Support Forum

Feature Request: Javascript libraries of which the versions are in better control

This is essentially aimed at the developers:

Anyone who browsed with NoScript, or used Ghostery, knows the web is full of JavaScript. These are often downloaded from separate websites (for no apparent reason, they can easily be hosted locally). This is a bad thing:

  • Accessing these gives the HTTP referrer (presumably), so it indicates to someone where you are browsing (though other resources do this too).
  • JavaScript is nowhere near as secure as HTML in terms of potential weaknesses.
  • JavaScript is -plainly- designed to have access to the web page, or the current URL.
  • These are often accessed via http, it could be spoofed to return a different
  • The servers it came from can outright change it at any point, and the user has little control; even if the JavaScript source code is unobfuscated, there is no time to do so as it is in the hands of the users immediately.

For this reason I suggest implementing a library (package system) for these JavaScripts, of which the packages are signed, and the user controls when they are updated. It should be easy to use and add these libraries for developers; preferably, additional people can attest they read the source code and approve of it.

Well, to be honest, I cannot really suggest entirely how to do it, I just don't know enough. And it has to be entirely transparent to users, at least. Some kind of system that detects that people have checked the source code, and/or a default time duration (depending on the package).

Of course this has to be coordinated with other browsers/standards creation. This sounds hard and it seems like you're already doing a really good job at it (and at developing FF in general).

Additional System Details

Installed Plug-ins

  • This plug-in detects the presence of iTunes when opening iTunes Store URLs in a web page with Firefox.
  • Shockwave Flash 10.1 r999.Gnash 0.8.10, the GNU SWF Player. Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc. Gnash comes with NO WARRANTY, to the extent permitted by law. You may redistribute copies of Gnash under the terms of the GNU General Public License. For more information about Gnash, see http://www.gnu.org/software/gnash. Compatible Shockwave Flash 10.1 r999.
  • Shockwave Flash 11.2 r202

Application

  • User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0

jscher2000
  • Top 10 Contributor
3976 solutions 34724 answers

Helpful Reply

Hi Jasper, to give a specific example, if Firefox were to find a site using a particular version of jQuery then it would instead use a pre-validated copy of that library from a trusted site or from the Firefox program folder?

I think this would be a complex project, but perhaps an extension developer would consider building it, at least to demonstrate how it could be done?

This forum is like an emergency room, so your suggestion may get lost here. You can submit a version to the Input site (Help > Submit Feedback connects you) or on a Mozilla mailing list. Not sure which one would be right for this idea, but you could take a look here: https://lists.mozilla.org/.

Question owner

Nearly exactly what I mean. However, that interaction with the website developers is somewhat hostile? I mean you go about searching for known JavaScript libraries, and replacing them with local ones, basically trying to combine the website's and user's intent. If website owners get annoyed, they might try renaming stuff, slightly altering..

On the other hand, if it is provided as a way to get the libraries, website developers choose it for you. Of course guarantees, for instance having some sort of LTS versions or some such, could help attract usage.

And of course, you can also do both: trying to detect and luring in usage.

Thanks for the quick response, I'll see if I can pass this on to the right place on the list if that is alright for you (probably tomorrow).

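As an added illustration of the idea discussed in the posts above (not part of the thread and not Mozilla code): a content-digest lookup against a user-pinned store of reviewed library releases, showing why a renamed file still matches while a slightly altered one does not. The package name, reviewer names, URLs and file bodies are constructed, and signature checking of the packages themselves is left out.

```javascript
// Added illustration: every name, URL and file body here is hypothetical/constructed.
// Resolves node:crypto in both CommonJS and ES-module contexts.
const { createHash } = typeof require === "function"
  ? require("node:crypto") : process.getBuiltinModule("node:crypto");

const sha256 = (body) => createHash("sha256").update(body).digest("base64");

// Constructed stand-ins for two releases of a library.
const LIB_1_0 = "/* examplelib 1.0.0 */ function greet(n){return 'hi '+n;}";
const LIB_1_1 = "/* examplelib 1.1.0 */ function greet(n){return 'hello '+n;}";

// User-controlled store: the user picks the pinned version and how many
// independent source-code attestations a release needs before it is used.
const store = {
  minReviewers: 2,
  packages: {
    examplelib: {
      pinned: "1.0.0",
      versions: {
        "1.0.0": { body: LIB_1_0, digest: sha256(LIB_1_0), reviewers: ["alice", "bob"] },
        "1.1.0": { body: LIB_1_1, digest: sha256(LIB_1_1), reviewers: ["alice"] },
      },
    },
  },
};

// Decide what to do with a third-party script a page requested.
// Matching is on content, so the URL or file name the site uses is irrelevant.
function resolveScript(url, fetchedBody, store) {
  const digest = sha256(fetchedBody);
  for (const [name, pkg] of Object.entries(store.packages)) {
    for (const [version, rel] of Object.entries(pkg.versions)) {
      if (rel.digest !== digest) continue;
      const reviewed = new Set(rel.reviewers).size >= store.minReviewers;
      if (version === pkg.pinned && reviewed) {
        return { action: "serve-local", name, version, body: rel.body };
      }
      const reason = reviewed ? "not the pinned version" : "too few attestations";
      return { action: "hold", name, version, reason };
    }
  }
  // Any byte-level change yields a different digest: treated as unknown code.
  const insecure = new URL(url).protocol === "http:";
  const reason = insecure ? "no digest match; fetched over plain http" : "no digest match";
  return { action: "unknown", reason };
}
```

A release that matches a known digest but is not yet pinned or sufficiently reviewed is held rather than run, which is the "user controls when they are updated" part of the request.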

Question owner

Sent basically what I wrote here to https://groups.google.com/forum/#!forum/mozilla.dev.webapi; it hasn't appeared there yet. Title is "Javascript libraries; give users more control by making user-controlled repositories" (probably will be too lazy to put specific link here).
