GNU LibreJS for Firefox blocks non-free non-trivial JavaScript

Martin Brinkmann
Sep 7, 2022
Firefox add-ons
|
34

GNU LibreJS is a browser extension for Firefox and Firefox-based browsers that is designed to block non-free non-trivial JavaScript by default.

Compared to NoScript,  GNU LibreJS works similarly on first glance. One of the main differentiating factors is that NoScript blocks most JavaScript by default, while GNU LibreJS makes a distinction between non-free non-trivial JavaScript and free or trivial JavaScript.

librejs

GNU LibreJS is inspired by Richard Stallman's The JavaScript Trap essay. Stallman argues that browsers run non-free programs that are written mostly in JavaScript, but also in other languages.  Many of these programs are proprietary or not open, and some of them are malicious or problematic.

ADVERTISEMENT

Google Docs, according to Stallman, makes use of a JavaScript program that has a size of half a Megabyte. It is compacted, which makes it difficult to analyze and understand. JavaScript code that snoops on users is called malware by Stallman.

Stallman suggests to avoid running JavaScript that is considered not trivial or not free. A list of JavaScript code that matches the definition includes scripts loaded from external pages, that alter the DOM, or call eval. The full list is published on the GNU website.

GNU LibreJS makes these distinctions for the user when it is installed in Firefox and compatible browsers. It blocks all JavaScript that is considered not trivial, and allows JavaScript that it considers trivial.

The extension adds an icon to the browser's toolbar that highlights the number of blocked JavaScript references on the page. A click displays accepted and blocked JavaScript, and controls to change the status of the entire website or individual scripts or code. You can whitelist or blacklist an entire site, or individual code snippets or scripts. The extension remembers these across sessions.

Options to show the JavaScript code are provided, as is an option to forget all custom settings or individual custom settings.

Closing Words

The use of GNU LibreJS improves privacy and security while using the web browser the extension is installed in. Users should run into fewer compatibility issues with sites, as trivial JavaScript is allowed to run. It may still be necessary to adjust the allow and disallow lists and individual scripts regularly to get certain websites to work properly.

Now You: how do you handle JavaScript?

Summary
software image
Author Rating
1star1star1star1star1star
3.5 based on 8 votes
Software Name
GNU LibreJS
Software Category
Browser
Landing Page
Advertisement

Previous Post: «
Next Post: «

Comments

  1. banita said on September 7, 2022 at 5:05 pm
    Reply

    I was using noscript for several years before I realized I had too much time to spend configuring each new page. too many problems and few advantages. I don’t use anything to block js, and I’m happier.

    1. Allwynd said on September 7, 2022 at 6:21 pm
      Reply

      That’s just painful to imagine. To tweak every single page, I’d go nuts in the first 30 seconds.

      I remember way back before Chrome even existed, me and a friend had a discourse which was better – Firefox or Opera. Back then there was no Chrome, so obviously I liked and used Firefox, it had add-ons, especially the ones that blocked ads, but opera did not. It had some useless widgets like Clock or Calculator or Calendar, and it could only block ads if you right-click each ad on each web page and manually block it.

      Our argument ended when I told him that Firefox can block ads instantly and automatically compared to Opera requiring each ad to be manually blocked.

      That’s just a pain in the neck.

    2. umatrixrulez said on September 7, 2022 at 7:05 pm
      Reply

      noscript is indeed painful to configure due to it’s ancient interface, but with uMatrix you can do everything in a few clicks. It”s also capable of blocking way more than just JS.

  2. Tom Hawack said on September 7, 2022 at 5:27 pm
    Reply

    When I encounter a webpage displaying/running incorrectly I have to check,

    1- uBlock Origin : I have set default permissions to lowest and must allow or not 1st-party scripts, 3rd-party scripts, 3rd-party frames, sometimes block inline scripts …

    2- CleanLinks : I have to check what is blocked if applicable.

    3- CanvasBlocker : I have to check if a site wouldn’t require in particular Canvas itself (very seldom).

