Re: Security concerns with minified javascript code

To: debian-devel@lists.debian.org
Subject: Re: Security concerns with minified javascript code
From: Didier 'OdyX' Raboud <odyx@debian.org>
Date: Tue, 01 Sep 2015 21:10:54 +0200
Message-id: <[🔎] 32027870.eszcDKyeSS@odyx.org>
In-reply-to: <[🔎] 87bndm87gd.fsf@zoro.exoscale.ch>
References: <m36140otnx.fsf@neo.luffy.cx> <[🔎] 87wpwai2ri.fsf@thinkpad.rath.org> <[🔎] 87bndm87gd.fsf@zoro.exoscale.ch>

Le mardi, 1 septembre 2015, 17.50:26 Vincent Bernat a écrit :
>  ❦  1 septembre 2015 08:21 -0700, Nikolaus Rath <Nikolaus@rath.org> :
> >>> Couldn't we just use the non-minified versions in most situations?
> >>> A
> >> 
> >> Not for anything which has actual users over the network.
> > 
> > Why? (Don't forget about gzip encoding).
> 
> See:
>  https://mathiasbynens.be/demo/jquery-size

What this tells us is that the size wins for the latest jquery version 
are the following :

* gzip only -> 29.7%
* zopfli only -> 28.1%
* minifying + gzip -> 11.9%
* minfying + zopfli -> 11.5%

So, taking this jquery example, if minifying is too hard, we can still 
go below 30% of the total size by applying gzip only.

That said…

We should not forget that "minified+gzipped JS" is only a temporary 
state of things. The web ecosystem moved from "ship the full JS source 
to users" (which was way easier in terms of software freedom) to 
"miinified JS". We're at the point where we debate whether this 
"minified JS" is valid source for us (technically, it is valid JS code, 
but not the preferred form of modification).

But the web ecosystem is moving towards WebAssembly [0,1], that will be 
"a portable, size- and load-time-efficient binary format" [2]. Where 
"minified JS" could be seen as source-code, WebAssembly will definitely 
not. If we accept the compromise to not run the compilation step from JS 
to "minified JS", will it be tenable to not run it either for 
_binaries_?

Although I'm concerned by this, I don't doubt much that WebAssembly (or 
any other binary format for the web) _will_ be coming to the web, our 
upstreams, and will become their preferred way to ship frontend code to 
their users. We'll have to deal with that, and we should get ourselves 
ready for that.

The current web compilation stack is arguably ugly, painful to maintain, 
and a big source of frustration, and I can therefore understand how 
maintainers end up not doing the compilation in the Debian package 
build; but really, if we don't do it now, what will happen with binary 
formats?

I think we should take a strong move there and exercise (as well as 
justify to the outer world) our free software right to recompile the 
software that we ship to our users: this could mean to only merge & gzip 
JS files if minifying isn't realistic [3]. Not doing so _is_ going to 
hurt our ability to exercise our freedoms in the future, it's also 
making a disservice to our users.

Cheers,
OdyX

[0] https://blog.mozilla.org/luke/2015/06/17/webassembly/
[1] https://github.com/WebAssembly
[2] https://github.com/WebAssembly/design/blob/master/HighLevelGoals.md
[3] Reducing to 29% instead of 12% might be the price of our freedom
    there…

Reply to:

Follow-Ups:
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>

References:
- Re: Security concerns with minified javascript code
  - From: Nikolaus Rath <Nikolaus@rath.org>
- Re: Security concerns with minified javascript code
  - From: Vincent Bernat <bernat@debian.org>

Prev by Date: Re: Polkit: prompt for root password
Next by Date: Re: Polkit: prompt for root password
Previous by thread: Re: Security concerns with minified javascript code
Next by thread: Re: Security concerns with minified javascript code
Index(es):
- Date
- Thread