JavaScript: Difference between revisions

(20 intermediate revisions by 5 users not shown)

Line 1:

{{ProductCargo

|Company=

Line 10:

|Logo=JavaScript-logo.png}}

'''{{Wplink|JavaScript}}''' (JS), not to be confused with {{Wplink|ECMAScript}} (ES), is a {{Wplink|programming language}} and core technology of {{Wplink|World_Wide_Web|the Web}}, alongside [[wikipedia:HTML|HTML]] and [[wikipedia:CSS|CSS]]. It was created by [[wikipedia:Brendan_Eich|Brendan Eich]] in 1995.<ref>https://exploringjs.com/es5/ch04.html</ref> As of 2025, the overwhelming majority of [[wikipedia:Website|websites]] (98.9%) uses JS for [[wikipedia:Client_(computing)|client]]-side [[wikipedia:Web_page|webpage]] behavior.<ref name="deployedstats">{{cite web |title=Usage Statistics of JavaScript as Client-side Programming Language on Websites |url=https://w3techs.com/technologies/details/cp-javascript |access-date=2024~~-02-27~~ |website=W3Techs }}</ref> It's even used on the [[wikipedia:Server_(computing)|server]]-side (see [[wikipedia:Node.js|Node.js]]). JS is also known to enhance the [[wikipedia:User_experience|user-experience]] (UX). The [[wikipedia:World_Wide_Web_Consortium|World Wide Web Consortium]] (W3C) provides comprehensive guidelines for such purposes.<ref>https://www.w3.org/wiki/The_principles_of_unobtrusive_JavaScript</ref>

'''{{Wplink|JavaScript}}''' (JS), not to be confused with {{Wplink|ECMAScript}} (ES), is a {{Wplink|programming language}} and core technology of {{Wplink|World_Wide_Web|the Web}}, alongside [[wikipedia:HTML|HTML]] and [[wikipedia:CSS|CSS]]. It was created by [[wikipedia:Brendan_Eich|Brendan Eich]] in 1995.<ref>https://exploringjs.com/es5/ch04.html</ref> As of 2025, the overwhelming majority of [[wikipedia:Website|websites]] (98.9%) uses JS for [[wikipedia:Client_(computing)|client]]-side [[wikipedia:Web_page|webpage]] behavior.<ref name="deployedstats">{{cite web |title=Usage Statistics of JavaScript as Client-side Programming Language on Websites |url=https://w3techs.com/technologies/details/cp-javascript |access-date=27 Feb 2024 |website=W3Techs}}</ref> It's even used on the [[wikipedia:Server_(computing)|server]]-side (see [[wikipedia:Node.js|Node.js]]).

JS is also known to enhance the [[wikipedia:User_experience|user-experience]] (UX). The [[wikipedia:World_Wide_Web_Consortium|World Wide Web Consortium]] (W3C) provides comprehensive guidelines for such purposes.<ref>https://www.w3.org/wiki/The_principles_of_unobtrusive_JavaScript</ref>

For the entirety of this article (unless stated otherwise) the terms "JavaScript" and "JS" will be defined as "ECMAScript with access to [https://developer.mozilla.org/en-US/docs/Web/API Web APIs]" or "ES+WebAPI" for short.

Line 17:

Line 19:

*'''Degraded accessibility''': Dynamic and/or active content is well-known to have poor accessibility for users with visual and/or cognitive impairments. While standards such as [[wikipedia:WAI-ARIA|WAI-ARIA]] were created to mitigate this, it's no silver bullet, especially when developers aren't aware of ARIA.

*'''Lack of transparency''': To optimize network bandwidth, JS code is typically served in [[wikipedia:Minification_(programming)|minified]] form, which makes it harder to understand for humans. This is particularly problematic if the original source is not publicly [[wikipedia:Source-available_software|available]], which is typically the case of [[wikipedia:Proprietary_software|proprietary software]].<ref>{{Cite web |last=Gross |first=Carson |date=2023~~-09-21~~ |title=The #ViewSource Affordance |url=https://htmx.org/essays/right-click-view-source/ |url-status=live |archive-url=https://web.archive.org/web/20260228105626/https://htmx.org/essays/right-click-view-source/ |archive-date=2026~~-02-28~~ |access-date=2026~~-03-24~~ |website=</> htmx ~ Essays}}</ref>

*'''Degraded compatibility''': While HTML and CSS degrade gracefully, meaning web browsers not supporting a certain feature will simply ignore it and load the rest of the page, JavaScript does not. If any JavaScript feature is not supported by a web browser and not caught using a <code>try</code>...<code>catch</code> block, the rest of the script is not executed, which usually breaks the entire site if it requires JavaScript for basic functions, as "web apps" usually do. This makes accessing a website impossible from legacy systems that do not support recent web browser versions or minimalist web browsers that challenge the [[Google]]-[[Mozilla]] duopoly, rather than being able to use some parts of a website.<ref>{{cite web |url=https://jakearchibald.com/2013/progressive-enhancement-still-important/ |title=Progressive enhancement is still important - JakeArchibald.com |date=2013-07-03 |access-date=2026-04-18 }}</ref><ref>{{cite web |url=https://digdeeper.club/articles/browsers.xhtml#minimal |title=How to choose a browser for everyday use? § Why "minimalist" browsers suck. |author=Dig Deeper |access-date=2026-04-22 }}</ref>

*'''Excessive tracking''': JS is much more capable than HTML and [[CSS]]~~~~ '''combined''' to track user behavior.<ref>https://clickclickclick.click/</ref> JS can communicate with almost any server (only limited by [[wikipedia:Cross-origin_resource_sharing|CORS]]) at any time (limited by connection availability), using a plethora of protocols. JS can get hardware information and compute a [[Device fingerprint|fingerprint of the device]], user, or both.<ref>https://privacycheck.sec.lrz.de/</ref><ref>https://abrahamjuliot.github.io/creepjs</ref><ref>https://www.deviceinfo.me/</ref><ref>{{Cite web |title=Learn how identifiable you are on the Internet |url=https://www.amiunique.org/ |access-date=2026~~-03-19~~ |website=Am I Unique ?}}</ref>

