Hello, I am concerned about the Spectre and Meltdown vulnerabilities and the possibility for mischief they create for JavaScript coming from websites. So I am browsing the web with JS completely disabled. Still, I have been looking for a way to use maps without JS. My question is: How can I use OpenStreetMap without having to download and execute any JavaScript from external hosts? (I use a Linux system.) Maybe there is some FOSS application which uses an HTTP API to OpenStreetMap (or anything along these lines)?
asked 07 Mar '18, 16:57 t33rex aseerel4c26 ♦
Can you use the OpenStreetMap-provided web site without JavaScript? No, not really. Can you make your own web site that displays an OSM map without JavaScript? Absolutely! Since the map tiles are just PNG images, it is easy enough to write, say, a PHP application that generates a map view consisting of a series of "IMG" tags arranged in a table or properly CSS styled. You would not be able to grab the map with the mouse and move it - you'd have to click little left/right/up/down buttons on the margins of the map etc. - but it is definitely possible.
answered 07 Mar '18, 18:21 Frederik Ramm ♦
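A sketch of the tile-table approach described in the answer above, as an added example that is not part of the original post (Python rather than PHP). It assumes the standard OSM tile URL layout `https://tile.openstreetmap.org/{z}/{x}/{y}.png`, and adds a Content-Security-Policy so the generated page cannot run any script.

```python
import math

# Assumption: the standard OSM tile endpoint; swap in your own tile source.
TILE_HOST = "https://tile.openstreetmap.org"
# The policy allows tile images and inline CSS only; no script can load or run.
CSP = f"default-src 'none'; img-src {TILE_HOST}; style-src 'unsafe-inline'"


def deg2tile(lat, lon, zoom):
    """Convert WGS84 coordinates to slippy-map tile numbers (x, y)."""
    n = 2 ** zoom
    lat = max(min(lat, 85.0511), -85.0511)  # Web Mercator latitude limit
    x = int((lon + 180.0) / 360.0 * n) % n
    y = int((1.0 - math.asinh(math.tan(math.radians(lat))) / math.pi) / 2.0 * n)
    return x, min(max(y, 0), n - 1)


def tile_grid(cx, cy, zoom, radius=1):
    """Rows of (x, y) around the centre tile; x wraps, off-map rows are dropped."""
    n = 2 ** zoom
    rows = []
    for y in range(cy - radius, cy + radius + 1):
        if 0 <= y < n:
            rows.append([(x % n, y) for x in range(cx - radius, cx + radius + 1)])
    return rows


def render_map(lat, lon, zoom, radius=1):
    """Return a complete HTML page showing the map as a table of <img> tags."""
    cx, cy = deg2tile(lat, lon, zoom)
    body = []
    for row in tile_grid(cx, cy, zoom, radius):
        cells = "".join(
            f'<td><img src="{TILE_HOST}/{zoom}/{x}/{y}.png" width="256" height="256" alt=""></td>'
            for x, y in row)
        body.append(f"<tr>{cells}</tr>")
    return (
        '<!DOCTYPE html><html><head><meta charset="utf-8">'
        f'<meta http-equiv="Content-Security-Policy" content="{CSP}">'
        "<style>table{border-collapse:collapse}td{padding:0}img{display:block}</style>"
        f"<title>OSM z{zoom}</title></head><body><table>{''.join(body)}</table>"
        "</body></html>")


if __name__ == "__main__":
    # Constructed sample: central London at zoom 12, a 3x3 block of tiles.
    with open("map.html", "w", encoding="utf-8") as fh:
        fh.write(render_map(51.5074, -0.1278, 12))
```

Panning and zooming mean regenerating the page with new coordinates, for example from plain links handled by a small local script.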
As you already noticed nearly everything is possible with OSM - because our raw data is free. If you like to just view the standard OSM map you could use a local application which shows the tiles. If you use a Linux PC: You can misuse our top editor https://wiki.openstreetmap.org/wiki/JOSM for that (just do two clicks and display the OSM Carto map as background layer; hey, and maybe you even like to contribute to OSM ...). JOSM is FOSS and written in Java. However, if you would like to inspect the code there is surely muuuuch more lightweight software which just displays a pre-made map. See https://wiki.openstreetmap.org/wiki/Software/Desktop .
answered 07 Mar '18, 21:51 aseerel4c26 ♦
Thanks for the links. The last one is particularly interesting. I actually have KDE Marble installed and I gave it a try. However, nothing makes it obvious whether it or any of the other programs in the desktop software list downloads and executes any external JS. For Marble in particular I asked in the KDE forums but still no clear reply. Do you have any idea about all that?
(07 Mar '18, 22:36)
t33rex
@t33rex: no, sorry, I do not know about that Marble fact. I would have guessed that it is abandoned (because I used it years ago) but development seems to be living. :-)
(08 Mar '18, 19:29)
aseerel4c26 ♦
@t33rex (at the risk of wandering off topic) why the concern about particular JavaScript executed by Marble and not any other of the rest of the code?
(08 Mar '18, 19:58)
SomeoneElse ♦
Because 1) I have Marble installed and 2) executing JS downloaded from external hosts is in no way different from downloading and executing any other random program. It is a very easy way to sneak in some malware through that, which would not be a big problem if side channel CPU bugs didn't exist. But they do exist and now everyone knows about them and more people will start exploiting them. Of course it is possible for malicious code to be inserted in the local program (e.g. Marble) itself but the probability for that is much lower. It needs to be a specially designed spyware which will surely get the eyes of the community watching the program code. So although it is never an absolute trust, still the probability is much lower. Just like it is more unlikely to see malware in FOSS than in proprietary software.
(08 Mar '18, 22:36)
t33rex
One option is not to browse the web. Have your own map server local to you, serving map tiles via a website that you have complete control over, using JavaScript that you have inspected every line of. Well, or only fetching the tiles (PNG images) from online, but hosting the HTML and JavaScript (e.g. Leaflet or OpenLayers) bits locally. No need for a map server.
This answer is marked "community wiki".
answered 07 Mar '18, 17:02 SomeoneElse ♦ aseerel4c26 ♦
... in fact here's one I made earlier that does exactly that. Just have "leaflet_dist" locally adjacent to the rest of the website.
(07 Mar '18, 22:50)
SomeoneElse ♦
... simply locally saving the http://leafletjs.com/examples/quick-start/ example is also an easy start.
(07 Mar '18, 23:04)
aseerel4c26 ♦
Did you think of selectively allowing JavaScript just for specific sites? E.g. uMatrix gives you very granular control.
Note that you can reduce the risk of Spectre by viewing each website in a separate browser process.
In the rare cases in which I enable JS for sites which don't work without it, I do it in an incognito window with all other programs stopped and clipboard contents cleared. In Chromium I also have enabled: chrome://flags/#enable-site-per-process
But even this simulation of "single tasking" is not enough because shutting down a program doesn't clear the RAM contents which it used. Unfortunately this very site is forcing me to enable JS (from google.com and googleapis.com) and I cannot add comments without unblocking those in uMatrix. This is quite unfortunate and I don't see why this was chosen for a message board for a program supposedly respecting user freedom.
@t33rex: regarding this site: yes, we (all, more or maybe less) know those issues, but we are (nearly - one employee) a volunteer-only project... I dislike that external google library, too. If you can, you are very welcome to help, see over there "technical details". Note that there are other contact channels which may suit you more.
Have you seen my implementation of a PHP mapping solution at http://map.netzgesta.de? It works without any JavaScript. Contact me if you want to know more.