
I recently got a message from a webmaster who had no idea their website got their visitors' web browsers to run third-party Javascript from Google domains. This is how out of control JS has got. It's time for browser makers to make JS opt-in, so that people who serve it have to justify what it does and why users ought to let it run on their computers. Like they've done with addons; after all, JS is just an uglier hack for temporarily adding code to the browser.
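An added example, not part of the thread: a small audit that lists the third-party origins a page's `<script src>` tags load from, so a site operator can spot scripts they did not know they were serving, and derives the Content-Security-Policy `script-src` value that would restrict loading to exactly those hosts. The page URLs and the `analytics.example.net` theme sample are constructed; the impeccable.social markup is the one quoted later in the thread.

```javascript
// Collect the src attribute of every <script ...> tag in an HTML document.
function scriptSources(html) {
  const out = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attr = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    if (attr) out.push(attr[1] ?? attr[2] ?? attr[3]);
  }
  return out;
}

// Resolve each src against the page URL and return the sorted set of origins
// that differ from the page's own origin, i.e. third-party script hosts.
function thirdPartyScriptOrigins(html, pageUrl) {
  const page = new URL(pageUrl);
  const origins = new Set();
  for (const src of scriptSources(html)) {
    const u = new URL(src, page);           // relative paths resolve to the page origin
    if (u.origin !== page.origin) origins.add(u.origin);
  }
  return [...origins].sort();
}

// A CSP script-src value permitting only the origins actually in use; a script a
// theme or plugin later pulls from anywhere else is then refused by the browser.
function scriptSrcPolicy(html, pageUrl) {
  const extra = thirdPartyScriptOrigins(html, pageUrl);
  return "script-src 'self'" + extra.map((o) => " " + o).join("");
}

// Sample 1: the impeccable.social home page quoted in this thread (same-origin scripts only).
const IMPECCABLE_HTML =
  '<script type="text/javascript" src="/static/js/vendors~app.4b7be53256fba5c365c9.js"></script>' +
  '<script type="text/javascript" src="/static/js/app.670c36c0acc42fadb4fe.js"></script>';

// Sample 2 (constructed): a theme that quietly loads a script from an outside host.
const THEME_HTML =
  '<script src="/wp-includes/js/jquery.js"></script>' +
  '<script async src="https://analytics.example.net/collect.js"></script>';

console.log(thirdPartyScriptOrigins(IMPECCABLE_HTML, "https://impeccable.social/")); // []
console.log(thirdPartyScriptOrigins(THEME_HTML, "https://blog.example.org/"));       // [ 'https://analytics.example.net' ]
console.log(scriptSrcPolicy(THEME_HTML, "https://blog.example.org/"));
```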

@strypey

As someone who writes web apps in Elm, I disagree. My apps show nothing but a “turn on JavaScript” warning without JS. Pleroma is even worse. It displays nothing without JS. Here’s the home page HTML for impeccable.social:

<html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,user-scalable=no"><title> Impeccable</title><!--server-generated-meta--><link rel="icon" type="image/png" href="/favicon.png"><link rel="stylesheet" href="/static/font/css/fontello.css"><link rel="stylesheet" href="/static/font/css/animation.css"><link href="/static/css/vendors~app.b2603a50868c68a1c192.css" rel="stylesheet"><link href="/static/css/app.db80066bde2c96ea6198.css" rel="stylesheet"></head><body style="display: none"><div id="app"></div><script type="text/javascript" src="/static/js/vendors~app.4b7be53256fba5c365c9.js"></script><script type="text/javascript" src="/static/js/app.670c36c0acc42fadb4fe.js"></script></body></html>

@billstclair
> My apps show nothing but a “turn on JavaScript” warning without JS.

Why? This is graceless degradation for one thing. I don't see why anyone thinks they're entitled to run programs on other people's computers without opt-in consent. How about you design it to serve an HTML/CSS web page when people visit it in their web browser with JS turned off or blocked, explaining what JS allows the app to do, and asking them to please turn it on? needs to do that too, has.

@strypey

Because my web apps rely on JavaScript to do ANYTHING. That's their nature.

Yes, I could do that computation on my server, but that focuses all the compute time where I have to pay for it, whereas the amount of CPU my apps require per user is tiny, compared to the vast unused power of a modern PC.

Also, modern virtual DOM technology allows a webapp to look and feel just like a regular application. I know of no way to do that with all the computation on the server.

I'd rather get new things done than do everything twice, once on the server and once in JS in the browser, with the inevitable differences between the two to constantly fix.

JS is mature technology, with good sandboxing. Yes, it enables ad tracking, as do cookies, but you can already turn those off in your browser if you don't like them. Good browsers, like Brave, allow scripts to be enabled per site.

My first couple of blogging systems used user input, in a few different formats, to create static HTML web pages. Loads fast, but all the boilerplate is duplicated, over and over.

My most recent, still unfinished blogging system (which will likely remain unfinished due to social media largely taking over the microblogging space), goes to the other extreme, stores static page representations on the server, and does the rendering in the browser.

I've drunk the Kool-Aid, and no longer see any reason to resist running JS, for web sites I create, and in web sites I browse. It's everywhere. You're blowing into the wind.


@billstclair @strypey

you may trust everyone on the internet to execute arbitrary code on your machine, but i find that attitude extremely foolish. javascript has sandboxing, yes, but i wouldn’t trust a sandbox that is regularly broken at a yearly event. Pwn2Own has been running for years and they’ve managed to break the web sandboxes every time.

http://web.archive.org/web/20190401050229/https://www.thezdi.com/blog/2019/3/20/pwn2own-vancouver-2019-the-schedule-and-live-results

@xj9 even if I trusted everyone serving JS from a website to have good intentions, the fact is, if I don't use a script blocker my browser routinely fills up my RAM, locks up my desktop, sometimes even crashes the whole userland forcing me to reboot. Most of the people re-using blobs of JS in their web designs have no idea what they're serving. Sometimes even people you'd expect to know better.
@billstclair

@strypey @xj9

Weird. I see occasional lockups, in some browsers, but usually not. And NEVER one that I can't fix by force quitting the browser. Of course, I run ad blockers everywhere, a more targeted hammer than turning off all scripts.

I'd suggest that you investigate your JS implementation, but there are only a few of those out there, and they're used by millions, so unlikely to have memory leaks themselves.
@billstclair @strypey

> adblock is a more targeted hammer

i whitelist javascript origins once i've determined that they are trustworthy. you don't get +x on my system without some review. just common sense from a security perspective. i actually don't use adblock in my browser. i have hosts zero for that. combined with no script, i have a nice ad and tracker free web experience with minimal risk from zero days.

@billstclair
> run ad blockers everywhere

So do I, but this doesn't catch stuff that is non-commercial but just wasteful of RAM, because JS devs get to outsource the RAM overhead to clients. When you've got people deploying stuff like Wordpress themes, which they don't even know are serving scripts from third-party domains, it doesn't take too many open tabs for RAM to start getting dangerously full.

> your JS implementation

... is Firefox.

@xj9
@alcinnz

@strypey @billstclair

javascript uses way more ram than it has any right to, honestly. i have a hefty dev computer that still gets low on RAM if i have too many web apps open. (i use chrome and firefox for work) i can't even use most websites on my netbook (pinebook) because i don't have enough RAM to spare for all of the JIT nonsense.

@xj9 @billstclair @strypey Plus what with Spectre and family, it's a very bad time to put much faith into a sandbox.

Though I would say if we are going to insist on continuing to run sandboxed programs on the client, Elm would be simpler language to sandbox than JavaScript. I'm going to make that argument in detail eventually.

@alcinnz @strypey @xj9

Elm is certainly easier to sandbox, though convincing any appreciable fraction of the web development community to move to it will be a hard sell.

JS ain't going nowhere. Neither is Windows. Huge business investments in both, with only a tiny fraction of their markets caring about anything but that it mostly works.

@billstclair @strypey @xj9 Unfortunately, but hopefully we can gradually make it less prevalent. So it's more feasible to disable JavaScript by default.

@alcinnz yes! This is exactly why my push is to make JS *optional*, not extinct. I'm sure like every language it has legitimate uses. But when websites use JS to do what HTML/CSS could do with a fraction of the resource use, and refuse to offer graceful degradation, I find that as irritating as HTML email with no plaintext option.
@billstclair @xj9

@billstclair

> JS is mature technology, with good sandboxing.

🤣 🤣 🤣 🤣 🤣

bugzilla.mozilla.org/show_bug.

> JS ain't going nowhere.

Yeah!

Like the divine right of #Kings!
And what about the #Pharaoh?

I'm amused (not) about the total lack of historical perspective of so many #US programmers.

Guys, if you can't see how primitive is our discipline, you'll always be a good, nice and clean #slave.

@strypey @alcinnz @xj9

@Shamar @xj9 @alcinnz @strypey

“I’m amused (not) about the total lack of historical perspective of so many #US programmers.”

Old problem. We lispers fixed it long ago, and functional languages have done even better, but the New Jersey Approach beat the MIT Approach in the marketplace. I wish it weren’t so (said the MIT graduate who writes Lisp for a living).

I am reminded of Richard Gabriel’s classic, “ Lisp: Good News, Bad News, How to Win Big”.

https://www.dreamsongs.com/WIB.html

@billstclair

Not sure if I understood what you mean, actually. 😕

But, to be clear, I think that we should move beyond this dichotomy.

#WorseIsBetter is collapsing anyway due to the curse of #Frankenstein.

But the future won't be "the right thing".

The future will be #simplicity.
Simplex sigillum veri.

jehanne.io/2018/11/15/simplici

@strypey @alcinnz @xj9

@billstclair
absolutely, this "Linux" thing will never fly. Most servers will always run on Windows ... oh wait 😏 Also GNU/Linux may not have replaced Windows on the desktop, but more people work in browsers than desktops anyway (Firefox and Chromium derivations dominate browser space), and the vast majority of new computers are mobiles, where Android/Linux and iThing/BSD kicked Windows' arse. TV companies and MySpace will tell you incumbent advantage only gets you so far.
@alcinnz @xj9

@billstclair @strypey He is talking about Websites, you are talking about Webapps. If your Websites behave like Webapps, then I disagree with your approach.

Webapps should be authorized to run beforehand, just like any app.

Websites should not be authorized to be rendered... *rendered*, not executed.

Mastodon - NZOSS