Presenting Simple Web Policy
For a while now I’ve been using the NoScript addon to Firefox and I have become a happier person, mostly. As I default to blocking scripts, sites load faster without compromising usability.
No, they don’t.
I believe that NoScript is not enough. A major drawback of the addon is how it only allows me to block and unblock domains or – in more sophisticated cases, such as CloudFront – particular subdomains. What it means is that if I were to identify malicious or unwanted code hosted alongside scripts that the website’s usability suffers terribly without, I wouldn’t be able to lock out the bad code without ruining the whole experience.
I want precise control over what my computer executes. I would like to see the code beforehand and approve or reject it. And in the event that I rejected something that another script on the site depends on – a library, such as jQuery – the browser should gracefully disable the depending script too.
This is what Simple Web Policy is meant to be about. I would like to create a set of addons for popular web browsers requiring review of code before running it. I also seek to define a way for the developer to define relations between scripts and provide basic user-friendly hints for those who want to read the scripts.
Obviously, the mountain of JS has become so big that reviewing all the code is a task far too tiring for one person. But judging from the example of me and my friends, noscripters tend to stick close. That’s why I consider it a good idea for users to be able to sign scripts (or their checksums/hashes, for sanity and storage) and share the signatures. Such a system could also be extended with user-generated tags working in a similar manner to the developers’ hints I mentioned earlier. Then it could benefit from the community sharing information.
Important to the proposal is the call for modularity. Instead of concatenating multiple scripts into one huge file, we should keep them apart to have better choices and, as an example later will show, to be able to drop libraries we don’t need along with the code that depends on them.
Sadly, my proposal is not a silver bullet. There are many issues arising from the concept, and I’ll pinpoint the ones I saw as most important:
- There may be ethical issues regarding the concept of replacing somebody’s code. Recently, we’ve seen a DMCA request used to remove a website from an ad blocking list, because allegedly/apparently blocking some code on your computer is a copyright infringement. And I suppose there are people other than ad providers who wouldn’t be happy seeing people replace their own code without asking.
- Finally, this does not solve the problems of the news industry and many others. Advertisements will still be hated, whether or not the publishers mark them up. Ad blockers will still exist, I guess. And also, I don’t want to kill ads, I think I’d like to keep some ads while shaking them all up a bit, but I don’t know for sure.
Initial syntax idea
I’ve been considering how to integrate my ideas into HTML and this is what I’ve come up with so far.
- simpleweb:reason on <script /> elements – for developer-provided comma-separated hints on what the script is. Suggested value ideas:
  - usability (for important scripts that the site doesn’t work much without?),
  - utility (for not as critical, but still useful scripts).
- simpleweb:description on <script /> elements – for developer-provided human-readable explanation behind using the script.
- simpleweb:dependencies on <script /> elements – comma-separated list of CSS selectors that link to other scripts present in the document that are required to run this script.
Let’s consider this case.
<script id="jquery" src="jquery.min.js" simpleweb:reason="library"></script>
<script src="coolscriptfromtehinternet.js" simpleweb:reason="cosmetic" simpleweb:description="nice rounded squares, dunno" simpleweb:dependencies="#jquery"></script>
We know that jQuery here is a library that is needed by the other script, which is a cosmetic script that, perhaps, is something we’re not interested in. We should be able to create a set of rules that would disable all cosmetic scripts and all libraries orphaned by them.
TODO: expand example
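One way such a rule set could be evaluated, as an added sketch that is not part of the original proposal: it blocks scripts by hint, disables anything whose dependency is disabled, and then drops libraries whose declared users are all gone. The policy object, the function name, menu.js, and the restriction of dependencies to #id selectors are assumptions made for the example.

```javascript
// Split a comma-separated attribute value into trimmed, non-empty items.
const list = (v) => (v || "").split(",").map((x) => x.trim()).filter(Boolean);

// scripts: [{ id, src, reason, dependencies }] mirroring the simpleweb:* attributes.
// policy:  { blockReasons: [...], rejectedSrc: [...] } (hypothetical rule format).
// Returns a Map of src -> why that script must not run.
function disabledScripts(scripts, policy) {
  // Assumption: dependencies only use "#id" selectors, so a lookup table suffices.
  const byId = new Map(scripts.filter((s) => s.id).map((s) => ["#" + s.id, s]));
  const off = new Map();
  // Pass 1: scripts the user rejected outright or whose hint is blocked.
  for (const s of scripts) {
    if (policy.rejectedSrc.includes(s.src)) off.set(s.src, "rejected");
    else if (list(s.reason).some((r) => policy.blockReasons.includes(r)))
      off.set(s.src, "blocked reason");
  }
  // Pass 2: repeat until stable, since disabling one script can cascade.
  for (let changed = true; changed; ) {
    changed = false;
    for (const s of scripts) {
      if (off.has(s.src)) continue;
      // Assumption: a selector that resolves to no script fails closed.
      const deps = list(s.dependencies).map((sel) => byId.get(sel));
      const users = scripts.filter((o) => s.id && list(o.dependencies).includes("#" + s.id));
      if (deps.some((d) => !d || off.has(d.src))) {
        off.set(s.src, "dependency disabled");
      } else if (list(s.reason).includes("library") && users.length > 0 &&
                 users.every((o) => off.has(o.src))) {
        off.set(s.src, "orphaned library");
      } else continue;
      changed = true;
    }
  }
  return off;
}

// The page's two scripts, plus one constructed script (menu.js) for contrast.
const page = [
  { id: "jquery", src: "jquery.min.js", reason: "library", dependencies: "" },
  { id: null, src: "coolscriptfromtehinternet.js", reason: "cosmetic", dependencies: "#jquery" },
];
const withMenu = [...page, { id: null, src: "menu.js", reason: "usability", dependencies: "#jquery" }];

const noCosmetics = { blockReasons: ["cosmetic"], rejectedSrc: [] };
console.log(disabledScripts(page, noCosmetics));     // both scripts are disabled
console.log(disabledScripts(withMenu, noCosmetics)); // only the cosmetic script
console.log(disabledScripts(withMenu, { blockReasons: [], rejectedSrc: ["jquery.min.js"] }));
```

A library that no script declares a dependency on is left alone here, because nothing has orphaned it; whether such libraries should run is a separate policy decision.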
I’d love to hear your feedback on this through whichever way you prefer out of ones listed on my website. Thank you for reading.