*'''Lack of transparency''': To optimize network bandwidth, JS code is typically served in [[wikipedia:Minification_(programming)|minified]] form, which makes it harder to understand for humans. This is particularly problematic if the original source is not publicly [[wikipedia:Source-available_software|available]], which is typically the case of [[wikipedia:Proprietary_software|proprietary software]].<ref>{{Cite web |last=Gross |first=Carson |date=21 Sep 2023 |title=The #ViewSource Affordance |url=https://htmx.org/essays/right-click-view-source/ |url-status=live |archive-url=https://web.archive.org/web/20260228105626/https://htmx.org/essays/right-click-view-source/ |archive-date=28 Feb 2026 |access-date=24 Mar 2026 |website=</> htmx ~ Essays}}</ref>

*'''Market control''': JS is built into almost every web-browser and [[wikipedia:User_agent|user-agent]] (UA), including "light-weight" ones (such as [[wikipedia:W3m|w3m]]), incentivizing companies to use it for everything, since "there's no need to worry about compatibility or portability".<ref>{{Cite web |title=Everyone has JavaScript, right? |url=https://www.kryogenix.org/code/browser/everyonehasjs |url-status=live |archive-url=https://web.archive.org/web/20260316024516/https://www.kryogenix.org/code/browser/everyonehasjs.html |archive-date=2026~~-03-16~~ |access-date=2026~~-03-19~~ |website=Kryogenix Consulting}}</ref> John Gruber says that JS shouldn't be part of browsers;<ref>{{Cite web |last=Gruber |first=John |date=2017-06-22 |title=Gizmodo Investigation Exposes Websites Collecting Form Data Before You Hit 'Submit' |url=https://daringfireball.net/linked/2017/06/22/navistone-form-data |url-status=live |archive-url=https://web.archive.org/web/20260319180650/https://daringfireball.net/linked/2017/06/22/navistone-form-data |archive-date=2026-03-19 |access-date=2026-03-20 |website=Daring Fireball}}</ref><ref>{{Cite web |last=Gruber |first=John |date=2017-06-27 |title=Using Today's Web Without JavaScript |url=https://daringfireball.net/linked/2017/06/27/web-without-javascript |url-status=live |archive-url=https://web.archive.org/web/20260319180612/https://daringfireball.net/linked/2017/06/27/web-without-javascript |archive-date=2026-03-19 |access-date=2026-03-20 |website=Daring Fireball}}</ref> one way that would work is by turning JS into an [[wikipedia:Browser_extension|extension]] or [[wikipedia:Plug-in_(computing)|plug-in]] that the user willingly installs.

*'''Excessive tracking''': JS is much more capable than HTML and [[CSS]] '''combined''' to track user behavior.<ref>https://clickclickclick.click/</ref> JS can communicate with almost any server (only limited by [[wikipedia:Cross-origin_resource_sharing|CORS]]) at any time (limited by connection availability), using a plethora of protocols. JS can get hardware information and compute a [[Device fingerprint|fingerprint of the device]], user, or both.<ref>https://privacycheck.sec.lrz.de/</ref><ref>https://abrahamjuliot.github.io/creepjs</ref><ref>https://www.deviceinfo.me/</ref><ref>{{Cite web |title=Learn how identifiable you are on the Internet |url=https://www.amiunique.org/ |url-status=live |access-date=19 Mar 2026 |website=Am I Unique ?}}</ref>

*'''Market control''': JS is built into almost every web-browser and [[wikipedia:User_agent|user-agent]] (UA), including "light-weight" ones (such as [[wikipedia:W3m|w3m]]), incentivizing companies to use it for everything, since "there's no need to worry about compatibility or portability".<ref name=":0">{{Cite web |title=Everyone has JavaScript, right? |url=https://www.kryogenix.org/code/browser/everyonehasjs |url-status=live |archive-url=https://web.archive.org/web/20260316024516/https://www.kryogenix.org/code/browser/everyonehasjs.html |archive-date=16 Mar 2026 |access-date=19 Mar 2026 |website=Kryogenix Consulting}}</ref>

*'''Security risks''': It is well-known that JS is poorly-designed,<ref>https://github.com/denysdovhan/wtfjs</ref><ref>https://github.com/brianleroux/wtfjs</ref><ref>https://github.com/Rudxain/ideas/blob/aa9a80252a4b7c9c51f32eda5c716e96220ed96e/software/evar/with_bf.js</ref> even [[wikipedia:Ecma_International|tc39]] acknowledges that{{Citation needed}}. This leads to programmers and even experienced software-devs to accidentally add vulnerabilities to their code. That, and the fact that ES is [[wikipedia:Turing_completeness|Turing-complete]] (both [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical in practice and in theory]), makes [[wikipedia:Debugging|debugging]] and [[wikipedia:Reverse_engineering|reverse-engineering]] impractical in big code-bases. It's worth noting that tooling, such as [[wikipedia:TypeScript|TypeScript]] and [[wikipedia:ESLint|ESLint]], exist to substantially minimize the likelihood of [[wikipedia:Software_bug|bugs]].