    4- Referer Modifier : I’ve set Default for any domain = target and for same domain = prune. Some domains accept neither (require “keep”).

    5- WebAssembly and WebGL : both disabled by default, but two home-made buttons to toggle if really required.

    That’s about it, but enough to have not added the ‘NoScript’ extension in older days.

    I’ve just tried this ‘LibreJS’ extension :

    I had to whitelist [geoportail.gouv.fr] (or go through scripts 1 by one) : the domain is trustworthy as far as I know.
    I tested some Wikipedia pages : several scripts blocked yet the page displayed correctly apart from the ‘Contents’ open/close drop-down menu (opened) : either whitelist Wikipedia or those of its blocked scripts pertaining to the ‘Contents’ menu …

    I just don’t have the time.
    Speaking to myself : “You don’t have the time for security or are you plain lazy”
    Answering to my alter ego : “Security-lazy, me, with all that I handle already for security and privacy?”
    Alter replied ; “Well then why not add ‘LibreJS’ as extra security?”
    I smatched with a : “Because I consider (though may be wrong) that all that I’ve set is enough to handle quite an array of security and privacy intrusions. What do you say about that?”
    Alter sighed. We remain on good terms but i think he’s disappointed.

    1. Tom Hawack said on September 7, 2022 at 5:45 pm
      Reply

      I forgot ‘LocalCDN’ when some sites (few) require being added to the ‘Apply HTML filter for these domains:’
      I also forgot that some sites (very few) require the user-agent to be set to ‘Chrome’ and even fewer won’t open because they’ve set their GDPR consent in such a way that the only work-around is to set for them user-agent = Google Bot or Microsoft Bot (i.e [slate.fr])

      When the goin’ gets tough the tough get goin’ … hard for a farniente-driven guy as myself. Sometimes I wonder if Web life wouldn’t be worth keeping all defaults (OS and browser), no privacy not security tweaks, a Coconut Margarita in a hammock with blue ocean and sky. And the lady. You get the idea.

    2. Andy Prough said on September 7, 2022 at 6:27 pm
      Reply

      @Tom –
      >”1- uBlock Origin : I have set default permissions to lowest and must allow or not 1st-party scripts, 3rd-party scripts, 3rd-party frames, sometimes block inline scripts …”

      Yes, this is the way I prefer to handle js, with uBlock origin in advanced mode, or better yet with the remarkable ?Matrix extension on Pale Moon. On Brave, I use noscript or uBlock Origin. The nice thing about uBlock and ?Matrix is that they both also block ads and trackers. One stop shopping for all my blocking needs.

      I spend most of my browsing time with the links2 terminal browser which isn’t able to run any javascript, so there’s nothing more javascript-wise to think about with that browser.

      1. Tom Hawack said on September 7, 2022 at 6:40 pm
        Reply

        @Andy Prough, not to mention handles as well some features requiring other extensions… uMatrix s no longer maintained by Raymond Hill (developer of uBO for those who wouldn’t know), yet perhaps remains sufficiently valid over time. I hadn’t even tried it then because I assumed it’d be over my capacities together with the fact that I considered that uBO together with a few other extensions would make it sufficiently for my ‘eXperience’ …

        I think some other developer is maintaining uMatrix in his own way, not sure.

        @Andy, what do you think of the ‘NoScript’ and this ‘LibreJS’ extensions?

      2. Andy Prough said on September 7, 2022 at 8:38 pm
        Reply

        @Tom
        I meant to say “eMatrix” (or the Greek letter ‘e’), it’s a new Pale Moon extension that has brought the old uMatrix back to life. It’s actually not any more complicated than uBlock in advanced mode – in fact it’s a bit easier in a lot of ways. Just takes some getting used to.

        I’ve been a noscript user on-and-off since the mid-2000’s when it was fairly new. I’m very used to it and very comfortable with it, and I think that its defaults keep the user very safe. I prefer uBlock or eMatrix because they add in the ad-blocking and tracker blocking, but for a browser like Brave with built-in ad-blocking, all I really need to add is noscript.

