Condition to link to javascript code?

Condition to link to javascript code?

[Bastien]

Hi all,

what are the conditions to link to a Javascript library within Emacs
core code?

https://github.com/viebel/klipse is a Javascript library, published
under GPLv3, that allows code evaluation in HTML pages.

We would like to let the org-mode HTML exporter use Klipse so that
HTML exports of code blocks make them executable in the HTML output.

I see two potential problems:

1. librejs could complain about Klipse not being safe.

2. We need to use these links, which point to Google servers:

  <script src="https://storage.googleapis.com/app.klipse.tech/plugin_prod/js/klipse_plugin.min.js"></script>
  <link rel="stylesheet" type="text/css" href="https://storage.googleapis.com/app.klipse.tech/css/codemirror.css">

(2) is easy (but not practical) to circumvent, as we can host the
files anywhere.

(1) seems more problematic.

Any advice on how to deal with those issues?

Thanks!

-- 
 Bastien

Re: Condition to link to javascript code?

[Clément Pit--Claudel]

[-- Attachment #1.1: Type: text/plain, Size: 325 bytes --]

On 2016-12-14 22:01, Bastien wrote: 
> 1. librejs could complain about Klipse not being safe.
> …
> (1) seems more problematic.

Could klipse be updated to include a LibreJS-friendly header?  Or could LibreJS be taught specifically about that library?  If so, there shouldn't be an issue with (1), right?

Clément.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: Condition to link to javascript code?

[Bastien]

Hi Clément,

Clément Pit--Claudel <clement.pit@gmail.com> writes:

> On 2016-12-14 22:01, Bastien wrote: 
>> 1. librejs could complain about Klipse not being safe.
>> …
>> (1) seems more problematic.
>
> Could klipse be updated to include a LibreJS-friendly header?  Or
> could LibreJS be taught specifically about that library?  If so, there
> shouldn't be an issue with (1), right?

Yes, right -- I've already forwarded the documentation to the
klipse.js developer on how to make it librejs-compatible, I'll
see if he can take this road.

-- 
 Bastien

Re: Condition to link to javascript code?

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > what are the conditions to link to a Javascript library within Emacs
  > core code?

How is such a thing even possible?

  > We would like to let the org-mode HTML exporter use Klipse so that
  > HTML exports of code blocks make them executable in the HTML output.

I don't understand what it means for an Emacs Lisp program to
"use Klipse".  Could you please explain the scenario in more
detail?  

  > 2. We need to use these links, which point to Google servers:

That is no good; it is not right to direct users to visit a particular
server, regardless of whose server it is -- whether it is Google, or
the FSF, or yours, or mine.

   1. librejs could complain about Klipse not being safe.

There are various ways to fix that.




-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.

Re: Condition to link to javascript code?

[Bastien Guerry]

Hi Richard,

Richard Stallman <rms@gnu.org> writes:

> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
>   > what are the conditions to link to a Javascript library within Emacs
>   > core code?
>
> How is such a thing even possible?

When a user exports an org-mode buffer to HTML, the HTML output can
contain links to external Javascript libraries.

We solved one of the problems by asking the author of the klipse
Javascript library to release it in a way that librejs accepts.

There is still the more general problem of linking to a library hosted
on Google's servers.

For example, the resulting HTML would contain these links:

https://storage.googleapis.com/app.klipse.tech/css/codemirror.css
https://storage.googleapis.com/app.klipse.tech/plugin_prod/js/klipse_plugin.min.js

Is it fine?

>   > We would like to let the org-mode HTML exporter use Klipse so that
>   > HTML exports of code blocks make them executable in the HTML output.
>
> I don't understand what it means for an Emacs Lisp program to
> "use Klipse".  Could you please explain the scenario in more
> detail?

Klipse is a Javascript library which allows to interpret a program
within a HTML page.

Take a simple Scheme sexp:

(+ 1 2)

When put within a HTML <code> tag:

<code>(+ 1 2)</code>

Then using klipse, this part of the HTML page becomes interactive.
You can edit it and evaluate it.

>   > 2. We need to use these links, which point to Google servers:
>
> That is no good; it is not right to direct users to visit a particular
> server, regardless of whose server it is -- whether it is Google, or
> the FSF, or yours, or mine.

This is not about *visiting* a server, it's about using a resource on
a server (in this case, the klipse.js library).

What do you suggest?

Asking users to download klipse.js and use it on their own servers?

It seems to me that the point of librejs is precisely to be able to
trust js code, even if it's not hosted on your server.