*'''Degraded performance (web apps)''': "Web apps" load slower than traditional web sites because lots of code has to be processed by the web browser before any content can appear on screen, putting the content at the end of the rendering path.<ref>{{cite web |title=Critical rendering path – Mozilla Developer Network |url=https://developer.mozilla.org/en-US/docs/Web/Performance/Guides/Critical_rendering_path |access-date=2026-04-18 }}</ref>

==How it works==

Line 32:

Line 36:

===Tracking===

Many webpages (and even entire websites), force the user to keep JS enabled, otherwise they break or deliberately refuse to work. CSS stylesheets combined with HTMLshould be fine with most basic websites or webpages that do not need complex client side interaction.

Many webpages (and even entire websites), force the user to keep JS enabled, otherwise they break or deliberately refuse to work. CSS stylesheets combined with HTML should be fine with most basic websites/webpages that do not need complex client-side interaction or low-latency server communication.

~~JS makes it harder for [[Ad block|ad-blockers]] to block ads, since it can be used to make overly-dynamic ads.~~ The data collected by malicious JS makes it trivial to serve [[personalized ads]], even across unrelated sites. Some sites collect so much data that they are indistinguishable from [[spyware]] (see also [[wikipedia:Keystroke_logging|key-logging]]).<ref>{{Cite web |last=Hill |first=Kashmir |date=2017~~-06-20~~ |title=Before You Hit ‘Submit,’ This Company Has Already Logged Your Personal Data |url=https://gizmodo.com/before-you-hit-submit-this-company-has-already-logge-1795906081 |url-status=live |archive-url=https://web.archive.org/web/20260220091637/https://gizmodo.com/before-you-hit-submit-this-company-has-already-logge-1795906081 |archive-date=2026~~-02-20~~ |access-date=2026~~-03-19~~ |website=Gizmodo}}</ref>

The data collected by malicious JS makes it trivial to serve [[personalized ads]], even across unrelated sites. Some sites collect so much data that they are indistinguishable from [[spyware]] (see also [[wikipedia:Keystroke_logging|key-logging]]).<ref>{{Cite web |last=Hill |first=Kashmir |date=20 Jun 2017 |title=Before You Hit ‘Submit,’ This Company Has Already Logged Your Personal Data |url=https://gizmodo.com/before-you-hit-submit-this-company-has-already-logge-1795906081 |url-status=live |archive-url=https://web.archive.org/web/20260220091637/https://gizmodo.com/before-you-hit-submit-this-company-has-already-logge-1795906081 |archive-date=20 Feb 2026 |access-date=19 Mar 2026 |website=Gizmodo}}</ref>

===Security===

Browser-engine developers (such as [[Google]] and [[Mozilla]]) not only feel compelled, but are financially incentivized to optimize JS to its limits. This leads to complex code-bases that are harder to verify for correctness. Browser vendors mitigate this via [[wikipedia:Sandbox_(computer_security)|sandboxing]]. Unfortunately, since modern browsers compile JS to native CPU code (see [[wikipedia:Just-in-time_compilation|JIT]]) to improve performance, this introduces a higher risk of sandbox-escape.<ref>{{Cite web |last=Norman |first=Johnathan |date=2021~~-08-04~~ |title=Super Duper Secure Mode |url=https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/ |url-status=live |archive-url=https://web.archive.org/web/20260218110912/https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode |archive-date=2026~~-02-18~~ |access-date=2026~~-03-19~~ |website=Microsoft Browser Vulnerability Research}}</ref> Some examples of this are as follows:

Browser-engine developers (such as Google and Mozilla) not only feel compelled, but are financially incentivized to optimize JS to its limits. This leads to complex code-bases that are harder to verify for correctness. Browser vendors mitigate this via [[wikipedia:Sandbox_(computer_security)|sandboxing]]. Unfortunately, since modern browsers compile JS to native CPU code (see [[wikipedia:Just-in-time_compilation|JIT]]) to improve performance, this introduces a higher risk of sandbox-escape.<ref>{{Cite web |last=Norman |first=Johnathan |date=4 Aug 2021 |title=Super Duper Secure Mode |url=https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/ |url-status=live |archive-url=https://web.archive.org/web/20260218110912/https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode |archive-date=18 Feb 2026 |access-date=19 Mar 2026 |website=Microsoft Browser Vulnerability Research}}</ref> Some examples of this are as follows:

*[[wikipedia:Cross-site_scripting|XSS]], which [[wikipedia:NoScript|NoScript]] tries to mitigate

Line 45:

Line 49:

===Performance===

If a JS [[wikipedia:Web_framework|~~framework~~]] ~~is used to dynamically generate the DOM~~, the user must wait longer before the browser can display content. This is because HTML+CSS can be parsed and rendered incrementally (immediately as the bytes arrive to the client), while JS must (typically) be completely parsed and then executed.

If the DOM-tree is dynamically generated by JS (such as [[wikipedia:Web_framework|frameworks]]), the user must wait longer before the browser can display content. This is because HTML+CSS can be parsed and rendered incrementally (immediately as the bytes arrive to the client), while JS must (typically) be completely parsed and then executed.

If the JS fails to load for any reason, the user is left with no content.<ref name=":0" /><ref>{{Cite web |last=Luu |first=Dan |title=How web bloat impacts users with slow connections |url=https://danluu.com/web-bloat/ |access-date=13 Apr 2026}}</ref> If the page relies on JS to display content from the main document, the browser will waste bandwidth and time downloading data that won't be shown to the user; this is the case of sites with "splash screens" or "spinners" that use CSS to hide content until it's "ready to be seen" and then un-hidden by JS.<ref>https://github.com/Rudxain/uBO-rules/blob/b1086023e7db98dee55d425edc20722e641dd4b8/rx.abp#L71-L75</ref>

===Scraping===

Line 56:

Line 62:

===Google Search requires JS (2025)===

In January 2025, Google's web-search engine mandates that user-agents must have JS enabled. Google's justification was that it's a defense mechanism against abusive bots (see also [[Deceptive language frequently used against consumers]]).<ref>https://techcrunch.com/2025/01/17/google-begins-requiring-javascript-for-google-search/</ref><ref>https://daringfireball.net/linked/2025/01/18/google-search-javascript</ref><ref>https://serpapi.com/blog/google-now-requires-javascript/</ref> However, some people claim that it's an invalid justification.<ref>https://blog.jim-nielsen.com/2025/javascript-required/</ref>

==Proposals and alternatives==

*'''Extension''': turning JS into an [[wikipedia:Browser_extension|extension]] or [[wikipedia:Plug-in_(computing)|plug-in]], so that users can choose to install it, is a way to discourage abuse and incentivize static/passive pages. To do this, JS must be deprecated as a Web Standard, but not deprecated as language or API.

