Feature Request: Javascript libraries of which the versions are in better control
This is essentially aimed at the developers:
Anyone who has browsed with NoScript, or used Ghostery, knows the web is full of JavaScript. These scripts are often downloaded from separate websites (for no apparent reason; they can easily be hosted locally). This is a bad thing:
- Accessing these gives the HTTP referrer (presumably), so it indicates to someone where you are browsing (though other resources do this too).
- JavaScript is nowhere near as secure as HTML in terms of potential weaknesses.
- JavaScript is -plainly- designed to have access to the web page, or the current URL.
- These are often accessed via http, it could be spoofed to return a different
- The servers it came from can outright change it at any point, and the user has little control; even if the JavaScript source code is unobfuscated, there is no time to do so, as it is in the hands of the users immediately.
For this reason I suggest implementing a library (package system) for these scripts, of which the packages are signed, and the user controls when they are updated. It should be easy for developers to use and add these libraries; preferably, additional people can attest they read the source code and approve of it.
Well, to be honest, I cannot really suggest entirely how to do it, I just don't know enough. And it has to be entirely transparent to users, at least. Some kind of system that detects that people have checked the source code, and/or a default time duration (depending on the package).
Of course this has to be coordinated with other browsers/standards creation. This sounds hard and it seems like you're already doing a really good job at it (and at developing FF in general).
All Replies (3)
Hi Jasper, to give a specific example, if Firefox were to find a site using a particular version of jQuery then it would instead use a pre-validated copy of that library from a trusted site or from the Firefox program folder?
I think this would be a complex project, but perhaps an extension developer would consider building it, at least to demonstrate how it could be done?
This forum is like an emergency room so your suggestion may get lost here. You can submit a version to the Input site (Help > Submit Feedback connects you) or on a Mozilla mailing list. Not sure which one would be right for this idea, but you could take a look here: https://lists.mozilla.org/.
Nearly exactly what I mean. However, that interaction with the website developers is somewhat hostile? I mean you go about searching for known JavaScript libraries, and replacing them with local ones, basically trying to combine the website's and users' intent. If website owners get annoyed, they might try renaming stuff, slightly altering...
On the other hand, if it is provided as a way to get the libraries, website developers choose it for you. Of course guarantees, for instance having some sort of LTS versions or some such, could help attract usage.
And of course, you can also do both trying to detect and luring in usage.
Thanks for the quick response, I'll see if I can pass this on to the right place on the list if that is alright for you (probably tomorrow).
Sent basically what I wrote here to https://groups.google.com/forum/#!forum/mozilla.dev.webapi; it hasn't appeared there yet. Title is "Javascript libraries; give users more control by making user-controlled repositories" (probably will be too lazy to put a specific link here)
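
The lookup discussed in the replies, as an added example that is not from any poster in this thread and is not Mozilla code: a user-controlled store matches scripts by content digest, so a renamed copy of an approved library still resolves to the local version, while a slightly altered copy no longer matches and is flagged. The `PinnedLibraryStore` class, the `examplelib` library and all URLs are hypothetical, constructed for illustration.

```javascript
const crypto = require('node:crypto');

// SRI-style digest string for a script body.
function digestOf(body) {
  return 'sha384-' + crypto.createHash('sha384').update(body, 'utf8').digest('base64');
}

// Hypothetical user-controlled store: an entry exists only after the user approves that version.
class PinnedLibraryStore {
  constructor() {
    this.byDigest = new Map(); // digest -> { name, version, body }
    this.names = new Set();    // library names the user has approved at least once
  }

  approve(name, version, body) {
    const digest = digestOf(body);
    this.byDigest.set(digest, { name, version, body });
    this.names.add(name);
    return digest;
  }

  // Decide what to do with a script that a page wants to load.
  resolve(url, remoteBody) {
    const pinned = this.byDigest.get(digestOf(remoteBody));
    if (pinned) {
      // Content is byte-identical to an approved version: serve the local copy.
      return { action: 'use-local', name: pinned.name, version: pinned.version };
    }
    // File name claims a known library but the content is not an approved version.
    const file = new URL(url).pathname.split('/').pop().toLowerCase();
    const claimed = [...this.names].find((n) => file.startsWith(n));
    if (claimed) return { action: 'flag-mismatch', name: claimed };
    return { action: 'unknown' };
  }
}

// Constructed sample data, not a real library.
const store = new PinnedLibraryStore();
const LIB = 'window.examplelib = { version: "1.0.0" };\n';
store.approve('examplelib', '1.0.0', LIB);

const exact = store.resolve('http://cdn.example/examplelib-1.0.0.js', LIB);
const renamed = store.resolve('http://site.example/assets/a9f3.js', LIB);
const altered = store.resolve('http://cdn.example/examplelib-1.0.0.js', LIB + '/* extra */');
const other = store.resolve('http://site.example/app.js', 'console.log("site code");');
console.log({ exact, renamed, altered, other });
```

A copy that is both renamed and altered falls through to `unknown`, which is the case where digest matching alone cannot help and the user's default policy has to decide.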