-- 
 Bastien

Re: Condition to link to javascript code?

[Elias Mårtenson]

[-- Attachment #1: Type: text/plain, Size: 640 bytes --]

On 19 December 2016 at 01:47, Bastien Guerry <bzg@gnu.org> wrote:


> There is still the more general problem of linking to a library hosted
> on Google's servers.
>
> For example, the resulting HTML would contain these links:
>
> https://storage.googleapis.com/app.klipse.tech/css/codemirror.css
> https://storage.googleapis.com/app.klipse.tech/plugin_
> prod/js/klipse_plugin.min.js


Wouldn't it make more sense to simply include these files in the package? I
can imagine it could be quite annoying to be on a plane when exporting a
HTML file and not being able to use the result just because one doesn't
have any Internet connectivity.

[-- Attachment #2: Type: text/html, Size: 1246 bytes --]

Re: Condition to link to javascript code?

[Bastien Guerry]

Hi Elias,

Elias Mårtenson <lokedhs@gmail.com> writes:

> On 19 December 2016 at 01:47, Bastien Guerry <bzg@gnu.org> wrote:
>
>     There is still the more general problem of linking to a library
>     hosted
>     on Google's servers.
>    
>     For example, the resulting HTML would contain these links:
>    
>     https://storage.googleapis.com/app.klipse.tech/css/codemirror.css
>     https://storage.googleapis.com/app.klipse.tech/plugin_prod/js/
>     klipse_plugin.min.js
>
> Wouldn't it make more sense to simply include these files in the
> package?

Yes, why not.

But I'd like to find a solution for users who are not currently in a
plane too.

So I really need to understand whether it is acceptable for a free
software to link to a GPLv3-licensed+librejs-accepted javascript
library on a Google server.

-- 
 Bastien

Re: Condition to link to javascript code?

[Elias Mårtenson]

[-- Attachment #1: Type: text/plain, Size: 542 bytes --]

On 19 December 2016 at 16:06, Bastien Guerry <bzg@gnu.org> wrote:

>
> But I'd like to find a solution for users who are not currently in a
> plane too.
>
> So I really need to understand whether it is acceptable for a free
> software to link to a GPLv3-licensed+librejs-accepted javascript
> library on a Google server.


But if you solve the problem for people on airplanes, then it's be solved
for everybody else since there will be no need to download anything from a
Google server, or did I completely misunderstand what this tool does?

[-- Attachment #2: Type: text/html, Size: 877 bytes --]

Re: Condition to link to javascript code?

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > When a user exports an org-mode buffer to HTML, the HTML output can
  > contain links to external Javascript libraries.

I see.

  > We solved one of the problems by asking the author of the klipse
  > Javascript library to release it in a way that librejs accepts.

That will eliminate one problem for all the web pages that use klipse,
so it is a good thing.

  > There is still the more general problem of linking to a library hosted
  > on Google's servers.

That's the issue.  I don't think we should output references to a
library to be loaded directly off anyone's server.  (Google is no worse
or better than anyone else.)

  > Klipse is a Javascript library which allows to interpret a program
  > within a HTML page.

Does this mean it contains a Scheme interpreter written in Javascript?

Why in the world do we want Emacs to output such a thing???

  > This is not about *visiting* a server, it's about using a resource on
  > a server (in this case, the klipse.js library).

Yes, I know -- but either way it is directing the user to run software
off a specific server, and that's the issue.

  > It seems to me that the point of librejs is precisely to be able to
  > trust js code, even if it's not hosted on your server.

It avoids running nonfree software, but that still doesn't make
things entirely right.  Users should decide which version of a program
to run, not follow someone's decisions automatically.

  > Wouldn't it make more sense to simply include these files in the package? I
  > can imagine it could be quite annoying to be on a plane when exporting a
  > HTML file and not being able to use the result just because one doesn't
  > have any Internet connectivity.

That's another reason not to load files from a server.

  > Asking users to download klipse.js and use it on their own servers?

That would certainly solve the problem.  But I still have to ask,
why in the world do we want Emacs to output such a thing???


-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.

Re: Condition to link to javascript code?

[Stefan Monnier]

> So I really need to understand whether it is acceptable for a free
> software to link to a GPLv3-licensed+librejs-accepted javascript
> library on a Google server.

I think as long as this URL is not fetched automatically in unexpected
circumstances, I think it's fine, yes.  I.e. given that it's Free, the
main remaining issues are convenience and privacy.