*'''Deprecation''': John Gruber says that JS should never have been added to browsers.<ref>{{Cite web |last=Gruber |first=John |date=22 Jun 2017 |title=Gizmodo Investigation Exposes Websites Collecting Form Data Before You Hit 'Submit' |url=https://daringfireball.net/linked/2017/06/22/navistone-form-data |url-status=live |archive-url=https://web.archive.org/web/20260319180650/https://daringfireball.net/linked/2017/06/22/navistone-form-data |archive-date=19 Mar 2026 |access-date=20 Mar 2026 |website=Daring Fireball}}</ref><ref>{{Cite web |last=Gruber |first=John |date=27 Jun 2017 |title=Using Today's Web Without JavaScript |url=https://daringfireball.net/linked/2017/06/27/web-without-javascript |url-status=live |archive-url=https://web.archive.org/web/20260319180612/https://daringfireball.net/linked/2017/06/27/web-without-javascript |archive-date=19 Mar 2026 |access-date=20 Mar 2026 |website=Daring Fireball}}</ref> The [[wikipedia:Gopher_(protocol)|Gopher]] and [[wikipedia:Gemini_(protocol)|Gemini]] projects advocate for a simpler web.<ref>{{Cite web |title=Project Gemini |url=https://geminiprotocol.net/ |access-date=13 Apr 2026}}</ref> If JS were to be completely removed from the web, this would allow users to navigate without worrying about invisible tracking.<ref>{{Cite web |date=2 Sep 2023 |title=Project Gemini FAQ § Why not just use a subset of HTTP and HTML? |url=https://geminiprotocol.net/docs/faq-section-7.gmi#79-why-not-just-use-a-subset-of-http-and-html |access-date=13 Apr 2026}}</ref> Even if not all JS was removed, this would allow tools like [[wikipedia:UBlock_Origin|uBO]] to adapt their filters for non-JS users.<ref>https://github.com/Rudxain/blog/blob/a326c9db28c9f7eb6e30e6a737ca4aeae0d2ee39/post/js-abuse.md#to-do</ref>

*'''Feature-freeze''': There has been discussion about feature-freezing JS so that it becomes "JS0" (for lack of better name).<ref>https://docs.google.com/presentation/d/1ylROTu3N6MyHzNzWJXQAc7Bo1O0FHO3lNKfQMfPOA4o/</ref> The main purpose is to make it easier for browser implementers to keep browsers secure and stable.

==External links==

Line 66:

Line 78:

*[https://eev.ee/blog/2016/03/06/maybe-we-could-tone-down-the-javascript "Maybe we could tone down the JavaScript"]

*[https://www.kryogenix.org/code/dont-need-that-js "You really don't need all that JavaScript, I promise"]

*[https://jakearchibald.com/2013/progressive-enhancement-still-important "Progressive Enhancement Still Important"]

*https://gomakethings.com/why-progressive-enhancement-still-matters/

*https://www.viget.com/articles/the-case-against-progressive-enhancements-flimsy-moral-foundation

*[https://youtu.be/xE9W9Ghe4Jk "Shipping a button in 2026…"], by Kai Lentit. This illustrates the burnout and fatigue software developers can experience on a daily basis

*[https://grugbrain.dev/ HTMX developer advocating for less JS]

*[https://grugbrain.dev/#grug-on-front-end-development HTMX developer advocating for less JS]

*[https://idlewords.com/talks/website_obesity.htm "Web Obesity Crisis"]

*[https://danluu.com/web-bloat/ "How web bloat impacts users with slow connections"]

*[https://tonsky.me/blog/js-bloat JS bloat (2024)]

*[https://tonsky.me/blog/disenchantment How JS makes web apps more unstable]

Line 79:

Line 89:

*[https://www.smashingmagazine.com/2018/05/using-the-web-with-javascript-turned-off/ "I Used The Web For A Day With JavaScript Turned Off"]

*[https://tobyho.com/2010/03/11/how-much-of-the-web-actually/ "How Much of the Web Actually Work Without Javascript"]

*[https://github.com/Rudxain/blog/blob/main/post/js-abuse.md ~~More~~ sources] ~~(''~~TO-DO~~'')~~

*[https://github.com/Rudxain/blog/blob/main/post/js-abuse.md Blog-post with more sources]

~~==See also==~~

*[[Electron]]

