You mean the LibreJS addon?
https://www.gnu.org/software/librejs/
It can block scripts, but the interface is pretty strange and being a modern FSF program it cares more about licenses than security.
Next step, eliminate browser support for all non-free JavaScript. Until then, IceCat under Linux is the only truly secure GUI based option.
Edit: Actually, while not a permanent solution, you can add the LibreJS plugin to any Mozilla browser that supports plugins (i.e. Firefox). In Firefox, just search for LibreJS under Add-ons.
It often is. LibreJS' method of detecting FOSS Javascript code involves either 1) checking a predefined list of Javascript libraries or 2) checking for some license-related metadata in the page (either as HTML or as Javascript). If neither of these are true for Mediawiki (Wikipedia's wiki server implementation), then it very likely won't be detected as "free" by LibreJS.
> While true, that one kinda always bothers me The premise is, you should be able to choose what instructions do and do not get executed on your machine, but in absence of freedomly licensed code, shouldn't a sandbox provide that feature?
I feel the same way, otherwise you'd need to use something like LibreJS or turn JavaScript off completely.
> I might need to do more reading or emailing about to get an answer to that though
If you haven't already read https://www.gnu.org/philosophy/javascript-trap.html then that is probably a good place to start.
There's specifically the Affero GPL for server side if you require FOSS. The problem I always come back to, though, is how do you verify what's actually deployed vs. what they're providing with the license.
With regards to the JS blobs, see LibreJS. I don't think generated HTML is considered an issue since it's just markup and not a programming language.
If FOSS doesn't have moral implications for you, it probably matters a lot less, and there's nothing wrong with that. I don't personally mind nor care, but there are people that do.
I'm sure that there are very good free-as-in-freedom frameworks to make a responsive site (trust me, I use them at work all the time), the only detail that deters the FSF from using it is the fact that many free software advocates disable JavaScript in their browsers. Why? Because said scripts are more often than not non-free software, or else are not correctly labeled - their project to detect properly labeled free-as-in-freedom JavaScript is used by very few sites, most of them from the FSF itself.
I don't trust sites when they use third party javascript code from corps such as Facebook, google, etc.
If the site is loading javascript from the same domain I generally run it.
For real trust javascript should be not obfuscated and published as Free Software. A nice thing to do is to make your code LibreJS friendly.
LibreJS might be a good place to start, as it's already a framework for attempting to analyse JS for integrity. Adding hash-checking to this and maintaining a trustworthy third-party whitelist would go a long way to preventing malicious JS injection.
I think you could find this useful https://www.gnu.org/software/librejs/ although I've never used myself. I like that in umatrix you allow scripts only for a specific domain (noscript rules are global instead) so I have to allow google domains only if a site doesn't work at all without them and if I often use that site the extension remember my preference without interfering with other domains, also you could block cookies or spoof the referrer string from the http request (noscript however has more features so you should use both with noscript in blacklist mode). I really like your idea of caching the scripts or using a safe mirror for them, if the hosted code is opensource this should be feasible
LibreJS, It's better than something like noscript because it allows trivial javascript code, making some sites work better than blocking all javascript, while still respecting your privacy.
https://www.gnu.org/software/librejs/manual/librejs.html#How-to-Use
OK, I guess it's not a implementation but it's kind of doing the same thing. It is blocking loading JS from external scripts or via AJAX, etc. which is going to basically break everything. The name makes it sound like a Javascript engine since LibreSSL is an SSL implementation.
I didn't know that, I loved gmail's pure html experience, will have to suffer, but being LibreJS compliant means doesn't mean not using JS at all, but using JS scripts that are released under free software license. https://www.gnu.org/software/librejs/free-your-javascript.html
Seriously. There's a bunch of reading available, but all they do is describe a "solution". Luckily, for everyone except Stallman, there is no problem.
Mozilla's JavaScript engine "SpiderMonkey" is under MPL2: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey
MPL2 is a GPL compatible free software license according to GNU: https://www.gnu.org/licenses/license-list.en.html#MPL-2.0
Some Javascript isn't free, but some is considered too trivial to even be labeled as free/nonfree, and some is actually free: https://www.gnu.org/software/librejs/free-your-javascript.html
That's like saying that all machine code is open source because you can decompile it back to C++. Obfuscated Javascript, written with no comments, indentation, newlines or readable variable names is not open source, even with "Prettify" feature of modern web browsers. There's a reason browser addons like LibreJS exist.
It's not quite what you're asking for, but you might want to look at GNU LibreJS, an extension that whitelists scripts based on if the javascript is FOSS-licensed or not. Reddit is unfortunately not FOSS anymore so it does indeed get its javascript disabled by default. Though the old frontend at old.reddit.com mostly works fine without javascript.
i know its a long shot with the way the current web is but is it possible to use a survey site which either does not use javascript or uses only free javascript? the former option being my ideal, the latter probably being more practical. im not sure if there are even any out there but if there are i would assume more than just me would be appreciative of it being used.
im not sure why this website needs javascript at all, at least for the input and results pages - everything that i can see that it does can be done just fine with pure serverside code and html/css - but either way it imports a bunch of javascript which is nonlicensed or obfuscated and thus gets blocked by the gnu librejs extension
this isnt a huge deal and im not a freesoftware purist or anything (i game, am using reddit which uses nonfree js, and i enabled js to do your survey) but the web is always better with less javascript and im sure there are people here which are more strict about this stuff than i am and would appreciate a site which uses free js, or even better no js at all. just a polite request/something to think about
tl;dr: war on javascript
To understand the issue, it's important to understand the free software ideology and how it's related to more widely known open source. The main idea is that the user will only run JavaScript that's licensed under a free software license. This includes many widely used open source libraries. To accomplish this, the source code should include a machine readable license.
So the issue is not about accessing source code but allowing the user to decide what code to run on their computer.
All of the scripts are relative links, served from, the same site. You can also use LibreJS: https://www.gnu.org/software/librejs/
Enigmail is a plugin for thunderbird/firefox. You should always do your own encryption.
I really like Privacy Badger! FREE as in freedom AND gratis. In addition to this extention ~~FOSS~~ FSF also made LibreJS what does about the same as NoScript but it allows the free and common js. This enables you to still being able to enjoy the web.
FOSS for the Win!
https://www.gnu.org/software/librejs/
Read the The JavaScript Trap and follow the project librejs
Also check the GNU Affero General Public License