        Stefan

Re: Condition to link to javascript code?

[Bastien Guerry]

Hi Elias,

Elias Mårtenson <lokedhs@gmail.com> writes:

> But if you solve the problem for people on airplanes, then it's be
> solved for everybody else since there will be no need to download
> anything from a Google server, or did I completely misunderstand what
> this tool does?

If everybody uses the resulting HTML on its own computer, then the
problem is solved: the HTML refers to a local klipse.js libarary that
the user can freely use.

But I expect most people want to put the resulting HTML somewhere on
a web server.  In this case, they might find useful to use klipse.js
by linking to the location of that library.

I'm not opposed to the "host-everything-you-can" solution but I need
to understand what are the conditions for linking to an external
javascript library, provided that this library is GLPv3, passes the
librejs tests successfully, and is hosted on Google's server.

-- 
 Bastien

Re: Condition to link to javascript code?

[Clément Pit--Claudel]

[-- Attachment #1.1: Type: text/plain, Size: 551 bytes --]

On 2016-12-19 11:32, Bastien Guerry wrote:
> I'm not opposed to the "host-everything-you-can" solution but I need
> to understand what are the conditions for linking to an external
> javascript library, provided that this library is GLPv3, passes the
> librejs tests successfully, and is hosted on Google's server.

Legally, it's entirely fine.  Ethically, it would be nice to include a user-configurable variable, so that users can configure Org-mode to export a version of the HTML code that uses a self-hosted copy of Klipse.

Clément.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: Condition to link to javascript code?

[Bastien Guerry]

Hi Richard,

thanks for your answer.

So we won't let org-mode output HTML links to a Javascript library
hosted on someone else's server.

Note that we already do this in org-mode for two Javascript libraries:

- info.js hosted on http://orgmode.org/org-info.js
- MathJax.js hosted on http://cdn.mathjax.org/mathjax/latest/MathJax.js

So I guess we have to remove these links too?

Richard Stallman <rms@gnu.org> writes:

> That would certainly solve the problem.  But I still have to ask,
> why in the world do we want Emacs to output such a thing???

Many users use org-mode to create web pages.

Some of these web pages are about programming.

Embedding a Scheme interpreter written in Javascript* in these pages
is a nice way of demonstrating how Scheme works: the web page reader
can read the code, modify it and evaluate it.

* http://www.biwascheme.org is the Javascript Scheme interpreter used
by the Klipse library.

-- 
 Bastien

Re: Condition to link to javascript code?

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > If everybody uses the resulting HTML on its own computer, then the
  > problem is solved: the HTML refers to a local klipse.js libarary that
  > the user can freely use.

That's the case I had in mind.  But maybe I was mistaken.

  > But I expect most people want to put the resulting HTML somewhere on
  > a web server.  In this case, they might find useful to use klipse.js
  > by linking to the location of that library.

Is this feature mainly intended for exporting HTML to put on
a server for others to visit?  That does make sense, finally.

If it's a choice between linking to klipse.js on the same server
and linking to klipse.js on the Google server, I see no particular
ethical reason to prefer one or the other.

The ethical issue that does arise here is that it would be good to
give the user the power to optionally select a (perhaps modified)
version of klisp.js to use.  Is that possible?

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.

Re: Condition to link to javascript code?

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > So we won't let org-mode output HTML links to a Javascript library
  > hosted on someone else's server.

  > Note that we already do this in org-mode for two Javascript libraries:

  > - info.js hosted on http://orgmode.org/org-info.js
  > - MathJax.js hosted on http://cdn.mathjax.org/mathjax/latest/MathJax.js

  > So I guess we have to remove these links too?

Since you pointed out that the reason to make these files is to post
them on web sites for other people to visit, I've reconsidered that
conclusion.  In this scenario, there is nothing essentially wrong with
loading free JS from whichever site it might be.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.

Re: Condition to link to javascript code?

[Davis Herring]

> If it's a choice between linking to klipse.js on the same server
> and linking to klipse.js on the Google server, I see no particular
> ethical reason to prefer one or the other.

Are you concerned about the XSS possibilities if the other host (Google 
in this case) decided to change the JavaScript served at the well-known 
address to take advantage of its inclusion in a webpage with a security 
context?

Certainly the use of "standard" JavaScript libraries loaded from foreign 
servers is commonplace, but I think the security concern is at least 
worth considering (unless I completely misunderstand it).

Davis

-- 
This product is sold by volume, not by mass.  If it appears too dense or 
too sparse, it is because mass-energy conversion has occurred during 
shipping.

