I recently got a message from a webmaster who had no idea their website got their visitors' web browsers to run third-party JavaScript from Goggle domains. This is how out of control JS has got. It's time for browser makers to make JS opt-in, so that people who serve it have to justify what it does and why users ought to let it run on their computers. Like they've done with addons; after all, JS is just an uglier hack for temporarily adding code to the browser.

@strypey

As someone who writes web apps in Elm, I disagree. My apps show nothing but a “turn on JavaScript” warning without JS. Pleroma is even worse. It displays nothing without JS. Here’s the home page HTML for impeccable.social:

<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width,initial-scale=1,user-scalable=no">
    <title> Impeccable</title>
    <!--server-generated-meta-->
    <link rel="icon" type="image/png" href="/favicon.png">
    <link rel="stylesheet" href="/static/font/css/fontello.css">
    <link rel="stylesheet" href="/static/font/css/animation.css">
    <link href="/static/css/vendors~app.b2603a50868c68a1c192.css" rel="stylesheet">
    <link href="/static/css/app.db80066bde2c96ea6198.css" rel="stylesheet">
  </head>
  <body style="display: none">
    <div id="app"></div>
    <script type="text/javascript" src="/static/js/vendors~app.4b7be53256fba5c365c9.js"></script>
    <script type="text/javascript" src="/static/js/app.670c36c0acc42fadb4fe.js"></script>
  </body>
</html>

@billstclair
> My apps show nothing but a “turn on JavaScript” warning without JS.

Why? This is graceless degradation for one thing. I don't see why anyone thinks they're entitled to run programs on other people's computers without opt-in consent. How about you design it to serve an HTML/CSS web page when people visit it in their web browser with JS turned off or blocked, explaining what JS allows the app to do, and asking them to please turn it on? needs to do that too, has.

@strypey

Because my web apps rely on JavaScript to do ANYTHING. That's their nature.

Yes, I could do that computation on my server, but that focuses all the compute time where I have to pay for it, whereas the amount of CPU my apps require per user is tiny, compared to the vast unused power of a modern PC.

Also, modern virtual DOM technology allows a webapp to look and feel just like a regular application. I know of no way to do that with all the computation on the server.

I'd rather get new things done than do everything twice, once on the server and once in JS in the browser, with the inevitable differences between the two to constantly fix.

JS is mature technology, with good sandboxing. Yes, it enables ad tracking, as do cookies, but you can already turn those off in your browser if you don't like them. Good browsers, like Brave, allow scripts to be enabled per site.

My first couple of blogging systems used user input, in a few different formats, to create static HTML web pages. Loads fast, but all the boilerplate is duplicated, over and over.

My most recent, still unfinished blogging system (which will likely remain unfinished due to social media largely taking over the microblogging space), goes to the other extreme, stores static page representations on the server, and does the rendering in the browser.

I've drunk the Kool-Aid, and no longer see any reason to resist running JS, for web sites I create, and in web sites I browse. It's everywhere. You're blowing into the wind.

@billstclair @strypey

you may trust everyone on the internet to execute arbitrary code on your machine, but i find that attitude extremely foolish. javascript has sandboxing, yes, but i wouldn’t trust a sandbox that is regularly broken at a yearly event. Pwn2Own has been running for years and they’ve managed to break the web sandboxes every time.

http://web.archive.org/web/20190401050229/https://www.thezdi.com/blog/2019/3/20/pwn2own-vancouver-2019-the-schedule-and-live-results

@xj9 @billstclair @strypey Plus what with Spectre and family, it's a very bad time to put much faith into a sandbox.

Though I would say if we are going to insist on continuing to run sandboxed programs on the client, Elm would be a simpler language to sandbox than JavaScript. I'm going to make that argument in detail eventually.

@alcinnz @strypey @xj9

Elm is certainly easier to sandbox, though convincing any appreciable fraction of the web development community to move to it will be a hard sell.

JS ain't going nowhere. Neither is Windows. Huge business investments in both, with only a tiny fraction of their markets caring about anything but that it mostly works.

@billstclair
absolutely, this "Linux" thing will never fly. Most servers will always run on Windows ... oh wait 😏 Also GNU/Linux may not have replaced Windows on the desktop, but more people work in browsers than desktops anyway (Firefox and Chromium derivations dominate browser space), and the vast majority of new computers are mobiles, where Android/Linux and iThing/BSD kicked Windows' arse. TV companies and MySpace will tell you incumbent advantage only gets you so far.
@alcinnz @xj9