==References==

@@ Line 1: / Line 1: @@
 {{Cleanup}}
-{{ToneWarning}}
+{{Irrelevant}}
 {{ProductCargo
 |Company=
@@ Line 10: / Line 10: @@
 |Logo=JavaScript-logo.png}}
-'''{{Wplink|JavaScript}}''' (JS), not to be confused with {{Wplink|ECMAScript}} (ES), is a {{Wplink|programming language}} and core technology of {{Wplink|World_Wide_Web|the Web}}, alongside [[wikipedia:HTML|HTML]] and [[wikipedia:CSS|CSS]]. It was created by [[wikipedia:Brendan_Eich|Brendan Eich]] in 1995.<ref>https://exploringjs.com/es5/ch04.html</ref> As of 2025, the overwhelming majority of [[wikipedia:Website|websites]] (98.9%) uses JS for [[wikipedia:Client_(computing)|client]]-side [[wikipedia:Web_page|webpage]] behavior.<ref name="deployedstats">{{cite web |title=Usage Statistics of JavaScript as Client-side Programming Language on Websites |url=https://w3techs.com/technologies/details/cp-javascript |access-date=2024-02-27 |website=W3Techs }}</ref> It's even used on the [[wikipedia:Server_(computing)|server]]-side (see [[wikipedia:Node.js|Node.js]]). JS is also known to enhance the [[wikipedia:User_experience|user-experience]] (UX). The [[wikipedia:World_Wide_Web_Consortium|World Wide Web Consortium]] (W3C) provides comprehensive guidelines for such purposes.<ref>https://www.w3.org/wiki/The_principles_of_unobtrusive_JavaScript</ref>
+'''{{Wplink|JavaScript}}''' (JS), not to be confused with {{Wplink|ECMAScript}} (ES), is a {{Wplink|programming language}} and core technology of {{Wplink|World_Wide_Web|the Web}}, alongside [[wikipedia:HTML|HTML]] and [[wikipedia:CSS|CSS]]. It was created by [[wikipedia:Brendan_Eich|Brendan Eich]] in 1995.<ref>https://exploringjs.com/es5/ch04.html</ref> As of 2025, the overwhelming majority of [[wikipedia:Website|websites]] (98.9%) uses JS for [[wikipedia:Client_(computing)|client]]-side [[wikipedia:Web_page|webpage]] behavior.<ref name="deployedstats">{{cite web |title=Usage Statistics of JavaScript as Client-side Programming Language on Websites |url=https://w3techs.com/technologies/details/cp-javascript |access-date=27 Feb 2024 |website=W3Techs}}</ref> It's even used on the [[wikipedia:Server_(computing)|server]]-side (see [[wikipedia:Node.js|Node.js]]).
+JS is also known to enhance the [[wikipedia:User_experience|user-experience]] (UX). The [[wikipedia:World_Wide_Web_Consortium|World Wide Web Consortium]] (W3C) provides comprehensive guidelines for such purposes.<ref>https://www.w3.org/wiki/The_principles_of_unobtrusive_JavaScript</ref>
 For the entirety of this article (unless stated otherwise) the terms "JavaScript" and "JS" will be defined as "ECMAScript with access to [https://developer.mozilla.org/en-US/docs/Web/API Web APIs]" or "ES+WebAPI" for short.
@@ Line 17: / Line 19: @@
 *'''Degraded accessibility''': Dynamic and/or active content is well-known to have poor accessibility for users with visual and/or cognitive impairments. While standards such as [[wikipedia:WAI-ARIA|WAI-ARIA]] were created to mitigate this, it's no silver bullet, especially when developers aren't aware of ARIA.
-*'''Lack of transparency''': To optimize network bandwidth, JS code is typically served in [[wikipedia:Minification_(programming)|minified]] form, which makes it harder to understand for humans. This is particularly problematic if the original source is not publicly [[wikipedia:Source-available_software|available]], which is typically the case of [[wikipedia:Proprietary_software|proprietary software]].<ref>{{Cite web |last=Gross |first=Carson |date=2023-09-21 |title=The #ViewSource Affordance |url=https://htmx.org/essays/right-click-view-source/ |url-status=live |archive-url=https://web.archive.org/web/20260228105626/https://htmx.org/essays/right-click-view-source/ |archive-date=2026-02-28 |access-date=2026-03-24 |website=</> htmx ~ Essays}}</ref>
+*'''Degraded compatibility''': While HTML and CSS degrade gracefully, meaning web browsers not supporting a certain feature will simply ignore it and load the rest of the page, JavaScript does not. If any JavaScript feature is not supported by a web browser and not caught using a <code>try</code>...<code>catch</code> block, the rest of the script is not executed, which usually breaks the entire site if it requires JavaScript for basic functions, as "web apps" usually do. This makes accessing a website impossible from legacy systems that do not support recent web browser versions or minimalist web browsers that challenge the [[Google]]-[[Mozilla]] duopoly, rather than being able to use some parts of a website.<ref>{{cite web |url=https://jakearchibald.com/2013/progressive-enhancement-still-important/ |title=Progressive enhancement is still important - JakeArchibald.com |date=2013-07-03 |access-date=2026-04-18 }}</ref><ref>{{cite web |url=https://digdeeper.club/articles/browsers.xhtml#minimal |title=How to choose a browser for everyday use? § Why "minimalist" browsers suck.  |author=Dig Deeper |access-date=2026-04-22 }}</ref>
-*'''Excessive tracking''': JS is much more capable than HTML and [[CSS]]<!-- See "CSS Exfil": https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense/ --> '''combined''' to track user behavior.<ref>https://clickclickclick.click/</ref> JS can communicate with almost any server (only limited by [[wikipedia:Cross-origin_resource_sharing|CORS]]) at any time (limited by connection availability), using a plethora of protocols. JS can get hardware information and compute a [[Device fingerprint|fingerprint of the device]], user, or both.<ref>https://privacycheck.sec.lrz.de/</ref><ref>https://abrahamjuliot.github.io/creepjs</ref><ref>https://www.deviceinfo.me/</ref><ref>{{Cite web |title=Learn how identifiable you are on the Internet |url=https://www.amiunique.org/ |access-date=2026-03-19 |website=Am I Unique ?}}</ref>
