[dmix]

If your concern is the security of 3rd party JS you should already be using NoSript/ScriptSafe [1]. Keep same-domain policy as safe and 3rd party domains blocked and opt-in only by default.

The day-to-day UX experience of browsing the web is only minimally affected and significantly safer.

Better than adblock.

If your concern is the host operator, well obv can't circumvent that. Unless you use OSS chrome plugins and client code verifications (ala CryptoCat). But that's also an imperfect solution (cue tptacek).

[1] https://chrome.google.com/webstore/detail/scriptsafe/oiigbmn...

[mike-cardwell]

I already use RequestPolicy and NoScript.

My concern was that he made the security/privacy worse than it needed to be, for other people, by including Google Analytics on the page.

He has now stated that he's seen that the room name is in fact being leaked to Google Analytics, and so has removed it. But even if he hadn't seen this, you still shouldn't include any third party hosted scripts on pages like these because you've no idea if/when they'll change in a manner which compromises security/privacy in future. No malicious intent required.

[sillysaurus2]

If your concern is the host operator, well obv can't circumvent that.

Of course we can circumvent that. Make a plugin to alert the user whenever the JS changes.

[voltagex_]

What do you base your initial known good JS on though? What is the user supposed to do with the information that the JS has changed? A diff of minified JS isn't that helpful.

[sillysaurus2]

The author would say "the current version is 0.6.4 and its JS hashes to this SHA256 hash: xxx"

Open source already does this for binaries. Why not JS?

This assumes it's even possible to get a consistent hash of all javascript executing on a page, though.

[mike-cardwell]

Script on a site like this should not be minified. It should be easily readable and well commented, so that people can audit it properly.