GNU LibreJS for Firefox blocks non-free non-trivial JavaScript
GNU LibreJS is a browser extension for Firefox and Firefox-based browsers that is designed to block non-free non-trivial JavaScript by default.
Compared to NoScript, GNU LibreJS works similarly on first glance. One of the main differentiating factors is that NoScript blocks most JavaScript by default, while GNU LibreJS makes a distinction between non-free non-trivial JavaScript and free or trivial JavaScript.
GNU LibreJS is inspired by Richard Stallman's The JavaScript Trap essay. Stallman argues that browsers run non-free programs that are written mostly in JavaScript, but also in other languages. Many of these programs are proprietary or not open, and some of them are malicious or problematic.
Google Docs, according to Stallman, makes use of a JavaScript program that has a size of half a Megabyte. It is compacted, which makes it difficult to analyze and understand. JavaScript code that snoops on users is called malware by Stallman.
Stallman suggests to avoid running JavaScript that is considered not trivial or not free. A list of JavaScript code that matches the definition includes scripts loaded from external pages, that alter the DOM, or call eval. The full list is published on the GNU website.
GNU LibreJS makes these distinctions for the user when it is installed in Firefox and compatible browsers. It blocks all JavaScript that is considered not trivial, and allows JavaScript that it considers trivial.
The extension adds an icon to the browser's toolbar that highlights the number of blocked JavaScript references on the page. A click displays accepted and blocked JavaScript, and controls to change the status of the entire website or individual scripts or code. You can whitelist or blacklist an entire site, or individual code snippets or scripts. The extension remembers these across sessions.
Options to show the JavaScript code are provided, as is an option to forget all custom settings or individual custom settings.
Closing Words
The use of GNU LibreJS improves privacy and security while using the web browser the extension is installed in. Users should run into fewer compatibility issues with sites, as trivial JavaScript is allowed to run. It may still be necessary to adjust the allow and disallow lists and individual scripts regularly to get certain websites to work properly.
Now You: how do you handle JavaScript?
Great idea IN THEORY except for Stallman’s pignorance about licensing.
Nobody cares!
Break sites because your stupid extension
a) cares too much about licensing … arguably destroying the most trivial learning and innovation strength of the web: copy and paste!
b) if ( jQuery ) { BREAK_SITE = true } // FFS, Stallman by name, stall man by nature: blocks all innovation and progress with his puritanical OCD
Please, can someone fork this and get rid of the licensing obsession? Users deserve a means of blocking JS that is not a) dependant on someone’s arbitrary politics; b) global by default, requiring everyone to know that most legitimate JS functionality is served up by third party CDNs.
@pd,
> Please, can someone fork this and get rid of the licensing obsession?
This browser extension is part of the GNU Project.
GNU Project – Wikipedia
https://en.wikipedia.org/wiki/GNU_Project
GNU General Public License – Wikipedia
https://en.wikipedia.org/wiki/GNU_General_Public_License
The project is available in the Git repository and anyone can join as a contributor.
Why don’t you join the project instead of begging others to “Please, can someone fork…”?
LibreJS development happens in its Git repository.
librejs.git – LibreJS
https://git.savannah.gnu.org/cgit/librejs.git/
thought we know by now that free or not free is irrelevant when it comes to security. open sourced stuff can be poisoned.
just block everything.
> thought we know by now that free or not free is irrelevant when it comes to security. open sourced stuff can be poisoned.
just block everything.
You are misinterpreting the meaning.
Please check the official website of this browser extension and other sites first, neatly.
LibreJS – GNU Project – Free Software Foundation
https://www.gnu.org/software/librejs/
GNU LibreJS aims to address the JavaScript problem described in Richard Stallman’s article The JavaScript Trap. LibreJS is a free add-on for GNU IceCat and other Mozilla-based browsers. It blocks nonfree nontrivial JavaScript while allowing JavaScript that is free and/or trivial.