+*'''Lack of transparency''': To optimize network bandwidth, JS code is typically served in [[wikipedia:Minification_(programming)|minified]] form, which makes it harder to understand for humans. This is particularly problematic if the original source is not publicly [[wikipedia:Source-available_software|available]], which is typically the case of [[wikipedia:Proprietary_software|proprietary software]].<ref>{{Cite web |last=Gross |first=Carson |date=21 Sep 2023 |title=The #ViewSource Affordance |url=https://htmx.org/essays/right-click-view-source/ |url-status=live |archive-url=https://web.archive.org/web/20260228105626/https://htmx.org/essays/right-click-view-source/ |archive-date=28 Feb 2026 |access-date=24 Mar 2026 |website=</> htmx ~ Essays}}</ref>
-*'''Market control''': JS is built into almost every web-browser and [[wikipedia:User_agent|user-agent]] (UA), including "light-weight" ones (such as [[wikipedia:W3m|w3m]]), incentivizing companies to use it for everything, since "there's no need to worry about compatibility or portability".<ref>{{Cite web |title=Everyone has JavaScript, right? |url=https://www.kryogenix.org/code/browser/everyonehasjs |url-status=live |archive-url=https://web.archive.org/web/20260316024516/https://www.kryogenix.org/code/browser/everyonehasjs.html |archive-date=2026-03-16 |access-date=2026-03-19 |website=Kryogenix Consulting}}</ref><!-- We need another citation here. The current one is relevant, but doesn't cite anyone who assumes JS is portable. Ideally, it should cite an entity using that quote as an excuse to add JS everywhere --> John Gruber says that JS shouldn't be part of browsers;<ref>{{Cite web |last=Gruber |first=John |date=2017-06-22 |title=Gizmodo Investigation Exposes Websites Collecting Form Data Before You Hit 'Submit' |url=https://daringfireball.net/linked/2017/06/22/navistone-form-data |url-status=live |archive-url=https://web.archive.org/web/20260319180650/https://daringfireball.net/linked/2017/06/22/navistone-form-data |archive-date=2026-03-19 |access-date=2026-03-20 |website=Daring Fireball}}</ref><ref>{{Cite web |last=Gruber |first=John |date=2017-06-27 |title=Using Today's Web Without JavaScript |url=https://daringfireball.net/linked/2017/06/27/web-without-javascript |url-status=live |archive-url=https://web.archive.org/web/20260319180612/https://daringfireball.net/linked/2017/06/27/web-without-javascript |archive-date=2026-03-19 |access-date=2026-03-20 |website=Daring Fireball}}</ref> one way that would work is by turning JS into an [[wikipedia:Browser_extension|extension]] or [[wikipedia:Plug-in_(computing)|plug-in]] that the user willingly installs.<!-- This proposal is just to sugarcoat John's bold/"based" opinion, without putting words in his mouth. I'm not sure how else to reword this -->
+*'''Excessive tracking''': JS is much more capable than HTML and [[CSS]] '''combined''' to track user behavior.<ref>https://clickclickclick.click/</ref> JS can communicate with almost any server (only limited by [[wikipedia:Cross-origin_resource_sharing|CORS]]) at any time (limited by connection availability), using a plethora of protocols. JS can get hardware information and compute a [[Device fingerprint|fingerprint of the device]], user, or both.<ref>https://privacycheck.sec.lrz.de/</ref><ref>https://abrahamjuliot.github.io/creepjs</ref><ref>https://www.deviceinfo.me/</ref><ref>{{Cite web |title=Learn how identifiable you are on the Internet |url=https://www.amiunique.org/ |url-status=live |access-date=19 Mar 2026 |website=Am I Unique ?}}</ref>
+*'''Market control''': JS is built into almost every web-browser and [[wikipedia:User_agent|user-agent]] (UA), including "light-weight" ones (such as [[wikipedia:W3m|w3m]]), incentivizing companies to use it for everything, since "there's no need to worry about compatibility or portability".<ref name=":0">{{Cite web |title=Everyone has JavaScript, right? |url=https://www.kryogenix.org/code/browser/everyonehasjs |url-status=live |archive-url=https://web.archive.org/web/20260316024516/https://www.kryogenix.org/code/browser/everyonehasjs.html |archive-date=16 Mar 2026 |access-date=19 Mar 2026 |website=Kryogenix Consulting}}</ref><!-- We need another citation here. The current one is relevant, but doesn't cite anyone who assumes JS is portable. Ideally, it should cite an entity using that quote as an excuse to add JS everywhere -->
 *'''Security risks''': It is well-known that JS is poorly-designed,<ref>https://github.com/denysdovhan/wtfjs</ref><ref>https://github.com/brianleroux/wtfjs</ref><ref>https://github.com/Rudxain/ideas/blob/aa9a80252a4b7c9c51f32eda5c716e96220ed96e/software/evar/with_bf.js</ref> even [[wikipedia:Ecma_International|tc39]] acknowledges that{{Citation needed}}<!-- They do improve (and complicate) it every year, but the fact that `eval` isn't deprecated implies they don't care that much about improving the language -->. This leads to programmers and even experienced software-devs to accidentally add vulnerabilities to their code. That, and the fact that ES is [[wikipedia:Turing_completeness|Turing-complete]]<!-- Not typo. ECMAScript alone is TC. No need for extensions --> (both [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical in practice and in theory]), makes [[wikipedia:Debugging|debugging]] and [[wikipedia:Reverse_engineering|reverse-engineering]] impractical in big code-bases. It's worth noting that tooling, such as [[wikipedia:TypeScript|TypeScript]] and [[wikipedia:ESLint|ESLint]], exist to substantially minimize the likelihood of [[wikipedia:Software_bug|bugs]].
