Some time ago I tried to use LibreJS in my default web browser, but then disabled it, because of a lack of good understanding of how it works and what exactly it does.

In my understanding, the main features of LibreJS are:

1. Detect non-free JS.
2. Block non-free JS.

One of the main reasons for that is to protect the user from code that's likely to be malicious in one way or another. Yes, there are sandboxes and anti-fingerprinting measures for JS in modern web browsers, but AFAIK they do not provide 100% protection for user safety and privacy anyway.

Now let's imagine the user base of LibreJS is huge, and many websites have to take that user base into account (unfortunately, I doubt all this is true now). If a site publisher decides to serve some malicious minified / obfuscated JS code to all the visitors, and provides fake information about the license and source code on the webpage, in order to cheat LibreJS, are there any countermeasures for that? If there's nothing, then both those main features fail to work in that specific case.

I understand that this issue is not unique to LibreJS only, but to all software in general. Many software projects currently try to adopt reproducible builds practices [1]. But due to the nature of the Web, running JS code from untrusted third parties is very common, and there seems to be no easy solution to follow that practice for every single website.

Instead of LibreJS, for now I chose to disable JS altogether on almost all websites I visit. Extensions like NoScript and uBlock Origin can both block all JS code by default on non-whitelisted websites.

As studying and understanding the full source code of LibreJS is not my top priority currently (unfortunately), I decided to ask here about the issue I'm concerned about, so maybe someone familiar with the internal workings will be able to answer it.

[1]: https://reproducible-builds.org/
