

Avoid the Pitfalls of the JavaScript Trap on Gmail - tjr
http://www.fsf.org/blogs/community/gmail-jstrap

======
iuguy
From the article:

"Further, we've recently seen companies such as Research In Motion (makers of
the Blackberry) advising customers to entirely disable JavaScript in the
WebKit browser on its devices because of a security problem that was
discovered. While free software JavaScript can have security problems too,
this example illustrates that we have a real need to be able to see what the
code we're running on our computers is actually doing, and change it."

I think the author doesn't understand how client side javascript works. If on
the other hand they're referring to server side Javascript, that has nothing
to do with the web browser over say, PHP. You don't necessarily get the source
to a PHP-based web app when you use it. Why so much Javascript hate?

~~~
romey
I think the rub here is not that they want to be able to see the script files,
it's that they want the javascript behind GMail and other big apps to be
released under a Free Software License.

~~~
DanI-S
I can understand the point, but is it really necessary to express it in a way
that evokes the works of L Ron Hubbard?

 _You may not be aware of the dangers of JavaScript — a problem we've deemed
The JavaScript Trap — proprietary software running on your computer, inside
your web browser._

Danger! Your very _soul_ is at risk!

This page is even worse: <http://www.gnu.org/philosophy/javascript-trap.html>

_Silently loading and running nonfree programs is one among several issues
raised by "web applications". The term "web application" was designed to
disregard the fundamental distinction between software delivered to users and
software running on the server._

Beware, dear reader. They may be starting with this fundamental distinction...
but your children will be next!

~~~
romey
I agree, it is rather unsettling how they frame their argument--there really
isn't an argument at all as to why these things should be released under such
a license, besides a vague allusion to security concerns. I love open source
stuff, but the Free Software Foundation always seemed to me like that annoying
vegan friend who never leaves you alone about the evils of animal products

the tagline in the link reads like a scary movie trailer: >You may be running
nonfree programs on your computer every day without realizing it--through your
web browser.

~~~
gamerman2360
Security concerns was not the only argument. "It's clear that JavaScript is a
very powerful and useful technology in the right hands. Many free software
developers have written add-ons and enhancements to popular websites thanks to
tools like Greasemonkey. There's a slew of fantastic free software
Greasemonkey scripts for Gmail. The existence of scripts like these shows both
that Gmail's JavaScript is not trivial, and that there are users who could
make useful, interesting contributions if the JavaScript were released as free
software for them to modify." They argue that we should be able to change
GMail's javascript code just like we do other applications we use.

~~~
quanticle
>They argue that we should be able to change GMail's javascript code just like
we do other applications we use.

What the FSF doesn't get is that its actually much _easier_ to change
proprietary JavaScript than it is to modify a binary running on your system.

~~~
gamerman2360
I think they do understand that. It is, however, nontrivial to edit compiled
JavaScript. There might also be legal complications to editing the scripts...

------
paul
How weird. Their position here seems to be that proprietary software running
on Google's servers generating html is ok, but proprietary javascript embedded
in those pages is not ok. (because it runs in your browser?)

~~~
brehaut
Server side code is what they have the affero GPL for:

“The GNU Affero General Public License is a modified version of the ordinary
GNU GPL version 3. It has one added requirement: if you run the program on a
server and let other users communicate with it there, your server must also
allow them to download the source code corresponding to the program that it's
running. If what's running there is your modified version of the program, the
server's users must get the source code as you modified it.…” —
<http://www.gnu.org/licenses/why-affero-gpl.html>

presumably they dont want the back end of gmail being proprietary either but
its not the point of the article?

------
wooptoo
FSF is going a bit too far here. Come on, Google even allows you to take your
data off their servers. What more do you want?

------
DjDarkman
This article is ridiculous and pointless JavaScript hate article.

JavaScript is not different from HTML and CSS, all of these are generated by a
sometimes proprietary service and executed in the browser.

This article is completely stupid because it not only misses the point of
JavaScript, it even contradicts itself:

\- if the UI is plain HTML/CSS and is generated server side and then fed to
your browser, you will never even have a clue how it works

\- if the UI is done with JavaScript on the client you can always de-obfuscate
it

> Further, we've recently seen companies such as Research In Motion (makers of
> the Blackberry) advising customers to entirely disable JavaScript in the
> WebKit browser on its devices because of a security problem that was
> discovered.

It seems the FSF wants to build a reputation by taking things out of context
and leaving out important bits. The security was probably found in the browser
and not in JavaScript, this is the same as advising someone to unplug the
computer because of a computer virus.

I am really disappointed by this short sighted article, the FSF should be
better than this.

------
mathrawka
April Fool's joke got out a little early?

~~~
brehaut
The corollary to Poe's law[1] is appropriate here: Even the most sincere
fundamentalism will be confused with with parody by a cynical enough audience.

[1] <http://en.wikipedia.org/wiki/Poes_law>

------
Sidnicious
I have a problem with this article, which is that treats JavaScript "programs"
as different from other resources on the web. Must the HTML and CSS which make
up a webpage be free? What about pictures, audio, and video?

JavaScript may be the most flexible language which web browsers natively
understand, but HTML has long included forms (now with support for validation)
and CSS lets authors program complex, interactive rules for presentation.

Even without JavaScript, websites like Gmail are undeniably applications (in
this case, a mail reader, manager, and composer), some part of which are
downloaded to and rendered by your own computer.

(P.S. I believe I've heard about more security vulnerabilities in browsers'
handling of images than in their JavaScript engines. Also, CSS is turning
complete:
[https://github.com/elitheeli/oddities/blob/master/rule110-gr...](https://github.com/elitheeli/oddities/blob/master/rule110-grid.html))

------
willscott
The benefit to Google of the current mode is the ability to rapidly change the
code pushed to your browser.

If there was a open source release of the gmail client code, it would force
google into maintaining an API for that code for the foreseeable future, which
would require additional effort.

The closest to this request that seems remotely likely is a client side API
for gmail, so that browser plugins or third party services could extend it. I
see a lot of cost to Google to actually release the code, and not a ton of
benefit.

------
amalag
Isn't the javascript at Gmail machine generated with GWT? Did I miss
something?

~~~
willscott
The Gmail frontend is written in javascript using the closure library.

<http://code.google.com/closure/>

You can look at the (compiled version) of the code by looking at the scripts
tab of the chrome web inspecter. They're there :)

~~~
Stormbringer
Where/how are they hiding the client side javascript?

