Fossil SCM
Moved "Fossil Does Not Snoop On You" section of javascript.md down into a Q&A point.
Commit
b76427bb2082093fe8756db2ff68877c514a70dcc13b44465ac746214ea3160a
Parent
48ef633333c52ea…
1 file changed
+20
-21
| --- www/javascript.md | ||
| +++ www/javascript.md | ||
| @@ -66,26 +66,10 @@ | ||
| 66 | 66 | all of this; you can then override UBO’s stock rules as needed. |
| 67 | 67 | |
| 68 | 68 | [ns]: https://noscript.net/ |
| 69 | 69 | [ub]: https://github.com/gorhill/uBlock/ |
| 70 | 70 | |
| 71 | - | |
| 72 | -## <a id="snoop"></a>Fossil Does Not Snoop On You | |
| 73 | - | |
| 74 | -There is no tracking or other snooping technology in Fossil other than | |
| 75 | -that necessary for basic security, such as IP address logging on | |
| 76 | -check-ins. (This is in part why we have no [comprehensive user | |
| 77 | -statistics](#stats)!) | |
| 78 | - | |
| 79 | -Fossil attempts to set two cookies on all web clients: a login session | |
| 80 | -cookie and a display preferences cookie. These cookies are restricted to | |
| 81 | -the Fossil instance, so even this limited data cannot leak between | |
| 82 | -Fossil instances or into other web sites. | |
| 83 | - | |
| 84 | -There is some server-side event logging, but that is done entirely | |
| 85 | -without JavaScript, so it’s off-topic here. | |
| 86 | - | |
| 87 | 71 | |
| 88 | 72 | ## <a id="compat"></a>Compatibility Concerns |
| 89 | 73 | |
| 90 | 74 | The Fossil project’s developers aim to remain relatively compatible with |
| 91 | 75 | the largest portions of the client-side browser base. We use only |
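Review bot: Inbound links to `#snoop` will land inside a numbered list item rather than at a section heading once the `##` heading at old line 72 is gone, because the id moves to the new item 4 in the next hunk. The anchor itself keeps resolving, but any page that links to it as "the section on snooping" should be checked so the link text still matches where the reader arrives.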
| @@ -168,11 +152,26 @@ | ||
| 168 | 152 | Fossil and mechanisms like [skin editing][cskin] don’t suffice for your |
| 169 | 153 | purposes, you can hack on the JavaScript in your local instance |
| 170 | 154 | directly, just as you can hack on its C, SQL, and Tcl code. Fossil |
| 171 | 155 | is free and open source software, under [a single license][2cbsd]. |
| 172 | 156 | |
| 173 | -4. “**JavaScript is fundamentally insecure.**” | |
| 157 | +4. <a id="snoop"></a>”**JavaScript and cookiers are used to snoop on web users.**” | |
| 158 | + | |
| 159 | + There is no tracking or other snooping technology in Fossil other than | |
| 160 | + that necessary for basic security, such as IP address logging on | |
| 161 | + check-ins. (This is in part why we have no [comprehensive user | |
| 162 | + statistics](#stats)!) | |
| 163 | + | |
| 164 | + Fossil attempts to set two cookies on all web clients: a login session | |
| 165 | + cookie and a display preferences cookie. These cookies are restricted to | |
| 166 | + the Fossil instance, so even this limited data cannot leak between | |
| 167 | + Fossil instances or into other web sites. | |
| 168 | + | |
| 169 | + There is some server-side event logging, but that is done entirely | |
| 170 | + without JavaScript, so it’s off-topic here. | |
| 171 | + | |
| 172 | +5. “**JavaScript is fundamentally insecure.**” | |
| 174 | 173 | |
| 175 | 174 | JavaScript is historically associated with some nefarious uses, but |
| 176 | 175 | if we wish to have more features in Fossil, the alternative is to |
| 177 | 176 | add more C code to the Fossil binary, a language with *far more* |
| 178 | 177 | historical security problems associated with it. |
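Review bot: The new item heading at new line 157 has two typos: "cookiers" should be "cookies", and the opening quotation mark is a right double quote (”) where every other item in the list opens with a left one (“). Suggested line: `4. <a id="snoop"></a>“**JavaScript and cookies are used to snoop on web users.**”`. A documentation point on the same item: now that it answers a cookie objection directly, the statement that the two cookies are "restricted to the Fossil instance" would be stronger with a sentence saying how that restriction is enforced, so a reader can verify it in their own browser.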
| @@ -205,20 +204,20 @@ | ||
| 205 | 204 | prohibits execution of JavaScript code which is delivered from |
| 206 | 205 | anywhere but the Fossil server which delivers the page. A local |
| 207 | 206 | administrator can change this CSP, but again this comes down to a |
| 208 | 207 | matter of trust with the administrator, not with Fossil itself. |
| 209 | 208 | |
| 210 | -5. “**Cross-browser compatibility is poor.**” | |
| 209 | +6. “**Cross-browser compatibility is poor.**” | |
| 211 | 210 | |
| 212 | 211 | It most certainly was in the first decade or so of JavaScript’s |
| 213 | 212 | lifetime, resulting in the creation of powerful libraries like |
| 214 | 213 | jQuery to patch over the incompatibilities. Over time, the need for |
| 215 | 214 | such libraries has dropped as browser vendors have fixed the |
| 216 | 215 | incompatibilities. Cross-browser JavaScript compatibility issues |
| 217 | 216 | which affect web developers are, by and large, a thing of the past. |
| 218 | 217 | |
| 219 | -6. “**Fossil UI works fine without JavaScript.**” | |
| 218 | +7. “**Fossil UI works fine without JavaScript.**” | |
| 220 | 219 | |
| 221 | 220 | While this is true today, and we have no philosophical objection to |
| 222 | 221 | it remaining true, we do not intend to limit ourselves to only those |
| 223 | 222 | features that can be created without JavaScript. The mere |
| 224 | 223 | availability of alternatives is not a good justification for holding |
| @@ -227,11 +226,11 @@ | ||
| 227 | 226 | The no-JS case is a [minority position](#stats), so those that want |
| 228 | 227 | Fossil to have no-JS alternatives and graceful fallbacks will need |
| 229 | 228 | to get involved with the development if they want this state of |
| 230 | 229 | affairs to continue. |
| 231 | 230 | |
| 232 | -7. <a id="stats"></a>“**A large number of users run without JavaScript enabled.**” | |
| 231 | +8. <a id="stats"></a>“**A large number of users run without JavaScript enabled.**” | |
| 233 | 232 | |
| 234 | 233 | That’s not what web audience measurements say: |
| 235 | 234 | |
| 236 | 235 | * [What percentage of browsers with javascript disabled?][s1] |
| 237 | 236 | * [How many people are missing out on JavaScript enhancement?][s2] |
| @@ -250,11 +249,11 @@ | ||
| 250 | 249 | run [powerful conditional blocking plugins](#block) in their |
| 251 | 250 | browsers, rather than block JavaScript entirely. We suspect that |
| 252 | 251 | between these two forces, the number of no-JS purists among Fossil’s |
| 253 | 252 | user base is still a tiny minority. |
| 254 | 253 | |
| 255 | -8. “**My browser doesn’t even *have* a JavaScript interpreter.**” | |
| 254 | +9. “**My browser doesn’t even *have* a JavaScript interpreter.**” | |
| 256 | 255 | |
| 257 | 256 | The Fossil open source project has no full-time developers, and only |
| 258 | 257 | a few of these part-timers are responsible for the bulk of the code |
| 259 | 258 | in Fossil. If you want Fossil to support such niche use cases, then |
| 260 | 259 | you will have to [get involved with its development][cg]; it’s |
| 261 | 260 |
| --- www/javascript.md | |
| +++ www/javascript.md | |
| @@ -66,26 +66,10 @@ | |
| 66 | all of this; you can then override UBO’s stock rules as needed. |
| 67 | |
| 68 | [ns]: https://noscript.net/ |
| 69 | [ub]: https://github.com/gorhill/uBlock/ |
| 70 | |
| 71 | |
| 72 | ## <a id="snoop"></a>Fossil Does Not Snoop On You |
| 73 | |
| 74 | There is no tracking or other snooping technology in Fossil other than |
| 75 | that necessary for basic security, such as IP address logging on |
| 76 | check-ins. (This is in part why we have no [comprehensive user |
| 77 | statistics](#stats)!) |
| 78 | |
| 79 | Fossil attempts to set two cookies on all web clients: a login session |
| 80 | cookie and a display preferences cookie. These cookies are restricted to |
| 81 | the Fossil instance, so even this limited data cannot leak between |
| 82 | Fossil instances or into other web sites. |
| 83 | |
| 84 | There is some server-side event logging, but that is done entirely |
| 85 | without JavaScript, so it’s off-topic here. |
| 86 | |
| 87 | |
| 88 | ## <a id="compat"></a>Compatibility Concerns |
| 89 | |
| 90 | The Fossil project’s developers aim to remain relatively compatible with |
| 91 | the largest portions of the client-side browser base. We use only |
| @@ -168,11 +152,26 @@ | |
| 168 | Fossil and mechanisms like [skin editing][cskin] don’t suffice for your |
| 169 | purposes, you can hack on the JavaScript in your local instance |
| 170 | directly, just as you can hack on its C, SQL, and Tcl code. Fossil |
| 171 | is free and open source software, under [a single license][2cbsd]. |
| 172 | |
| 173 | 4. “**JavaScript is fundamentally insecure.**” |
| 174 | |
| 175 | JavaScript is historically associated with some nefarious uses, but |
| 176 | if we wish to have more features in Fossil, the alternative is to |
| 177 | add more C code to the Fossil binary, a language with *far more* |
| 178 | historical security problems associated with it. |
| @@ -205,20 +204,20 @@ | |
| 205 | prohibits execution of JavaScript code which is delivered from |
| 206 | anywhere but the Fossil server which delivers the page. A local |
| 207 | administrator can change this CSP, but again this comes down to a |
| 208 | matter of trust with the administrator, not with Fossil itself. |
| 209 | |
| 210 | 5. “**Cross-browser compatibility is poor.**” |
| 211 | |
| 212 | It most certainly was in the first decade or so of JavaScript’s |
| 213 | lifetime, resulting in the creation of powerful libraries like |
| 214 | jQuery to patch over the incompatibilities. Over time, the need for |
| 215 | such libraries has dropped as browser vendors have fixed the |
| 216 | incompatibilities. Cross-browser JavaScript compatibility issues |
| 217 | which affect web developers are, by and large, a thing of the past. |
| 218 | |
| 219 | 6. “**Fossil UI works fine without JavaScript.**” |
| 220 | |
| 221 | While this is true today, and we have no philosophical objection to |
| 222 | it remaining true, we do not intend to limit ourselves to only those |
| 223 | features that can be created without JavaScript. The mere |
| 224 | availability of alternatives is not a good justification for holding |
| @@ -227,11 +226,11 @@ | |
| 227 | The no-JS case is a [minority position](#stats), so those that want |
| 228 | Fossil to have no-JS alternatives and graceful fallbacks will need |
| 229 | to get involved with the development if they want this state of |
| 230 | affairs to continue. |
| 231 | |
| 232 | 7. <a id="stats"></a>“**A large number of users run without JavaScript enabled.**” |
| 233 | |
| 234 | That’s not what web audience measurements say: |
| 235 | |
| 236 | * [What percentage of browsers with javascript disabled?][s1] |
| 237 | * [How many people are missing out on JavaScript enhancement?][s2] |
| @@ -250,11 +249,11 @@ | |
| 250 | run [powerful conditional blocking plugins](#block) in their |
| 251 | browsers, rather than block JavaScript entirely. We suspect that |
| 252 | between these two forces, the number of no-JS purists among Fossil’s |
| 253 | user base is still a tiny minority. |
| 254 | |
| 255 | 8. “**My browser doesn’t even *have* a JavaScript interpreter.**” |
| 256 | |
| 257 | The Fossil open source project has no full-time developers, and only |
| 258 | a few of these part-timers are responsible for the bulk of the code |
| 259 | in Fossil. If you want Fossil to support such niche use cases, then |
| 260 | you will have to [get involved with its development][cg]; it’s |
| 261 |
| --- www/javascript.md | |
| +++ www/javascript.md | |
| @@ -66,26 +66,10 @@ | |
| 66 | all of this; you can then override UBO’s stock rules as needed. |
| 67 | |
| 68 | [ns]: https://noscript.net/ |
| 69 | [ub]: https://github.com/gorhill/uBlock/ |
| 70 | |
| 71 | |
| 72 | ## <a id="compat"></a>Compatibility Concerns |
| 73 | |
| 74 | The Fossil project’s developers aim to remain relatively compatible with |
| 75 | the largest portions of the client-side browser base. We use only |
| @@ -168,11 +152,26 @@ | |
| 152 | Fossil and mechanisms like [skin editing][cskin] don’t suffice for your |
| 153 | purposes, you can hack on the JavaScript in your local instance |
| 154 | directly, just as you can hack on its C, SQL, and Tcl code. Fossil |
| 155 | is free and open source software, under [a single license][2cbsd]. |
| 156 | |
| 157 | 4. <a id="snoop"></a>”**JavaScript and cookiers are used to snoop on web users.**” |
| 158 | |
| 159 | There is no tracking or other snooping technology in Fossil other than |
| 160 | that necessary for basic security, such as IP address logging on |
| 161 | check-ins. (This is in part why we have no [comprehensive user |
| 162 | statistics](#stats)!) |
| 163 | |
| 164 | Fossil attempts to set two cookies on all web clients: a login session |
| 165 | cookie and a display preferences cookie. These cookies are restricted to |
| 166 | the Fossil instance, so even this limited data cannot leak between |
| 167 | Fossil instances or into other web sites. |
| 168 | |
| 169 | There is some server-side event logging, but that is done entirely |
| 170 | without JavaScript, so it’s off-topic here. |
| 171 | |
| 172 | 5. “**JavaScript is fundamentally insecure.**” |
| 173 | |
| 174 | JavaScript is historically associated with some nefarious uses, but |
| 175 | if we wish to have more features in Fossil, the alternative is to |
| 176 | add more C code to the Fossil binary, a language with *far more* |
| 177 | historical security problems associated with it. |
| @@ -205,20 +204,20 @@ | |
| 204 | prohibits execution of JavaScript code which is delivered from |
| 205 | anywhere but the Fossil server which delivers the page. A local |
| 206 | administrator can change this CSP, but again this comes down to a |
| 207 | matter of trust with the administrator, not with Fossil itself. |
| 208 | |
| 209 | 6. “**Cross-browser compatibility is poor.**” |
| 210 | |
| 211 | It most certainly was in the first decade or so of JavaScript’s |
| 212 | lifetime, resulting in the creation of powerful libraries like |
| 213 | jQuery to patch over the incompatibilities. Over time, the need for |
| 214 | such libraries has dropped as browser vendors have fixed the |
| 215 | incompatibilities. Cross-browser JavaScript compatibility issues |
| 216 | which affect web developers are, by and large, a thing of the past. |
| 217 | |
| 218 | 7. “**Fossil UI works fine without JavaScript.**” |
| 219 | |
| 220 | While this is true today, and we have no philosophical objection to |
| 221 | it remaining true, we do not intend to limit ourselves to only those |
| 222 | features that can be created without JavaScript. The mere |
| 223 | availability of alternatives is not a good justification for holding |
| @@ -227,11 +226,11 @@ | |
| 226 | The no-JS case is a [minority position](#stats), so those that want |
| 227 | Fossil to have no-JS alternatives and graceful fallbacks will need |
| 228 | to get involved with the development if they want this state of |
| 229 | affairs to continue. |
| 230 | |
| 231 | 8. <a id="stats"></a>“**A large number of users run without JavaScript enabled.**” |
| 232 | |
| 233 | That’s not what web audience measurements say: |
| 234 | |
| 235 | * [What percentage of browsers with javascript disabled?][s1] |
| 236 | * [How many people are missing out on JavaScript enhancement?][s2] |
| @@ -250,11 +249,11 @@ | |
| 249 | run [powerful conditional blocking plugins](#block) in their |
| 250 | browsers, rather than block JavaScript entirely. We suspect that |
| 251 | between these two forces, the number of no-JS purists among Fossil’s |
| 252 | user base is still a tiny minority. |
| 253 | |
| 254 | 9. “**My browser doesn’t even *have* a JavaScript interpreter.**” |
| 255 | |
| 256 | The Fossil open source project has no full-time developers, and only |
| 257 | a few of these part-timers are responsible for the bulk of the code |
| 258 | in Fossil. If you want Fossil to support such niche use cases, then |
| 259 | you will have to [get involved with its development][cg]; it’s |
| 260 |