(A canonical version of this article will soon be published on gnu.org.)

The Javascript Trap

by Richard M. Stallman

You may be running non-free programs on your computer every day without realizing it -- through your web browser.

In the free software community, the idea that non-free programs mistreat their users is familiar. Some of us refuse entirely to install proprietary software, and many others consider non-freedom a strike against the program. Many users are aware that this issue applies to the plug-ins that browsers offer to install, since they can be free or non-free.

But browsers run other non-free programs which they don't ask you about or even tell you about -- programs that web pages contain or link to. These programs are most often written in Javascript, though other languages are also used.

Javascript (officially called ECMAscript, but few use that name) was once used for minor frills in web pages, such as cute but inessential navigation and display features. It was acceptable to consider these as mere extensions of HTML markup, rather than as true software; they did not constitute a significant issue.

Many sites still use Javascript that way, but some use it for major programs that do large jobs. For instance, Google Docs downloads into your machine a Javascript program which measures half a megabyte, in a compacted form that we could call Obfuscript because it has no comments and hardly any whitespace, and the method names are one letter long. The source code of a program is the preferred form for modifying it; the real source code of this program is not available to the user.

Browsers don't normally tell you when they load Javascript programs. Most browsers have a way to turn off Javascript entirely, but none of them can check for Javascript programs that are nontrivial and non-free. Even if you're aware of this issue, it would take you considerable trouble to identify and then block those programs. However, even in the free software community most users are not aware of this issue; the browsers' silence tends to conceal it.

It is possible to release a Javascript program as free software, by distributing the source code under a free software license. But even if the program's source is available, there is no easy way to run your modified version instead of the original. Current free browsers do not offer a facility to run your own modified version instead of the one delivered in the page. The effect is comparable to tivoization, although not quite so hard to overcome.

Javascript is not the only language web sites use for programs sent to the user. Flash supports programming through an extended variant of Javascript. We will need to study the issue of Flash to make suitable recommendations. Silverlight seems likely to create a problem similar to Flash, except worse, since Microsoft uses it as a platform for non-free codecs. A free replacement for Silverlight would hardly be of use in the free world without free replacement codecs.

Java applets also run in the browser, and raise similar issues. In general, any sort of applet system poses this sort of problem. Having a free execution environment for an applet only brings us far enough to encounter the problem.

A strong movement has developed that calls for web sites to communicate only through formats and protocols that are free (some say "open"); that is to say, whose documentation is published and which anyone is free to implement. With the presence of programs in web pages, that criterion is necessary, but not sufficient. Javascript itself, as a format, is free, and use of Javascript in a web site is not necessarily bad. However, as we've seen above, it also isn't necessarily ok. When the site transmits a program to the user, it is not enough for the program to be written in a documented and unencumbered language; that program must be free, too. "Only free programs transmitted to the user" must become part of the criterion for proper behavior by web sites.

Silently loading and running non-free programs is one among several issues raised by "web applications". The term "web application" was designed to disregard the fundamental distinction between software delivered to users and software running on the server. It can refer to a specialized client program running in a browser; it can refer to specialized server software; it can refer to a specialized client program that works hand in hand with specialized server software. The client and server sides raise different ethical issues, even if they are so closely integrated that they arguably form parts of a single program. This article addresses only the issue of the client-side software. We are addressing the server issue separately.

In practical terms, how can we deal with the problem of non-free Javascript programs in web sites? Here's a plan of action.

First, we need a practical criterion for nontrivial Javascript programs. Since "nontrivial" is a matter of degree, this is a matter of designing a simple criterion that gives good results, rather than determining the one correct answer.

Our proposal is to consider a Javascript program nontrivial if it defines methods and either loads an external script or is loaded as one, or if it makes an AJAX request.

At the end of this article we propose a convention by which a nontrivial Javascript program in a web page can state the URL where its source code is located, and can state its license too, using stylized comments.

Finally, we need to change free browsers to support freedom for users of pages with Javascript. First of all, browsers should be able to tell the user about nontrivial non-free Javascript programs, rather than running them. Perhaps NoScript could be adapted to do this.

Browser users also need a convenient facility to specify Javascript code to use *instead* of the Javascript in a certain page. (The specified code might be total replacement, or a modified version of the free Javascript program in that page.) Greasefire comes close to being able to do this, but not quite, since it doesn't guarantee to modify the Javascript code in a page before that program starts to execute. Using a local proxy works, but is too inconvenient now to be a real solution. We need to construct a solution that is reliable and convenient, as well as sites for sharing changes. The GNU Project would like to recommend sites which are dedicated to free changes only.

These features will make it possible for a Javascript program included in a web page to be free in a real and practical sense. Javascript will no longer be a particular obstacle to our freedom -- no more than C and Java are now. We will be able to reject and even replace the non-free nontrivial Javascript programs, just as we reject and replace non-free packages that are offered for installation in the usual way. Our campaign for web sites to free their Javascript can then begin.

Thank you to Matt Lee and John Resig for their help in defining our proposed criterion.

Appendix: a convention for releasing free Javascript programs

For references to corresponding source code, we recommend

   // @source:

followed by the URL.

To indicate the license of the Javascript code embedded in a page, we recommend putting the license notice between two notes of this form:

   @licstart  The following is the entire license notice for the 
   Javascript code in this page.
   ...
   @licend  The above is the entire license notice
   for the Javascript code in this page.

Of course, all of this should be contained in a multiline comment.

The GNU GPL, like many other free software licenses, requires distribution of a copy of the license with both source and binary forms of the program. However, the GNU GPL is long enough that including it in a page with a Javascript program can be inconvenient. You can remove that requirement, for code that you have the copyright on, with a license notice like this:

   Copyright (C) YYYY  Developer

   The Javascript code in this page is free software: you can
   redistribute it and/or modify it under the terms of the GNU
   General Public License (GNU GPL) as published by the Free Software
   Foundation, either version 3 of the License, or (at your option)
   any later version.  The code is distributed WITHOUT ANY WARRANTY;
   without even the implied warranty of MERCHANTABILITY or FITNESS
   FOR A PARTICULAR PURPOSE.  See the GNU GPL for more details.

   As additional permission under GNU GPL version 3 section 7, you
   may distribute non-source (e.g., minimized or compacted) forms of
   that code without the copy of the GNU GPL normally required by
   section 4, provided you include this license notice and a URL
   through which recipients can access the Corresponding Source.

This work is licensed under the Creative Commons Attribution-No Derivative Works 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.