The JavaScript Trap – GNU Project – Free Software Foundation
https://www.gnu.org/philosophy/javascript-trap.html
“Block JavaScript (JS)” with NoScript, uMatrix, uBO, etc. However, it cannot check the specific details of those JavaScript (which are usually a combination of many JS) (again, user have to look them up again own self).
The advantage of this browser extension, GNU LibreJS, is that it does not just block JS, but allows you to see the details of “non-trivial JavaScript.
I currently block all JS by default using “uBO”.
By adding this extension, I will have “all of those JS explicitly and specifically listed” so I can better understand the actual situation (whether blocking is necessary or not).
It is not a matter of which one to choose (from uBO, etc.), but the usefulness (complementary function) of this extension to “know what kind of JS it is”.
Hi. When I tried to install GNU LibreJS a while ago I uninstalled it again. When after I uninstall some web pages like Wikipedia the font looks too small as usual (Zoom level is 100%) the font is not legible. I don’t know if it’s because of GNU LibreJS or not.
If you’re experiencing font display issues on certain websites, such as Wikipedia, after uninstalling GNU LibreJS, here are some steps you can take to address the problem:
1. Check Zoom Level:
Ensure that the zoom level is set to 100% on your browser. Sometimes, extensions or changes to browser settings can inadvertently affect the zoom level.
2. Clear Browser Cache:
Clear your browser’s cache to eliminate any potential conflicts or remnants from the extension. Cached files might be causing display issues.
3. Restart Browser:
After uninstalling an extension, it’s a good practice to restart your browser. This can help in applying changes and restoring default settings.
4. Browser Font Settings:
Check your browser’s font settings. Make sure that the default font size is set to a comfortable and legible level. In Firefox, you can find this in the browser settings under “Language and Appearance.”
5. Reset Firefox Settings (Optional):
If the issue persists, you might consider resetting Firefox to its default settings. This will revert the browser to its original state. Keep in mind that this will remove extensions and some custom settings, so use this option with caution.
6. Test in Private Browsing Mode:
Open a private browsing window and visit the problematic websites. Private mode uses default settings and no extensions. If the font appears normal in private mode, it could indicate an issue related to extensions.
7. Reinstall GNU LibreJS (Optional):
If you still suspect that GNU LibreJS might be related to the font issue, you could reinstall the extension and check if the problem persists. However, make sure to review the extension’s settings and customize them according to your preferences.
8. Contact GNU LibreJS Support:
If the problem persists and you believe it is directly related to GNU LibreJS, consider reaching out to the extension’s support channels. They might have insights into the issue and provide guidance on resolving it.
Remember to perform these steps one at a time, checking if the issue is resolved after each action. This way, you can identify the specific cause of the problem and apply the most appropriate solution.
By using this browser extension “GNU LibreJS” to use,
I am able to verify that the “nontrivial JavaScript” details.
Its capabilities remind me of uMatrix and eMatrix (Pale Moon extension), which I preferred to use in the past. Neither of these are used now (because I felt uBO was sufficient).
I measured the “resources” in the browser’s task manager (about:performance) and it stayed at 0 KB even while browsing.
This is awesome!
If it doesn’t demand system resources and doesn’t cause conflicts, I found it useful to easily, individually nontrivial JavaScript and to control them (Whitelist, Blacklist).
> I measured the “resources” in the browser’s task manager (about:performance) and it stayed at 0 KB even while browsing.
I was misunderstanding about the Name of the extension.
GNU LibreJS: 81 KB.
I’m happy with NoScript, but I recognize it’s not for everyone, and don’t recommend it to non-geek clients. It’s a bitch to get used to, but I’ve been using it for more than a decade, so my very long “per-site permission” list (which I review and cull periodically) ensures it’s not nearly as intrusive as it was at the start.
I also use UBO and CanvasBlocker, and have FF settings locked down pretty tight.
Five one-star and two-star rating out of 43 users.
