I am a long-time NoScript extension (https://noscript.net/) user. For those who don’t know this automatically blocks any javascript and let you accept them (temporarily or permanently) based on the scripts’ origin domain.
NoScript as some quality-of-life option like ‘accepting script from current page’s domain by default’ so only 3rd parties would be blocked (usefull in mobile where it is tedious to go to the menu).
When I saw LibreJS (https://www.gnu.org/software/librejs/) I though that would be a better version of NoScript but it is quiet different in usage and cares about license and not open-source code (maybe it can’t).
Am I the only one who thought about checking for open-source JS scripts filtering (at least by default)? This would require reproducibility of ‘compilation’/packaging. I think with lock files (npm, yarn, etc) this could be doable and we could have some automatic checks for code.
Maybe the trust system for who checks could be a problem. I wanted to discuss this matter for a while.
Publishing lock files of running services would be a big security risk for the service owner as it gives an easily parsable way for an attacker to check if your bundle includes any package versions with vulnerabilities.
You then also have tools like snyk used by many big organisations which has the ability to patch dependencies before the actual dependency published the patch themselves. This would lead to a version not corresponding with the bundled code.
In fact given bundling is pretty ubiquitous, but infinitely configurable at this point, even validating the integrity of the bundle Vs the versions in a lock file is a problem that will be hard to achieve. It’s kinda like wanting to untoast bread.
Also given many JS projects have a lock file which describes both the deficiencies of the front end bundle, server & build tooling, there is a risk of leaking information about that too (it’s best practice to make as little as possible about your server configuration publicly viewable)
IMO, the solution to this problem today is to use a modern, updated browser that sandboxes execution, run a adblocker with appropriate trusted blocklists for what you’re avoiding, try to only use sites you trust & if you can, push web developers to use CSP & SRI to prevent malicious actors from injecting code into their sites without them knowing. Many sites already take advantage of these features, so if you trust the owner, you should be able to trust the code running on the page. If you don’t trust the owner with client side JS, you probably shouldn’t trust them with whatever they’re running on the server side too.
I believe you missed the point, I am not in defense of Security through obscurity (https://en.wikipedia.org/wiki/Security_through_obscurity), quiet the opposite.
The point: “[…] risk for the service owner as it gives an easily parsable way for an attacker to check […]” is well known and not the discussion here. You can choose close source for ‘security’ this is opensource community so I am wondering about such a tool.
Maybe I have missed your point, but based on how I’ve understood what you’ve described I think you may have also missed mine, I was more pointing out how the practicalities prevent such a tool from being possible from a few perspectives. I lead with security just because that would be the deal breaker for many service owners, it’s simply infosec best practice to not leak the information such a tool would require.
Your filtering idea would require cooperation from those service owners to change what they’re currently doing, right?
Perhaps I’ve completely got the wrong end of the stick with what you’re suggesting though, happy to be corrected
Thanks for your answer.
First I don’t even grasp what a “service owner” is.
Second, for JS front-end openness there are already a bunch of app (web, android) that are open-source and secured. Everything has dependencies nowadays, this doesn’t prevent good security. Think all the python app and their dependencies, rust, android… even c\c++ packages are built with dependencies and security updates are necessary (bash had security issues).
I think with JS scripts it’s actually even easier to have good security because the app is ran in our web browser so the only possible attacker is the website we are visiting itself. If they are malicious then the close-sourced JS script is even worse. Unless you count 3rd party scripts embedded that bad dev uses in their website without even thinking about trusting them. That is also awful in both open or close source environment.
So even having imperfect security (which happens regardless to openness), who is the attacker here? I would rather run js script on my end if the code can be checked.
When one asks if something is free software (a.k.a. FOSS) the concern isn’t so much trust but rather can one view, modify, and share the program. Sandboxes solve a different problem.
In the case of a javascript bundle, in order for a user to exercise the Four Freedoms they must at minimum be provided with corresponding source code for each component in the bundle, and preferably some way in the browser for the user to inspect and modify it. In other words, it must be treated like any other compiled binary program. A lock file with specific versions probably isn’t necessary (and server configuration and source code definitely isn’t).
You are right in that this would require cooperation from the service provider to provide this metadata, and most definitely would not do this. Therefore, such an extension as OP suggests would have the effect of blocking the vast majority of javascript on the web today. LibreJS tries to some extent but I don’t know how well it can handle bundled javascript files.