        I’ve used LibreJS at various times, mainly because I’ve used the GNU IceCat version of Firefox, which normally comes with LibreJS. I think it’s similar to noscript in that in its default state it will keep you pretty safe, but once again I prefer uBlock or eMatrix with the ad-blocking and tracker blocking. I prefer noscript over LibreJS because I’m more used to noscript, but either of them will allow things to be whitelisted, so for my purposes they have a lot in common.

      3. Tom Hawack said on September 7, 2022 at 10:01 pm
        Reply

        @Andy Prough, [epsilon]matrix, OK :) But only for Pale Moon, anyway as you use it.

        Thanks for your reviews of NoScript and LibreJS. You’ve experienced both which is what I was hoping for before wishing to know your feelings about both were, are.

        You mentioned in your first comment the links2 terminal browser. That’s an environment I have no idea of. I guess you’re really a techie :) Always interesting and beneficial nevertheless to discover world somewhere over the rainbow (one fifth techie, one fifth poet and three fifths dreamer here!).- Thanks.

      4. Tom Hawack said on September 7, 2022 at 10:17 pm
        Reply

        @Andy, that was rather [eta]matrix [https://en.m.wikipedia.org/wiki/Eta] and of course not epsilon (nor upsilon!).

    3. ShintoPlasm said on September 7, 2022 at 9:07 pm
      Reply

      @Tom:

      Interested to know which websites you’ve encountered that actually require WebAssembly and/or WebGL to work, if you don’t mind sharing.

      1. Tom Hawack said on September 7, 2022 at 9:42 pm
        Reply

        @ShintoPlasm, these are those I’ve experienced, but I don’t surf as I used to twenty years ago. I’m getting anchored to fewer sites so there’s undoubtedly many more :

        WebAssembly :
        [https://privatebin.net/]
        [https://paste.i2pd.xyz/]
        [https://sqliteonline.com/]
        https://stellarium-web.org/%5D

        WebGL :
        [https://www.instantstreetview.com/] : makes it without, makes it far better with.
        [https://www.google.com/maps/] : makes it without, makes it far better with.
        [https://histography.io/] : won’t run without.
        [http://radio.garden/] : won’t run without.

        Concerning Google Maps I guess any site running actively an embedded Google Maps will run that embed far better with WebGL enabled. Personally I block embedded Google Maps (btw many sites now prefer embedded OpenStreetMap) and open Google Maps very seldom, less and less, mainly for Google Street View because I just love moving around almost as if i were there :=)

        Far from being exhaustive, certainly. I don’t want WebAssembly nor WebGL to be enabled by default so the two toolbar buttons I’ve created (userChromeJS scripts in fact) simply allow to toggle “javascript.options.wasm” (true/false)and “webgl.disabled” (false/true) when visiting sites requiring either. I’ve associated an animated png (apng) to activate when the setting is true for the former, false for the latter, in order to be aware to disable when exiting the site. Unfortunately I don’t know how to build an extension that would allow to remember site specifically.

      2. Tom Hawack said on September 7, 2022 at 9:49 pm
        Reply

        EDIT : the last item in the list noted as requiring WebAssembly is of course [https://stellarium-web.org/]
        I had forgotten the first bracket. CopyPaste and I have always had a problamatic relationship but I’m the only to blame, lol.

      3. Tom Hawack said on September 7, 2022 at 9:51 pm
        Reply

        @ShintoPlasm, these are those I’ve experienced, but I don’t surf as I used to twenty years ago. I’m getting anchored to fewer sites so there’s undoubtedly many more :

        WebAssembly :
        [https://privatebin.net/]
        [https://paste.i2pd.xyz/]
        [https://sqliteonline.com/]
        [https://stellarium-web.org/]

        WebGL :
        [https://www.instantstreetview.com/] : makes it without, makes it far better with.
        [https://www.google.com/maps/] : makes it without, makes it far better with.
        [https://histography.io/] : won’t run without.
        [http://radio.garden/] : won’t run without.