That makes no difference to me.
I think that I shall give this one a pass for now. It has only 43 users!
I tend to check the number of users before I install an extension.
The one with the most users usually gets the nod from me.
(If there are other alternatives, naturally. Otherwise I don’t install anything in that category.) At the moment I use UBO to disable JS.
Why would you use JS if you don’t want to change the DOM? By considering DOM changes as non-trivial this seems to penalize the most valid reason to use JS in the first place.
When I encounter a webpage displaying/running incorrectly I have to check,
1- uBlock Origin : I have set default permissions to lowest and must allow or not 1st-party scripts, 3rd-party scripts, 3rd-party frames, sometimes block inline scripts …
2- CleanLinks : I have to check what is blocked if applicable.
3- CanvasBlocker : I have to check if a site wouldn’t require in particular Canvas itself (very seldom).
4- Referer Modifier : I’ve set Default for any domain = target and for same domain = prune. Some domains accept neither (require “keep”).
5- WebAssembly and WebGL : both disabled by default, but two home-made buttons to toggle if really required.
That’s about it, but enough to have not added the ‘NoScript’ extension in older days.
I’ve just tried this ‘LibreJS’ extension :
I had to whitelist [geoportail.gouv.fr] (or go through scripts 1 by one) : the domain is trustworthy as far as I know.
I tested some Wikipedia pages : several scripts blocked yet the page displayed correctly apart from the ‘Contents’ open/close drop-down menu (opened) : either whitelist Wikipedia or those of its blocked scripts pertaining to the ‘Contents’ menu …
I just don’t have the time.
Speaking to myself : “You don’t have the time for security or are you plain lazy”
Answering to my alter ego : “Security-lazy, me, with all that I handle already for security and privacy?”
Alter replied ; “Well then why not add ‘LibreJS’ as extra security?”
I smatched with a : “Because I consider (though may be wrong) that all that I’ve set is enough to handle quite an array of security and privacy intrusions. What do you say about that?”
Alter sighed. We remain on good terms but i think he’s disappointed.
> 5- WebAssembly and WebGL : both disabled by default, but two home-made buttons to toggle if really required.
Please share these on pastebin.
Sorry I see this disables the sandbox. Politely passing.
@Tom:
Interested to know which websites you’ve encountered that actually require WebAssembly and/or WebGL to work, if you don’t mind sharing.
@ShintoPlasm, these are those I’ve experienced, but I don’t surf as I used to twenty years ago. I’m getting anchored to fewer sites so there’s undoubtedly many more :
WebAssembly :
[https://privatebin.net/]
[https://paste.i2pd.xyz/]
[https://sqliteonline.com/]
[https://stellarium-web.org/]
WebGL :
[https://www.instantstreetview.com/] : makes it without, makes it far better with.
[https://www.google.com/maps/] : makes it without, makes it far better with.
[https://histography.io/] : won’t run without.
[http://radio.garden/] : won’t run without.
Concerning Google Maps I guess any site running actively an embedded Google Maps will run that embed far better with WebGL enabled. Personally I block embedded Google Maps (btw many sites now prefer embedded OpenStreetMap) and open Google Maps very seldom, less and less, mainly for Google Street View because I just love moving around almost as if i were there :=)
Far from being exhaustive, certainly. I don’t want WebAssembly nor WebGL to be enabled by default so the two toolbar buttons I’ve created (userChromeJS scripts in fact) simply allow to toggle “javascript.options.wasm” (true/false)and “webgl.disabled” (false/true) when visiting sites requiring either. I’ve associated an animated png (apng) to activate when the setting is true for the former, false for the latter, in order to be aware to disable when exiting the site. Unfortunately I don’t know how to build an extension that would allow to remember site specifically.