Re: Condition to link to javascript code?

[Rasmus]

Hi,

Richard Stallman <rms@gnu.org> writes:

>   > But I expect most people want to put the resulting HTML somewhere on
>   > a web server.  In this case, they might find useful to use klipse.js
>   > by linking to the location of that library.
>
> Is this feature mainly intended for exporting HTML to put on
> a server for others to visit?  That does make sense, finally.

Yes, it’s meant for exporting a Org file so other people can read it.  In
a recent example, an author was using the setup for publishing his
induction notes for programming for students on his website.

> If it's a choice between linking to klipse.js on the same server
> and linking to klipse.js on the Google server, I see no particular
> ethical reason to prefer one or the other.

OK.

> The ethical issue that does arise here is that it would be good to
> give the user the power to optionally select a (perhaps modified)
> version of klisp.js to use.  Is that possible?

Yes, it's  just the default  value of a defcustom.   You can change  it to
point to  whichever version  you like  — even on  a file-by-file  basis, I
think.

Rasmus

-- 
One thing that is clear: it's all down hill from here 

Re: Condition to link to javascript code?

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > Certainly the use of "standard" JavaScript libraries loaded from foreign 
  > servers is commonplace, but I think the security concern is at least 
  > worth considering (unless I completely misunderstand it).

I am no expert on that issue, so I defer to those who are.


-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.

Re: Condition to link to javascript code?

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > > The ethical issue that does arise here is that it would be good to
  > > give the user the power to optionally select a (perhaps modified)
  > > version of klisp.js to use.  Is that possible?

  > Yes, it's  just the default  value of a defcustom.   You can change  it to
  > point to  whichever version  you like  — even on  a file-by-file  basis, I
  > think.

We are miscommunicating.

The defcustom can be set by the person who generates the HTML file and
posts it.  But that's not who I mean by "the user."

I'm talking about the user who visits that HTML file in a browser.
That is who will run klisp.js, so that's who really should have
control over which version of klisp.js to run.

Is there a way to set that up?

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.

Re: Condition to link to javascript code?

[Christopher Allan Webber]

Richard Stallman writes:

> If it's a choice between linking to klipse.js on the same server
> and linking to klipse.js on the Google server, I see no particular
> ethical reason to prefer one or the other.

There's one reason at least; using content from Google's servers can
result in Google collecting information about what web pages people are
visiting.

Re: Condition to link to javascript code?

[Rasmus]

Hi,

Richard Stallman <rms@gnu.org> writes:

> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
>   > > The ethical issue that does arise here is that it would be good to
>   > > give the user the power to optionally select a (perhaps modified)
>   > > version of klisp.js to use.  Is that possible?
>
>   > Yes, it's  just the default  value of a defcustom.   You can change  it to
>   > point to  whichever version  you like  — even on  a file-by-file  basis, I
>   > think.
>
> We are miscommunicating.

Indeed.

> The defcustom can be set by the person who generates the HTML file and
> posts it.  But that's not who I mean by "the user."
>
> I'm talking about the user who visits that HTML file in a browser.
> That is who will run klisp.js, so that's who really should have
> control over which version of klisp.js to run.

If I have write-access to the html file then yes; the user can change the
klipse.js URL in the header of the file.  If it is read-only, as when
published via to the web, then the user would need something like the
Firefox addon "Decentraleyes" (I don’t know if it works with GNU IceCat):

    Protects you against tracking through "free", centralized, content
    delivery. It prevents a lot of requests from reaching networks like
    Google Hosted Libraries, and serves local files to keep sites from
    breaking. Complements regular content blockers.

    https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/


> Is there a way to set that up?

I would advocate a user solution like "Decentraleyes" that would work in
general across pages.

Regards,
Rasmus

-- 
It was you, Jezebel, it was you

Re: Condition to link to javascript code?

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > > If it's a choice between linking to klipse.js on the same server
  > > and linking to klipse.js on the Google server, I see no particular
  > > ethical reason to prefer one or the other.

  > There's one reason at least; using content from Google's servers can
  > result in Google collecting information about what web pages people are
  > visiting.

Some other server might also collect data.

Also, is klipse.js likely to stay in the cache for a long time?
If so, whichever server it is will only find out the first time
someone gets klipse.js.


-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.

Re: Condition to link to javascript code?

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > > I'm talking about the user who visits that HTML file in a browser.
  > > That is who will run klisp.js, so that's who really should have
  > > control over which version of klisp.js to run.