        Concerning Google Maps I guess any site running actively an embedded Google Maps will run that embed far better with WebGL enabled. Personally I block embedded Google Maps (btw many sites now prefer embedded OpenStreetMap) and open Google Maps very seldom, less and less, mainly for Google Street View because I just love moving around almost as if i were there :=)

        Far from being exhaustive, certainly. I don’t want WebAssembly nor WebGL to be enabled by default so the two toolbar buttons I’ve created (userChromeJS scripts in fact) simply allow to toggle “javascript.options.wasm” (true/false)and “webgl.disabled” (false/true) when visiting sites requiring either. I’ve associated an animated png (apng) to activate when the setting is true for the former, false for the latter, in order to be aware to disable when exiting the site. Unfortunately I don’t know how to build an extension that would allow to remember site specifically.

      4. Shiva said on September 8, 2022 at 11:22 am
        Reply

        @Tom Hawack
        >…so the two toolbar buttons I’ve created (userChromeJS scripts in fact)

        Nice idea these buttons, do you happen to know any clear and easy tutorial for those who want to learn how to make some simple userChromeJS scripts? To enable/disable some parameters I use this script by adding the related entries:

        https://github.com/garywill/aboutconfig-menu –>

        {
        name: “WebGL Disabled”,
        type: prefs.PREF_BOOL,
        pref: “webgl.disabled”,
        possibleVals: [
        { name: “False” , val: false },
        { name: “True” , val: true },
        ]
        },

        Indeed it might be useful to make a feature request to the developer who already had an excellent idea to change the colors of the items in the menu when they have a changed value.

      5. Tom Hawack said on September 8, 2022 at 1:16 pm
        Reply

        @Shiva,

        Sorry for the above double comment. Because of a mistake of mine which postponed the display of my comment I repeated the comment rather than waiting for it to appear later on… sometimes I forget even after so many years posting here.

        Concerning userChromeJS : I think the best way to understand how to implement it (in Firefox anyway) is to consider xiaoxiaoflood’s dedicated GitHub repo : [https://github.com/xiaoxiaoflood/firefox-scripts]

        It’s really easy to install. The repo includes various userChrome scripts as well and others are available on various pages, mainly for what I know on GitHub pages : the best is to search GitHub for ‘UserChromeJS’ ..

        It’s fairly easy to modify available userChromeJS scripts to adapt them for our own needs. That’s what I do.

        For instance, the two toolbar buttons userChromeJS buttons mentioned above are simply scripts I modified to deal with toggling WebAssembly and WebGL about:config prefs. Hereafter for whome may be curious/interested :

        Toggle-WebAssembly.uc.js :
        [https://paste.i2pd.xyz/?425957642405131c#jLkwKzUZFPpmXx6N7KxyVWtQhAPAkJx2n6YDhXv3nVh]

        Toggle-WebGL.uc.js :
        [https://paste.i2pd.xyz/?4d267d489b544317#DxkdhKSVs7CL84Sr7rMRkKpxT4KXvQ9GzcZAHC2NHiDy]

        *Note : these pages require WebAssembly, lol!

        Really worth it. You can perform so much with this.

      6. Shiva said on September 8, 2022 at 2:12 pm
        Reply

        @Tom Hawack,

        Ah! Ah! Ah! You did a good job to remind yourself not to have some preferences enabled! :-) Thanks, I have saved a button as template, it will be useful to me. I will certainly use the animated png as well. https://sourceforge.net/u/maxst/profile/

        Currently as sources I have already bookmarked Alice0775, Aminomancer, Aris-t2, Garywill and Xiaoxiaoflood. The truth is that I can’t make heads or tails this time, so for once I am not being lazy and would like to try to learn from scratch.