@Tom Hawack
>…so the two toolbar buttons I’ve created (userChromeJS scripts in fact)
Nice idea these buttons, do you happen to know any clear and easy tutorial for those who want to learn how to make some simple userChromeJS scripts? To enable/disable some parameters I use this script by adding the related entries:
https://github.com/garywill/aboutconfig-menu –>
{
name: “WebGL Disabled”,
type: prefs.PREF_BOOL,
pref: “webgl.disabled”,
possibleVals: [
{ name: “False” , val: false },
{ name: “True” , val: true },
]
},
Indeed it might be useful to make a feature request to the developer who already had an excellent idea to change the colors of the items in the menu when they have a changed value.
@Shiva,
Sorry for the above double comment. Because of a mistake of mine which postponed the display of my comment I repeated the comment rather than waiting for it to appear later on… sometimes I forget even after so many years posting here.
Concerning userChromeJS : I think the best way to understand how to implement it (in Firefox anyway) is to consider xiaoxiaoflood’s dedicated GitHub repo : [https://github.com/xiaoxiaoflood/firefox-scripts]
It’s really easy to install. The repo includes various userChrome scripts as well and others are available on various pages, mainly for what I know on GitHub pages : the best is to search GitHub for ‘UserChromeJS’ ..
It’s fairly easy to modify available userChromeJS scripts to adapt them for our own needs. That’s what I do.
For instance, the two toolbar buttons userChromeJS buttons mentioned above are simply scripts I modified to deal with toggling WebAssembly and WebGL about:config prefs. Hereafter for whome may be curious/interested :
Toggle-WebAssembly.uc.js :
[https://paste.i2pd.xyz/?425957642405131c#jLkwKzUZFPpmXx6N7KxyVWtQhAPAkJx2n6YDhXv3nVh]
Toggle-WebGL.uc.js :
[https://paste.i2pd.xyz/?4d267d489b544317#DxkdhKSVs7CL84Sr7rMRkKpxT4KXvQ9GzcZAHC2NHiDy]
*Note : these pages require WebAssembly, lol!
Really worth it. You can perform so much with this.
@Tom Hawack,
Ah! Ah! Ah! You did a good job to remind yourself not to have some preferences enabled! :-) Thanks, I have saved a button as template, it will be useful to me. I will certainly use the animated png as well. https://sourceforge.net/u/maxst/profile/
Currently as sources I have already bookmarked Alice0775, Aminomancer, Aris-t2, Garywill and Xiaoxiaoflood. The truth is that I can’t make heads or tails this time, so for once I am not being lazy and would like to try to learn from scratch.
@Shiva, I share some of the sources you mention : Alice0775, Aris-t2 and of course Xiaoxiaoflood
I discover Aminomancer and Garywill
I have four others :
ardiman [https://github.com/ardiman/userChrome.js]
duponyjoy [https://github.com/dupontjoy/userChrome.js-Collections-]
Endor8 [https://github.com/Endor8/userChrome.js/]
harv [https://github.com/harv/userChromeJS/]
Funny anecdote : a developer had declared (and hasn’t updated!) : “userChrome.js – obsolete in Firefox 72” [https://luke-baker.github.io/] which has proven to be wrong, right?!
About Animated PNGs : personally I build mine at [https://ezgif.com/apng-maker] : builds and edits as well, nice for deconstructing a given apng.
I just love these constructive dialogs, exchanges :)
As an All-In-One-Sidebar orphan, I recommend ‘Sidebar Switch’ by Garywill. I can’t tell you the times I unnecessarily moved the mouse to the left side by clicking to open the sidebar until this script.
>I just love these constructive dialogs
Ah! I took a look at the repositories I didn’t know about, now there is still some room to stay lazy with trials and error! And I gained a button.
@Shiva, as I review our comments I realize that I may have misunderstood your question when you wrote above “[…] do you happen to know any clear and easy tutorial for those who want to learn how to make some simple userChromeJS scripts?”
You were as it seems searching on how to build userChromJS scripts, not how to implement userChromeJS.