  > If I have write-access to the html file then yes; the user can change the
  > klipse.js URL in the header of the file.

In the general case, users who visit a web page in the browser do not
have write access to it on the server.  I'm concerned about that
general case.

Could you put some JS code into the page that would give the user
a way to specify a different URL for klipse.js?  Perhaps that could
be stored in a cookie or something else in the browser.

Regarding Decentraleyes:

  >   If it is read-only, as when
  > published via to the web, then the user would need something like the
  > Firefox addon "Decentraleyes" (I don’t know if it works with GNU IceCat):

Maybe it is a good solution, but I can't tell from what you sent.
Can you show me a clearer description of what features this addon
actually has?  I can't tell what this description implies

      > Protects you against tracking through "free", centralized, content
      > delivery. It prevents a lot of requests from reaching networks like
      > Google Hosted Libraries, and serves local files to keep sites from
      > breaking. Complements regular content blockers.

in regard to klipse.js.

Also, is Decentraleyes free software?  What is its license?


-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.

Re: Condition to link to javascript code?

[Achim Gratz]

Am 22.12.2016 um 20:54 schrieb Richard Stallman:
> Also, is klipse.js likely to stay in the cache for a long time?
> If so, whichever server it is will only find out the first time
> someone gets klipse.js.

That's a commonly held misconception.  Most CDN that use long cache 
expirations (a year is commonly seen) have separate mechanisms in place 
to ensure that the cached copy can be replaced/updated before 
expiration.  The CDN server will generally get at least one HEAD request 
for each vist, even if the cached copy for most or all of the actual 
library content is getting used in the end.

-- 
Achim.

(on the road :-)

Re: Condition to link to javascript code?

[Achim Gratz]

Am 22.12.2016 um 20:56 schrieb Richard Stallman:
> Could you put some JS code into the page that would give the user
> a way to specify a different URL for klipse.js?  Perhaps that could
> be stored in a cookie or something else in the browser.

You could do that by rewriting the page into the form that is then 
ultimately displayed in the browser.  But I don't consider that a good 
solution as the user doesn't know what's going to happen before trying 
to use the file (and not at all if the respective cookie already exists, 
which the user might have forgotten about or has been dropped in from 
somewhere).

> Maybe it is a good solution, but I can't tell from what you sent.
> Can you show me a clearer description of what features this addon
> actually has?

Basically, it intercepts requests to several CDN and delivers those 
files from a local repository (delivered with the extension) instead.

You can configure it to block requests to those CDN altogether even when 
the requested file is not locally available.  It doesn't cache anything 
not available from the repository (and also doesn't use anything in 
Firefox's cache).  That's a good thing in a way, but limits you to the 
selection of locally available files that come with the extension. 
Creating a custom repository is listed as a "planned feature", though.

>       > Protects you against tracking through "free", centralized, content
>       > delivery. It prevents a lot of requests from reaching networks like
>       > Google Hosted Libraries, and serves local files to keep sites from
>       > breaking. Complements regular content blockers.
>
> in regard to klipse.js.

I've not looked into it in much detail, but I think that klipse.js is 
not yet included in decentraleyes, so it would either block the request 
totally or allow it to go to the Google API CDN, depending on configuration.

The more permanent solution for this problem would be to use a local 
filtering/blocking (like privoxy, GPLv2).  It would also need to cache 
CDN files, which privoxy doesn't do; it must be chained with a caching 
proxy (like squid, GPLv2) to do that.  If it would then download missing 
files via TOR it could completely eliminate tracking via CDN.  It would 
sure be a nice thing to have something like that in a ready-to-use fashion.

> Also, is Decentraleyes free software?  What is its license?

MPL-2.0 according to the home page.


-- 
Achim.

(on the road :-)

Re: Condition to link to javascript code?

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > That's a commonly held misconception.  Most CDN that use long cache 
  > expirations (a year is commonly seen) have separate mechanisms in place 
  > to ensure that the cached copy can be replaced/updated before 
  > expiration.  The CDN server will generally get at least one HEAD request 
  > for each vist, even if the cached copy for most or all of the actual 
  > library content is getting used in the end.

Thanks for the correction.  This tips the scales, I think.  So I think
that we should recommend people who export HTML host their own copy of
klipse.js _and likewise the other libraries that the generated output
uses_.

It would be good to set the defaults so as to presume that will be done.
But there is no need to eliminate the global variables that direct the
HTML exporter, so people who do exportation will be able to point to
Google's copy if they want to.

