Feature Request: Javascript libraries of which the versions are in better control

  • 3 replies
  • 5 have this problem
  • 6 views
  • Last reply by Jasper1984


This is essentially aimed at the developers:

Anyone who browsed with NoScript, or used Ghostery, knows the web is full of JavaScript. These are often downloaded from separate websites (for no apparent reason; they can easily be hosted locally). This is a bad thing:

  • Accessing these gives the HTTP referrer (presumably), so it indicates to someone where you are browsing (though other resources do this too).
  • JavaScript is nowhere near as secure as HTML in terms of potential weaknesses.
  • JavaScript is -plainly- designed to have access to the web page, or the current URL.
  • These are often accessed via http, it could be spoofed to return a different
  • The servers it came from can outright change it at any point, and the user has little control; even if the JavaScript source code is unobfuscated, there is no time to do so as it is in the hands of the users immediately.

For this reason I suggest implementing a library (package system) for these JavaScripts, of which the packages are signed, and the user controls when they are updated. It should be easy for developers to use and add these libraries; preferably, additional people can attest they read the source code and approve of it.

Well, to be honest, I cannot really suggest entirely how to do it, I just don't know enough. And it has to be entirely transparent to users, at least. Some kind of system that detects that people have checked the source code, and/or a default time duration (depending on the package).

Of course this has to be coordinated with other browsers/standards creation. This sounds hard and it seems like you're already doing a really good job at it (and at developing FF in general).


All Replies (3)

Hi Jasper, to give a specific example, if Firefox were to find a site using a particular version of jQuery then it would instead use a pre-validated copy of that library from a trusted site or from the Firefox program folder?

I think this would be a complex project, but perhaps an extension developer would consider building it, at least to demonstrate how it could be done?

This forum is like an emergency room so your suggestion may get lost here. You can submit a version to the Input site (Help > Submit Feedback connects you) or on a Mozilla mailing list. Not sure which one would be right for this idea, but you could take a look here: https://lists.mozilla.org/.
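The substitution discussed in the posts above, as an added example that is not part of the thread or of Firefox: a local store pins a reviewed copy of a library by SHA-256 digest (a simpler stand-in for the signed packages proposed), keeps serving that copy when the server's bytes change, and switches only when the user approves. The class, method names, URL and sample source are hypothetical.

```javascript
// Added example: user-controlled pinning of third-party scripts (hypothetical names).
const crypto = require("crypto");

const sha256 = (text) =>
  crypto.createHash("sha256").update(text, "utf8").digest("hex");

// Constructed sample: a reviewed copy of a library held in the user's local store.
const REVIEWED_SOURCE = "function lib(){ return 'v1.0.0'; }";

class PinnedLibraryStore {
  constructor() {
    this.pins = new Map();    // library URL -> { digest, source } accepted by the user
    this.pending = new Map(); // library URL -> { digest, source } awaiting approval
  }
  // Record a copy the user (or a reviewer they trust) has accepted.
  pin(url, source) {
    this.pins.set(url, { digest: sha256(source), source });
  }
  // Decide what to execute for a script the page asked for.
  resolve(url, fetchedSource) {
    const pin = this.pins.get(url);
    if (!pin) return { action: "unpinned", source: null }; // caller applies its own policy
    const digest = sha256(fetchedSource);
    if (digest === pin.digest) return { action: "match", source: pin.source };
    // The server now returns different bytes: keep running the reviewed copy
    // and queue the new one until the user approves it.
    this.pending.set(url, { digest, source: fetchedSource });
    return { action: "held", source: pin.source };
  }
  // The user decides when the update takes effect.
  approve(url) {
    const next = this.pending.get(url);
    if (!next) return false;
    this.pins.set(url, next);
    this.pending.delete(url);
    return true;
  }
}

function demo() {
  const url = "https://cdn.example/lib-1.0.0.js"; // placeholder URL
  const store = new PinnedLibraryStore();
  store.pin(url, REVIEWED_SOURCE);
  const changed = REVIEWED_SOURCE + "\n/* changed on the server */";
  const first = store.resolve(url, REVIEWED_SOURCE).action;
  const second = store.resolve(url, changed);
  store.approve(url);
  const third = store.resolve(url, changed).action;
  return [first, second.action, second.source === REVIEWED_SOURCE, third];
}
```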


Nearly exactly what I mean. However, that interaction with the website developers is somewhat hostile? I mean you go about searching for known JavaScript libraries, and replacing them with local ones, basically trying to combine the website's and users' intent. If website owners get annoyed, they might try renaming stuff, slightly altering...

On the other hand, if it is provided as a way to get the libraries, website developers choose it for you. Of course guarantees, for instance having some sort of LTS versions or some such, could help attract usage.

And of course, you can also do both trying to detect and luring in usage.

Thanks for the quick response, I'll see if I can pass this on to the right place on the list if that is alright for you (probably tomorrow).

Sent basically what I wrote here to https://groups.google.com/forum/#!forum/mozilla.dev.webapi; it hasn't appeared there yet. Title is "Javascript libraries; give users more control by making user-controlled repositories" (probably will be too lazy to put specific link here)