Anyway, it may have helped others. Your aim as I understand it now is to find a tutorial on how to build a userChromeJS script, you’d like to build them by yourself as it seems. For that I have no answer unfortunately. But as always, adapting, converting, trial & error are excellent teachers I guess, even if may take more time.
I had a look at [https://garywill.github.io/#Firefox-userChrome-CSS-or-JS]. Indeed interesting stuff. Bookmarked!
@ShintoPlasm, these are those I’ve experienced, but I don’t surf as I used to twenty years ago. I’m getting anchored to fewer sites so there’s undoubtedly many more :
WebAssembly :
[https://privatebin.net/]
[https://paste.i2pd.xyz/]
[https://sqliteonline.com/]
https://stellarium-web.org/%5D
WebGL :
[https://www.instantstreetview.com/] : makes it without, makes it far better with.
[https://www.google.com/maps/] : makes it without, makes it far better with.
[https://histography.io/] : won’t run without.
[http://radio.garden/] : won’t run without.
Concerning Google Maps I guess any site running actively an embedded Google Maps will run that embed far better with WebGL enabled. Personally I block embedded Google Maps (btw many sites now prefer embedded OpenStreetMap) and open Google Maps very seldom, less and less, mainly for Google Street View because I just love moving around almost as if i were there :=)
Far from being exhaustive, certainly. I don’t want WebAssembly nor WebGL to be enabled by default so the two toolbar buttons I’ve created (userChromeJS scripts in fact) simply allow to toggle “javascript.options.wasm” (true/false)and “webgl.disabled” (false/true) when visiting sites requiring either. I’ve associated an animated png (apng) to activate when the setting is true for the former, false for the latter, in order to be aware to disable when exiting the site. Unfortunately I don’t know how to build an extension that would allow to remember site specifically.
EDIT : the last item in the list noted as requiring WebAssembly is of course [https://stellarium-web.org/]
I had forgotten the first bracket. CopyPaste and I have always had a problamatic relationship but I’m the only to blame, lol.
@Tom –
>”1- uBlock Origin : I have set default permissions to lowest and must allow or not 1st-party scripts, 3rd-party scripts, 3rd-party frames, sometimes block inline scripts …”
Yes, this is the way I prefer to handle js, with uBlock origin in advanced mode, or better yet with the remarkable ?Matrix extension on Pale Moon. On Brave, I use noscript or uBlock Origin. The nice thing about uBlock and ?Matrix is that they both also block ads and trackers. One stop shopping for all my blocking needs.
I spend most of my browsing time with the links2 terminal browser which isn’t able to run any javascript, so there’s nothing more javascript-wise to think about with that browser.
@Andy Prough, not to mention handles as well some features requiring other extensions… uMatrix s no longer maintained by Raymond Hill (developer of uBO for those who wouldn’t know), yet perhaps remains sufficiently valid over time. I hadn’t even tried it then because I assumed it’d be over my capacities together with the fact that I considered that uBO together with a few other extensions would make it sufficiently for my ‘eXperience’ …
I think some other developer is maintaining uMatrix in his own way, not sure.
@Andy, what do you think of the ‘NoScript’ and this ‘LibreJS’ extensions?
@Tom
I meant to say “eMatrix” (or the Greek letter ‘e’), it’s a new Pale Moon extension that has brought the old uMatrix back to life. It’s actually not any more complicated than uBlock in advanced mode – in fact it’s a bit easier in a lot of ways. Just takes some getting used to.
I’ve been a noscript user on-and-off since the mid-2000’s when it was fairly new. I’m very used to it and very comfortable with it, and I think that its defaults keep the user very safe. I prefer uBlock or eMatrix because they add in the ad-blocking and tracker blocking, but for a browser like Brave with built-in ad-blocking, all I really need to add is noscript.