      7. Tom Hawack said on September 8, 2022 at 3:19 pm
        Reply

        @Shiva, I share some of the sources you mention : Alice0775, Aris-t2 and of course Xiaoxiaoflood

        I discover Aminomancer and Garywill

        I have four others :
        ardiman [https://github.com/ardiman/userChrome.js]
        duponyjoy [https://github.com/dupontjoy/userChrome.js-Collections-]
        Endor8 [https://github.com/Endor8/userChrome.js/]
        harv [https://github.com/harv/userChromeJS/]

        Funny anecdote : a developer had declared (and hasn’t updated!) : “userChrome.js – obsolete in Firefox 72” [https://luke-baker.github.io/] which has proven to be wrong, right?!

        About Animated PNGs : personally I build mine at [https://ezgif.com/apng-maker] : builds and edits as well, nice for deconstructing a given apng.

        I just love these constructive dialogs, exchanges :)

      8. Shiva said on September 8, 2022 at 6:55 pm
        Reply

        As an All-In-One-Sidebar orphan, I recommend ‘Sidebar Switch’ by Garywill. I can’t tell you the times I unnecessarily moved the mouse to the left side by clicking to open the sidebar until this script.

        >I just love these constructive dialogs

        Ah! I took a look at the repositories I didn’t know about, now there is still some room to stay lazy with trials and error! And I gained a button.

      9. Tom Hawack said on September 8, 2022 at 9:36 pm
        Reply

        @Shiva, as I review our comments I realize that I may have misunderstood your question when you wrote above “[…] do you happen to know any clear and easy tutorial for those who want to learn how to make some simple userChromeJS scripts?”

        You were as it seems searching on how to build userChromJS scripts, not how to implement userChromeJS.
        Anyway, it may have helped others. Your aim as I understand it now is to find a tutorial on how to build a userChromeJS script, you’d like to build them by yourself as it seems. For that I have no answer unfortunately. But as always, adapting, converting, trial & error are excellent teachers I guess, even if may take more time.

        I had a look at [https://garywill.github.io/#Firefox-userChrome-CSS-or-JS]. Indeed interesting stuff. Bookmarked!

    4. Hitomi said on September 19, 2022 at 2:49 pm
      Reply

      > 5- WebAssembly and WebGL : both disabled by default, but two home-made buttons to toggle if really required.

      Please share these on pastebin.

      1. Hitomi said on September 19, 2022 at 2:58 pm
        Reply

        Sorry I see this disables the sandbox. Politely passing.

  3. Anonymous said on September 7, 2022 at 6:23 pm
    Reply

    Why would you use JS if you don’t want to change the DOM? By considering DOM changes as non-trivial this seems to penalize the most valid reason to use JS in the first place.

  4. Anonymous said on September 7, 2022 at 8:28 pm
    Reply

    I think that I shall give this one a pass for now. It has only 43 users!
    I tend to check the number of users before I install an extension.
    The one with the most users usually gets the nod from me.
    (If there are other alternatives, naturally. Otherwise I don’t install anything in that category.) At the moment I use UBO to disable JS.

  5. Anonymous said on September 7, 2022 at 11:45 pm
    Reply

    Five one-star and two-star rating out of 43 users.

    1. Anonymous said on September 8, 2022 at 9:50 pm
      Reply

      That makes no difference to me.

  6. grep said on September 8, 2022 at 1:58 am
    Reply

    I’m happy with NoScript, but I recognize it’s not for everyone, and don’t recommend it to non-geek clients. It’s a bitch to get used to, but I’ve been using it for more than a decade, so my very long “per-site permission” list (which I review and cull periodically) ensures it’s not nearly as intrusive as it was at the start.

    I also use UBO and CanvasBlocker, and have FF settings locked down pretty tight.

  7. owl said on September 8, 2022 at 5:22 am
    Reply

    By using this browser extension “GNU LibreJS” to use,
    I am able to verify that the “nontrivial JavaScript” details.
    Its capabilities remind me of uMatrix and eMatrix (Pale Moon extension), which I preferred to use in the past. Neither of these are used now (because I felt uBO was sufficient).
    I measured the “resources” in the browser’s task manager (about:performance) and it stayed at 0 KB even while browsing.
    This is awesome!

