Support "safe" js libraries
I'm mainly thinking about frameworks like bootstrap, which require js for some types of menus and other graphic elements. Those scripts are often controlled using css classes, which means execution of website-specific code is not required to use them.
If morty can detect uses of them, it can deliver a (sanitized) version of the specific library to improve usability of proxied websites without running unsafe/untrusted code on the browser.
Hard to find methods which ensure zero data leakage. Maybe whitelisting by checksums of safe libs, but it isn't a general solution at all. Proper solution would be a javascript sanitizer - or at least a "javascript safeness evaluator" tool.
Sanitizing js is quite a challenge and would need a complete js parser or very careful whitelisting: https://en.m.wikipedia.org/wiki/JSFuck
A very easy (but not broadly used) system which could be used to check for known sources would be using https://www.w3.org/TR/SRI/ as well as parsing known filenames and urls pointing to a CDN.
See LibreJS.
There is a javascript lexer: http://git.savannah.gnu.org/cgit/librejs.git/tree/data/chrome_worker/parser/jslex.js
And a list of hashes: http://git.savannah.gnu.org/cgit/librejs.git/tree/data/script_libraries/script-libraries.json
A javascript parser / interpreter for golang: https://github.com/robertkrimen/otto/tree/master/parser
Or morty could do server-side what browser plugins like https://github.com/Synzvato/decentraleyes do client-side. I.e., morty could return its own copy of well known javascript libraries which are known to be "safe" just by evaluating the script URL. Most websites just refer to well known locations for javascript libraries served by a handful of content delivery networks. If such libraries are included, morty could ship its own local version instead.
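
Added example, not part of the thread and not morty's code: a Go sketch of the checksum allowlist discussed above, keyed by SRI-format SHA-384 digests so entries can be compared with published `integrity` values. The type names, the `libs/...` path and the script bodies are assumptions constructed for illustration.

```go
package main

import (
	"crypto/sha512"
	"encoding/base64"
	"fmt"
)

// SRIDigest returns the Subresource Integrity form ("sha384-<base64>") of body.
func SRIDigest(body []byte) string {
	sum := sha512.Sum384(body)
	return "sha384-" + base64.StdEncoding.EncodeToString(sum[:])
}

// Allowlist maps the digest of a reviewed library build to the proxy's local copy.
type Allowlist map[string]string

// Add registers a reviewed script body under a local file name (hypothetical layout).
func (a Allowlist) Add(localName string, reviewed []byte) {
	a[SRIDigest(reviewed)] = localName
}

// Lookup decides from the fetched bytes alone. The script URL, file name and any
// integrity attribute come from the untrusted page, so none of them grant trust.
func (a Allowlist) Lookup(fetched []byte) (localName string, ok bool) {
	localName, ok = a[SRIDigest(fetched)]
	return localName, ok
}

func main() {
	// Constructed stand-ins for a reviewed library build and a modified one.
	reviewed := []byte("/* constructed sample library v1 */ function toggle(e){e.hidden=!e.hidden}\n")
	modified := append(append([]byte{}, reviewed...), []byte("/* extra */")...)

	allow := Allowlist{}
	allow.Add("libs/sample-1.0.min.js", reviewed)

	for _, body := range [][]byte{reviewed, modified} {
		if name, ok := allow.Lookup(body); ok {
			fmt.Println("serve local copy:", name)
		} else {
			fmt.Println("strip script:", SRIDigest(body))
		}
	}
}
```

A script whose bytes differ from a reviewed build by even one byte falls through to the strip path, which is why this approach only covers exact known builds and is not a general sanitizer.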