I’ve used LibreJS at various times, mainly because I’ve used the GNU IceCat version of Firefox, which normally comes with LibreJS. I think it’s similar to noscript in that in its default state it will keep you pretty safe, but once again I prefer uBlock or eMatrix with the ad-blocking and tracker blocking. I prefer noscript over LibreJS because I’m more used to noscript, but either of them will allow things to be whitelisted, so for my purposes they have a lot in common.
@Andy Prough, [epsilon]matrix, OK :) But only for Pale Moon, anyway as you use it.
Thanks for your reviews of NoScript and LibreJS. You’ve experienced both which is what I was hoping for before wishing to know your feelings about both were, are.
You mentioned in your first comment the links2 terminal browser. That’s an environment I have no idea of. I guess you’re really a techie :) Always interesting and beneficial nevertheless to discover world somewhere over the rainbow (one fifth techie, one fifth poet and three fifths dreamer here!).- Thanks.
@Andy, that was rather [eta]matrix [https://en.m.wikipedia.org/wiki/Eta] and of course not epsilon (nor upsilon!).
I forgot ‘LocalCDN’ when some sites (few) require being added to the ‘Apply HTML filter for these domains:’
I also forgot that some sites (very few) require the user-agent to be set to ‘Chrome’ and even fewer won’t open because they’ve set their GDPR consent in such a way that the only work-around is to set for them user-agent = Google Bot or Microsoft Bot (i.e [slate.fr])
When the goin’ gets tough the tough get goin’ … hard for a farniente-driven guy as myself. Sometimes I wonder if Web life wouldn’t be worth keeping all defaults (OS and browser), no privacy not security tweaks, a Coconut Margarita in a hammock with blue ocean and sky. And the lady. You get the idea.
I was using noscript for several years before I realized I had too much time to spend configuring each new page. too many problems and few advantages. I don’t use anything to block js, and I’m happier.
“GNU LibreJS for Firefox provides a commendable solution for users seeking enhanced control over JavaScript execution on their web browsers. Inspired by Richard Stallman’s thought-provoking essay on The JavaScript Trap, this extension takes a nuanced approach by distinguishing between non-free non-trivial JavaScript and its free or trivial counterparts.
In a landscape where privacy and security are paramount concerns, GNU LibreJS empowers users by blocking potentially problematic JavaScript, as identified by criteria such as scripts loaded from external pages, DOM-altering scripts, or those utilizing eval. The extension’s user-friendly interface, featuring an informative toolbar icon and customizable controls, allows users to easily manage and whitelist trusted scripts or blacklist undesirable ones.
By highlighting the number of blocked JavaScript references on a page and offering detailed options to manage individual scripts or entire websites, GNU LibreJS strikes a balance between heightened security and user flexibility. The extension’s commitment to preserving user preferences across sessions adds a layer of convenience.
In a world where the web is heavily reliant on JavaScript, GNU LibreJS stands as a practical tool for those who prioritize privacy without sacrificing functionality. While some adjustments may be necessary for optimal compatibility with certain websites, the overall benefits in terms of privacy and security make this extension a valuable addition to the Firefox ecosystem.”
noscript is indeed painful to configure due to it’s ancient interface, but with uMatrix you can do everything in a few clicks. It”s also capable of blocking way more than just JS.
uMatrix is discontinued. Most or even all of its functionality is available in uBlock Origin (from the same author) when you activate the “advanced mode” there. So use that instead.
That’s just painful to imagine. To tweak every single page, I’d go nuts in the first 30 seconds.
I remember way back before Chrome even existed, me and a friend had a discourse which was better – Firefox or Opera. Back then there was no Chrome, so obviously I liked and used Firefox, it had add-ons, especially the ones that blocked ads, but opera did not. It had some useless widgets like Clock or Calculator or Calendar, and it could only block ads if you right-click each ad on each web page and manually block it.
Our argument ended when I told him that Firefox can block ads instantly and automatically compared to Opera requiring each ad to be manually blocked.
That’s just a pain in the neck.