    If it doesn’t demand system resources and doesn’t cause conflicts, I found it useful to easily, individually nontrivial JavaScript and to control them (Whitelist, Blacklist).

    1. owl said on September 8, 2022 at 5:40 am
      Reply

      > I measured the “resources” in the browser’s task manager (about:performance) and it stayed at 0 KB even while browsing.

      I was misunderstanding about the Name of the extension.
      GNU LibreJS: 81 KB.

  8. Reno Sifana Paksi said on September 8, 2022 at 4:52 pm
    Reply

    Hi. When I tried to install GNU LibreJS a while ago I uninstalled it again. When after I uninstall some web pages like Wikipedia the font looks too small as usual (Zoom level is 100%) the font is not legible. I don’t know if it’s because of GNU LibreJS or not.

  9. awc said on September 9, 2022 at 5:57 am
    Reply

    thought we know by now that free or not free is irrelevant when it comes to security. open sourced stuff can be poisoned.

    just block everything.

    1. owl said on September 9, 2022 at 8:38 am
      Reply

      > thought we know by now that free or not free is irrelevant when it comes to security. open sourced stuff can be poisoned.
      just block everything.

      You are misinterpreting the meaning.
      Please check the official website of this browser extension and other sites first, neatly.

      LibreJS – GNU Project – Free Software Foundation
      https://www.gnu.org/software/librejs/
      GNU LibreJS aims to address the JavaScript problem described in Richard Stallman’s article The JavaScript Trap. LibreJS is a free add-on for GNU IceCat and other Mozilla-based browsers. It blocks nonfree nontrivial JavaScript while allowing JavaScript that is free and/or trivial.

      The JavaScript Trap – GNU Project – Free Software Foundation
      https://www.gnu.org/philosophy/javascript-trap.html

      “Block JavaScript (JS)” with NoScript, uMatrix, uBO, etc. However, it cannot check the specific details of those JavaScript (which are usually a combination of many JS) (again, user have to look them up again own self).

      The advantage of this browser extension, GNU LibreJS, is that it does not just block JS, but allows you to see the details of “non-trivial JavaScript.

      I currently block all JS by default using “uBO”.
      By adding this extension, I will have “all of those JS explicitly and specifically listed” so I can better understand the actual situation (whether blocking is necessary or not).

      It is not a matter of which one to choose (from uBO, etc.), but the usefulness (complementary function) of this extension to “know what kind of JS it is”.

  10. pd said on September 10, 2022 at 3:48 am
    Reply

    Great idea IN THEORY except for Stallman’s pignorance about licensing.

    Nobody cares!

    Break sites because your stupid extension

    a) cares too much about licensing … arguably destroying the most trivial learning and innovation strength of the web: copy and paste!

    b) if ( jQuery ) { BREAK_SITE = true } // FFS, Stallman by name, stall man by nature: blocks all innovation and progress with his puritanical OCD

    Please, can someone fork this and get rid of the licensing obsession? Users deserve a means of blocking JS that is not a) dependant on someone’s arbitrary politics; b) global by default, requiring everyone to know that most legitimate JS functionality is served up by third party CDNs.

    1. owl said on September 10, 2022 at 11:47 pm
      Reply

      @pd,
      > Please, can someone fork this and get rid of the licensing obsession?

      This browser extension is part of the GNU Project.
      GNU Project – Wikipedia
      https://en.wikipedia.org/wiki/GNU_Project
      GNU General Public License – Wikipedia
      https://en.wikipedia.org/wiki/GNU_General_Public_License
      The project is available in the Git repository and anyone can join as a contributor.
      Why don’t you join the project instead of begging others to “Please, can someone fork…”?

      LibreJS development happens in its Git repository.
      librejs.git – LibreJS
      https://git.savannah.gnu.org/cgit/librejs.git/

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.