Bastien, what do you think of this?

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.

Re: Condition to link to javascript code?

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > > Could you put some JS code into the page that would give the user
  > > a way to specify a different URL for klipse.js?  Perhaps that could
  > > be stored in a cookie or something else in the browser.

  > You could do that by rewriting the page into the form that is then 
  > ultimately displayed in the browser.  But I don't consider that a good 
  > solution as the user doesn't know what's going to happen before trying 
  > to use the file (and not at all if the respective cookie already exists, 
  > which the user might have forgotten about or has been dropped in from 
  > somewhere).

I don't follow the meaning of that text.  For instance, "rewriting the
page into the form that is then ultimately displayed..."  Could you
explain what sort of rewrite you mean?

The JS code I propose would indeed change the page -- but only in a
single detail, the URL for klipse.js.  That change hardly qualifies
as "rewriting".  So what "rewriting" is it?

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.

Re: Condition to link to javascript code?

[Achim Gratz]

Am 23.12.2016 um 17:18 schrieb Richard Stallman:
> I don't follow the meaning of that text.  For instance, "rewriting the
> page into the form that is then ultimately displayed..."  Could you
> explain what sort of rewrite you mean?
>
> The JS code I propose would indeed change the page -- but only in a
> single detail, the URL for klipse.js.  That change hardly qualifies
> as "rewriting".  So what "rewriting" is it?

You have to rewrite the DOM the browser sees before rendering the page 
(or at least before it renders the part that loads klipse.js).  Whether 
you replace the complete page or just a single node isn't much of a 
difference conceptually.  The original page would always need to be 
loaded at least partly, then check for the availability of local script 
files, decide on where to load them from, then render the modified page. 
  In order to be responsive, those decisions need to be made as early as 
possible, so it'd be a mistake to render much of the page before getting 
there.  You'd also have to ensure that the browser doesn't prefetch the 
server versions (i.e. because they are visible in the document before 
you get to remove them from the final DOM).


-- 
Achim.

(on the road :-)

Re: Condition to link to javascript code?

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > You have to rewrite the DOM the browser sees before rendering the page 
  > (or at least before it renders the part that loads klipse.js).

"Rewrite" normally means making big changes, but I think you're
using it to mean "alter".

Indeed, my proposal would include altering the DOM.

  >   The original page would always need to be 
  > loaded at least partly, then check for the availability of local script 
  > files, decide on where to load them from, then render the modified page. 

That makes sense.

  >   In order to be responsive, those decisions need to be made as early as 
  > possible, so it'd be a mistake to render much of the page before getting 
  > there.

That makes sense.

	    You'd also have to ensure that the browser doesn't prefetch the 
  > server versions (i.e. because they are visible in the document before 
  > you get to remove them from the final DOM).

There is no reason for the initial HTML to refer to klipse.js at all.
Since that is a Javascript program, there is no point fetching it at
all unless Javascript is enabled.

If the URL for loading it is filled in by execution of other previous
JS code, there is no chance of prefetching klipse.js from anywhere.

So, is there any flaw in this plan?

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.

Re: Condition to link to javascript code?

[Achim Gratz]

Am 24.12.2016 um 19:55 schrieb Richard Stallman:
> There is no reason for the initial HTML to refer to klipse.js at all.
> Since that is a Javascript program, there is no point fetching it at
> all unless Javascript is enabled.

The script name and the server address have to be recorded somewhere in 
the file unless I misunderstood what you are trying to do.

> If the URL for loading it is filled in by execution of other previous
> JS code, there is no chance of prefetching klipse.js from anywhere.

Browsers are quite good at prefetching stuff and some might do it 
speculatively, so I suspect that the ultimate URL for the script has to 
be obfuscated a bit so it's only put together when actually used.

> So, is there any flaw in this plan?

I think it should work if the prefetch can be safely prevented.  It's 
just quite a bit more involved and it would mean distributing multiple 
files to the user (unless klipse.js can be embedded, optionally of course).

-- 
Achim.

(on the road :-)

Re: Condition to link to javascript code?

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > > There is no reason for the initial HTML to refer to klipse.js at all.
  > > Since that is a Javascript program, there is no point fetching it at
  > > all unless Javascript is enabled.

  > The script name and the server address have to be recorded somewhere in 
  > the file unless I misunderstood what you are trying to do.

Yes, but they don't have to be included as a link
that would cause a browser to prefetch anything.

They can be included as strings, which get concatenated when used.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.