+*'''Degraded performance (web apps)''': "Web apps" load slower than traditional web sites because lots of code has to be processed by the web browser before any content can appear on screen, putting the content at the end of the rendering path.<ref>{{cite web |title=Critical rendering path – Mozilla Developer Network |url=https://developer.mozilla.org/en-US/docs/Web/Performance/Guides/Critical_rendering_path |access-date=2026-04-18 }}</ref>
 ==How it works==
@@ Line 32: / Line 36: @@
 ===Tracking===
-Many webpages (and even entire websites), force the user to keep JS enabled, otherwise they break or deliberately refuse to work. CSS stylesheets combined with HTML<!-- TO-DO: cite `<portal>`. I remember an entire website that demos/showcases the Portal API, but can't find it. `<portal>` fixed the fundamental problem that SPAs try to solve, with minimal (or zero!) JS -->should be fine with most basic websites or webpages that do not need complex client side interaction.
+Many webpages (and even entire websites), force the user to keep JS enabled, otherwise they break or deliberately refuse to work. CSS stylesheets combined with HTML<!-- TO-DO: cite `<portal>`. I remember an entire website that demos/showcases the Portal API, but can't find it. `<portal>` fixed the fundamental problem that SPAs try to solve, with minimal (or zero!) JS --> should be fine with most basic websites/webpages that do not need complex client-side interaction or low-latency server communication.<!-- see Web-Sockets -->
-JS makes it harder for [[Ad block|ad-blockers]] to block ads, since it can be used to make overly-dynamic ads. The data collected by malicious JS makes it trivial to serve [[personalized ads]], even across unrelated sites. Some sites collect so much data that they are indistinguishable from [[spyware]] (see also [[wikipedia:Keystroke_logging|key-logging]]).<ref>{{Cite web |last=Hill |first=Kashmir |date=2017-06-20 |title=Before You Hit ‘Submit,’ This Company Has Already Logged Your Personal Data |url=https://gizmodo.com/before-you-hit-submit-this-company-has-already-logge-1795906081 |url-status=live |archive-url=https://web.archive.org/web/20260220091637/https://gizmodo.com/before-you-hit-submit-this-company-has-already-logge-1795906081 |archive-date=2026-02-20 |access-date=2026-03-19 |website=Gizmodo}}</ref>
+The data collected by malicious JS makes it trivial to serve [[personalized ads]], even across unrelated sites. Some sites collect so much data that they are indistinguishable from [[spyware]] (see also [[wikipedia:Keystroke_logging|key-logging]]).<ref>{{Cite web |last=Hill |first=Kashmir |date=20 Jun 2017 |title=Before You Hit ‘Submit,’ This Company Has Already Logged Your Personal Data |url=https://gizmodo.com/before-you-hit-submit-this-company-has-already-logge-1795906081 |url-status=live |archive-url=https://web.archive.org/web/20260220091637/https://gizmodo.com/before-you-hit-submit-this-company-has-already-logge-1795906081 |archive-date=20 Feb 2026 |access-date=19 Mar 2026 |website=Gizmodo}}</ref>
 ===Security===
-Browser-engine developers (such as [[Google]] and [[Mozilla]]) not only feel compelled, but are financially incentivized to optimize JS to its limits. This leads to complex code-bases that are harder to verify for correctness. Browser vendors mitigate this via [[wikipedia:Sandbox_(computer_security)|sandboxing]]. Unfortunately, since modern browsers compile JS to native CPU code (see [[wikipedia:Just-in-time_compilation|JIT]]) to improve performance, this introduces a higher risk of sandbox-escape.<ref>{{Cite web |last=Norman |first=Johnathan |date=2021-08-04 |title=Super Duper Secure Mode |url=https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/ |url-status=live |archive-url=https://web.archive.org/web/20260218110912/https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode |archive-date=2026-02-18 |access-date=2026-03-19 |website=Microsoft Browser Vulnerability Research}}</ref> Some examples of this are as follows:
+Browser-engine developers (such as Google and Mozilla) not only feel compelled, but are financially incentivized to optimize JS to its limits. This leads to complex code-bases that are harder to verify for correctness. Browser vendors mitigate this via [[wikipedia:Sandbox_(computer_security)|sandboxing]]. Unfortunately, since modern browsers compile JS to native CPU code (see [[wikipedia:Just-in-time_compilation|JIT]]) to improve performance, this introduces a higher risk of sandbox-escape.<ref>{{Cite web |last=Norman |first=Johnathan |date=4 Aug 2021 |title=Super Duper Secure Mode |url=https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/ |url-status=live |archive-url=https://web.archive.org/web/20260218110912/https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode |archive-date=18 Feb 2026 |access-date=19 Mar 2026 |website=Microsoft Browser Vulnerability Research}}</ref> Some examples of this are as follows:
 *[[wikipedia:Cross-site_scripting|XSS]], which [[wikipedia:NoScript|NoScript]] tries to mitigate
@@ Line 45: / Line 49: @@
 ===Performance===
 {{See also|Bloatware}}
-If a JS [[wikipedia:Web_framework|framework]] is used to dynamically generate the DOM, the user must wait longer before the browser can display content. This is because HTML+CSS can be parsed and rendered incrementally (immediately as the bytes arrive to the client), while JS must (typically) be completely parsed and then executed.
+If the DOM-tree is dynamically generated by JS (such as [[wikipedia:Web_framework|frameworks]]), the user must wait longer before the browser can display content. This is because HTML+CSS can be parsed and rendered incrementally (immediately as the bytes arrive to the client), while JS must (typically) be completely parsed and then executed.
