I recently got a message from a webmaster who had no idea their website got their visitors' web browsers to run third-party Javascript from Goggle domains. This is how out of control JS has got. It's time for browser makers to make JS opt-in, so that people who serve it have to justify what it does and why users ought to let it run on their computers. Like they've done with addons, after all JS is just any uglier hack for temporarily adding code to the browser.

@strypey

As someone who writes web apps in Elm, I disagree. My apps show nothing but a “turn on JavaScript” warning without JS. Pleroma is even worse. It displays nothing without JS. Here’s the home page HTML for impeccable.social:

<html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,user-scalable=no"><title> Impeccable</title><!--server-generated-meta--><link rel="icon" type="image/png" href="/favicon.png"><link rel="stylesheet" href="/static/font/css/fontello.css"><link rel="stylesheet" href="/static/font/css/animation.css"><link href="/static/css/vendors~app.b2603a50868c68a1c192.css" rel="stylesheet"><link href="/static/css/app.db80066bde2c96ea6198.css" rel="stylesheet"></head><body style="display: none"><div id="app"></div><script type="text/javascript" src="/static/js/vendors~app.4b7be53256fba5c365c9.js"></script><script type="text/javascript" src="/static/js/app.670c36c0acc42fadb4fe.js"></script></body></html>

@billstclair
> My apps show nothing but a “turn on JavaScript” warning without JS.

Why? This is graceless degradation for one thing. I don't see why anyone thinks they're entitled to run programs on other people's computers without opt-in consent. How about you design it to serve an HTML/CSS web page when people visit it in their web browser with JS turned off or blocked, explaining what JS allows the app to do, and asking them to please turn it on? needs to do that to, has.

@strypey

Because my web apps rely on JavaScript to do ANYTHING. That's their nature.

Yes, I could do that computation on my server, but that focuses all the compute time where I have to pay for it, whereas the amount of CPU my apps require per user is tiny, compared to the vast unused power of a modern PC.

Also, modern virtual DOM technology allows a webapp to look and feel just like a regular application. I know of no way to do that with all the computation on the server.

I'd rather get new things done than do everything twice, once on the server and once in JS in the browser, with the inevitable differences between the two to constantly fix.

JS is mature technology, with good sandboxing. Yes, it enables ad tracking, as do cookies, but you can already turn those off in your browser if you don't like them. Good browsers, like Brave, allow scripts to be enabled per site.

My first couple of blogging systems used user input, in a few different formats, to create static HTML web pages. Loads fast, but all the boilerplate is duplicated, over and over.

My most recent, still unfinished blogging system (which will likely remain unfinished due to social media largely taking over the microblogging space), goes to the other extreme, stores static page representations on the server, and does the rendering in the browser.

I've drunk the Kool-Aid, and no longer see any reason to resist running JS, for web sites I create, and in web sites I browse. It's everywhere. You're blowing into the wind.

@billstclair @strypey

you may trust everyone on the internet to execute arbitrary code on your machine, but i find that attitude extremely foolish. javascript has sandboxing, yes, but i wouldn’t trust a sandbox that is regularly broken at a yearly event. Pwn2Own has been running for years and they’ve managed to break the web sandboxes every time.

http://web.archive.org/web/20190401050229/https://www.thezdi.com/blog/2019/3/20/pwn2own-vancouver-2019-the-schedule-and-live-results

@xj9 even if I trusted everyone serving JS from a website to have good intentions, the fact is, if I don't use a script blocker my browser routinely fills up my RAM, locks up my desktop, sometimes even crashes the whole userland forcing me to reboot. Most of the people re-using blobs of JS in their web designs have no idea what they're serving. Sometimes even people you'd expect to know better.
@billstclair

@strypey @xj9

Weird. I see occasional lockups, in some browsers, but usually not. And NEVER one that I can't fix by force quitting the browser. Of course, I run ad blockers everywhere, a more targeted hammer than turning off all scripts.

I'd suggest that you investigate your JS implementation, but there are only a few of those out there, and they're used by millions, so unlikely to have memory leaks themselves.
Follow

@billstclair
> run ad blockers everywhere

So do I, but this doesn't catch stuff that is non-commercial but just wasteful of RAM, because JS devs get to outsource the RAM overhead to clients. When you've got people deploying stuff like Wordpress themes, which they don't even know are serving scripts from third-party domains, it doesn't take too many open tabs for RAM to start getting dangerously full.

> your JS implementation

... is Firefox.

@xj9
@alcinnz

Sign in to participate in the conversation
Mastodon - NZOSS

This Mastodon instance is provided gratis by the NZ Open Source Society for the benefit of everyone interested in their own freedom and sharing with others. Hosting is generously provided by Catalyst Cloud right here in Aotearoa New Zealand.