikipedia as a concept in which a system uses software offered under a "copyleft" license, which removes restrictions, but then uses hardware to prevent users from running modified versions. It came about as a result of an issue with TiVo digital recorders.

A movement has developed for Web sites to communicate only through free formats and protocols, Stallman said. He presented a plan to deal with non-free JavaScript programs in Web sites, in which a practical criterion is sought for determining nontrivial JavaScript programs. A program is considered nontrivial if it defines methods and either loads an external script, is loaded as one, or makes an AJAX request, under Stallman's proposal.
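The criterion above can be written as a short check. This is an added example, not code from Stallman's article or from any browser extension; the regular expressions, the function names and the `{name, code, external}` input shape are assumptions made for illustration, and "defines methods" is read here as "contains a function definition".

```javascript
// Added example: heuristic form of the nontriviality criterion described above.
// All patterns are illustrative assumptions; a real tool would parse the
// script rather than pattern-match its text.

const DEFINES_METHOD = /\bfunction\b|=>/;
const AJAX_CALL = /\bXMLHttpRequest\b|\bActiveXObject\b|\bfetch\s*\(/;
const LOADS_SCRIPT =
  /createElement\s*\(\s*['"]script['"]\s*\)|document\.write\s*\(\s*['"]<script/i;

// script.code     : source text of the script
// script.external : true when it was loaded via <script src="...">
function isNontrivial(script) {
  const definesMethods = DEFINES_METHOD.test(script.code);
  const loadsExternal = LOADS_SCRIPT.test(script.code);
  const makesAjax = AJAX_CALL.test(script.code);
  // "defines methods AND (loads an external script OR is loaded as one
  //  OR makes an AJAX request)"
  return definesMethods && (loadsExternal || script.external || makesAjax);
}

// Names of the scripts a browser would report to the user instead of running.
function flagNontrivial(scripts) {
  return scripts.filter(isNontrivial).map((s) => s.name);
}

// Constructed sample scripts (not taken from any real page).
const SAMPLE_SCRIPTS = [
  { name: 'inline-toggle', external: false,
    code: "document.getElementById('menu').style.display = 'none';" },
  { name: 'inline-helper', external: false,
    code: 'function add(a, b) { return a + b; }' },
  { name: 'inline-ajax', external: false,
    code: "function poll() { var x = new XMLHttpRequest(); " +
          "x.open('GET', '/status'); x.send(); }" },
  { name: 'external-app', external: true,
    code: 'function init() { render(); }' },
  { name: 'external-const', external: true,
    code: "var VERSION = '1.0';" },
  { name: 'inline-loader', external: false,
    code: "function load() { var s = document.createElement('script'); " +
          "s.src = 'https://example.com/lib.js'; document.head.appendChild(s); }" },
];

console.log(flagNontrivial(SAMPLE_SCRIPTS));
```

A function that touches neither the network nor another script (`inline-helper`) stays trivial under this reading, while the same function delivered as an external file does not.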

Stallman also offered a convention by which nontrivial JavaScript programs in a Web page can state the URL where source is located and can state its license using stylized comments. Also, free browsers need to be changed to support "freedom" for users of pages with JavaScript.

"First of all, browsers should be able to tell the user about nontrivial non-free JavaScript programs rather than running them. Perhaps NoScript could be adapted to do this," Stallman said. NoScript blocks scripts from executing on non-trusted Web pages.

Stallman added that browser users need a facility to specify JavaScript code to use instead of the JavaScript in a certain page. A solution needs to be constructed that is reliable and convenient. Sites for sharing changes also are needed, he said. The GNU Project would like to recommend sites dedicated to free changes only, he said.

"These features will make it possible for a JavaScript program included in a Web page to be free in a real and practical sense. JavaScript will no longer be a particular obstacle to our freedom -- no more than C and Java are now. We will be able to reject and even replace the non-free nontrivial JavaScript programs, just as we reject and replace non-free packages that are offered for installation in the usual way. Our campaign for Web sites to free their Javascript can then begin," Stallman said.

Paul Krill is an editor at large at InfoWorld.