+If the JS fails to load for any reason, the user is left with no content.<ref name=":0" /><ref>{{Cite web |last=Luu |first=Dan |title=How web bloat impacts users with slow connections |url=https://danluu.com/web-bloat/ |access-date=13 Apr 2026}}</ref> If the page relies on JS to display content from the main document, the browser will waste bandwidth and time downloading data that won't be shown to the user; this is the case of sites with "splash screens" or "spinners" that use CSS to hide content until it's "ready to be seen" and then un-hidden by JS.<ref>https://github.com/Rudxain/uBO-rules/blob/b1086023e7db98dee55d425edc20722e641dd4b8/rx.abp#L71-L75</ref>
 ===Scraping===
@@ Line 56: / Line 62: @@
 ===Google Search requires JS (2025)===
 In January 2025, Google's web-search engine mandates that user-agents must have JS enabled. Google's justification was that it's a defense mechanism against abusive bots (see also [[Deceptive language frequently used against consumers]]).<ref>https://techcrunch.com/2025/01/17/google-begins-requiring-javascript-for-google-search/</ref><ref>https://daringfireball.net/linked/2025/01/18/google-search-javascript</ref><ref>https://serpapi.com/blog/google-now-requires-javascript/</ref> However, some people claim that it's an invalid justification.<ref>https://blog.jim-nielsen.com/2025/javascript-required/</ref>
+==Proposals and alternatives==<!-- IDK if name is good. Please rename this section if not -->
+*'''Extension''': turning JS into an [[wikipedia:Browser_extension|extension]] or [[wikipedia:Plug-in_(computing)|plug-in]], so that users can choose to install it, is a way to discourage abuse and incentivize static/passive pages. To do this, JS must be deprecated as a Web Standard, but not deprecated as language or API.
+*'''Deprecation''': John Gruber says that JS should never have been added to browsers.<ref>{{Cite web |last=Gruber |first=John |date=22 Jun 2017 |title=Gizmodo Investigation Exposes Websites Collecting Form Data Before You Hit 'Submit' |url=https://daringfireball.net/linked/2017/06/22/navistone-form-data |url-status=live |archive-url=https://web.archive.org/web/20260319180650/https://daringfireball.net/linked/2017/06/22/navistone-form-data |archive-date=19 Mar 2026 |access-date=20 Mar 2026 |website=Daring Fireball}}</ref><ref>{{Cite web |last=Gruber |first=John |date=27 Jun 2017 |title=Using Today's Web Without JavaScript |url=https://daringfireball.net/linked/2017/06/27/web-without-javascript |url-status=live |archive-url=https://web.archive.org/web/20260319180612/https://daringfireball.net/linked/2017/06/27/web-without-javascript |archive-date=19 Mar 2026 |access-date=20 Mar 2026 |website=Daring Fireball}}</ref> The [[wikipedia:Gopher_(protocol)|Gopher]] and [[wikipedia:Gemini_(protocol)|Gemini]] projects advocate for a simpler web.<ref>{{Cite web |title=Project Gemini |url=https://geminiprotocol.net/ |access-date=13 Apr 2026}}</ref> If JS were to be completely removed from the web, this would allow users to navigate without worrying about invisible tracking.<ref>{{Cite web |date=2 Sep 2023 |title=Project Gemini FAQ § Why not just use a subset of HTTP and HTML? |url=https://geminiprotocol.net/docs/faq-section-7.gmi#79-why-not-just-use-a-subset-of-http-and-html |access-date=13 Apr 2026}}</ref> Even if not all JS was removed, this would allow tools like [[wikipedia:UBlock_Origin|uBO]] to adapt their filters for non-JS users.<ref>https://github.com/Rudxain/blog/blob/a326c9db28c9f7eb6e30e6a737ca4aeae0d2ee39/post/js-abuse.md#to-do</ref>
+*'''Feature-freeze''': There has been discussion about feature-freezing JS so that it becomes "JS0" (for lack of better name).<ref>https://docs.google.com/presentation/d/1ylROTu3N6MyHzNzWJXQAc7Bo1O0FHO3lNKfQMfPOA4o/</ref> The main purpose is to make it easier for browser implementers to keep browsers secure and stable.
 ==External links==
@@ Line 66: / Line 78: @@
 *[https://eev.ee/blog/2016/03/06/maybe-we-could-tone-down-the-javascript "Maybe we could tone down the JavaScript"]
 *[https://www.kryogenix.org/code/dont-need-that-js "You really don't need all that JavaScript, I promise"]
-*[https://jakearchibald.com/2013/progressive-enhancement-still-important "Progressive Enhancement Still Important"]
 *https://gomakethings.com/why-progressive-enhancement-still-matters/
 *https://www.viget.com/articles/the-case-against-progressive-enhancements-flimsy-moral-foundation
 *[https://youtu.be/xE9W9Ghe4Jk "Shipping a button in 2026…"], by Kai Lentit. This illustrates the burnout and fatigue software developers can experience on a daily basis
-*[https://grugbrain.dev/ HTMX developer advocating for less JS]
+*[https://grugbrain.dev/#grug-on-front-end-development HTMX developer advocating for less JS]
 *[https://idlewords.com/talks/website_obesity.htm "Web Obesity Crisis"]
-*[https://danluu.com/web-bloat/ "How web bloat impacts users with slow connections"]
 *[https://tonsky.me/blog/js-bloat JS bloat (2024)]
 *[https://tonsky.me/blog/disenchantment How JS makes web apps more unstable]
@@ Line 79: / Line 89: @@
 *[https://www.smashingmagazine.com/2018/05/using-the-web-with-javascript-turned-off/ "I Used The Web For A Day With JavaScript Turned Off"]
 *[https://tobyho.com/2010/03/11/how-much-of-the-web-actually/ "How Much of the Web Actually Work Without Javascript"]
-*[https://github.com/Rudxain/blog/blob/main/post/js-abuse.md More sources] (''TO-DO'')
+*[https://github.com/Rudxain/blog/blob/main/post/js-abuse.md Blog-post with more sources]<!-- TO-DO -->
-==See also==
-*[[Electron]]
 ==References==