JavaScript: Difference between revisions
m link Bloatware (again, because a previous edit deleted it) |
add "Proposals and alternatives" section; convert "TO-DO" to comment |
||
| Line 19: | Line 19: | ||
*'''Lack of transparency''': To optimize network bandwidth, JS code is typically served in [[wikipedia:Minification_(programming)|minified]] form, which makes it harder to understand for humans. This is particularly problematic if the original source is not publicly [[wikipedia:Source-available_software|available]], which is typically the case of [[wikipedia:Proprietary_software|proprietary software]].<ref>{{Cite web |last=Gross |first=Carson |date=2023-09-21 |title=The #ViewSource Affordance |url=https://htmx.org/essays/right-click-view-source/ |url-status=live |archive-url=https://web.archive.org/web/20260228105626/https://htmx.org/essays/right-click-view-source/ |archive-date=2026-02-28 |access-date=2026-03-24 |website=</> htmx ~ Essays}}</ref> | *'''Lack of transparency''': To optimize network bandwidth, JS code is typically served in [[wikipedia:Minification_(programming)|minified]] form, which makes it harder to understand for humans. This is particularly problematic if the original source is not publicly [[wikipedia:Source-available_software|available]], which is typically the case of [[wikipedia:Proprietary_software|proprietary software]].<ref>{{Cite web |last=Gross |first=Carson |date=2023-09-21 |title=The #ViewSource Affordance |url=https://htmx.org/essays/right-click-view-source/ |url-status=live |archive-url=https://web.archive.org/web/20260228105626/https://htmx.org/essays/right-click-view-source/ |archive-date=2026-02-28 |access-date=2026-03-24 |website=</> htmx ~ Essays}}</ref> | ||
*'''Excessive tracking''': JS is much more capable than HTML and [[CSS]]<!-- See "CSS Exfil": https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense/ --> '''combined''' to track user behavior.<ref>https://clickclickclick.click/</ref> JS can communicate with almost any server (only limited by [[wikipedia:Cross-origin_resource_sharing|CORS]]) at any time (limited by connection availability), using a plethora of protocols. JS can get hardware information and compute a [[Device fingerprint|fingerprint of the device]], user, or both.<ref>https://privacycheck.sec.lrz.de/</ref><ref>https://abrahamjuliot.github.io/creepjs</ref><ref>https://www.deviceinfo.me/</ref><ref>{{Cite web |title=Learn how identifiable you are on the Internet |url=https://www.amiunique.org/ |access-date=2026-03-19 |website=Am I Unique ?}}</ref> | *'''Excessive tracking''': JS is much more capable than HTML and [[CSS]]<!-- See "CSS Exfil": https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense/ --> '''combined''' to track user behavior.<ref>https://clickclickclick.click/</ref> JS can communicate with almost any server (only limited by [[wikipedia:Cross-origin_resource_sharing|CORS]]) at any time (limited by connection availability), using a plethora of protocols. JS can get hardware information and compute a [[Device fingerprint|fingerprint of the device]], user, or both.<ref>https://privacycheck.sec.lrz.de/</ref><ref>https://abrahamjuliot.github.io/creepjs</ref><ref>https://www.deviceinfo.me/</ref><ref>{{Cite web |title=Learn how identifiable you are on the Internet |url=https://www.amiunique.org/ |access-date=2026-03-19 |website=Am I Unique ?}}</ref> | ||
*'''Market control''': JS is built into almost every web-browser and [[wikipedia:User_agent|user-agent]] (UA), including "light-weight" ones (such as [[wikipedia:W3m|w3m]]), incentivizing companies to use it for everything, since "there's no need to worry about compatibility or portability".<ref>{{Cite web |title=Everyone has JavaScript, right? |url=https://www.kryogenix.org/code/browser/everyonehasjs |url-status=live |archive-url=https://web.archive.org/web/20260316024516/https://www.kryogenix.org/code/browser/everyonehasjs.html |archive-date=2026-03-16 |access-date=2026-03-19 |website=Kryogenix Consulting}}</ref><!-- We need another citation here. The current one is relevant, but doesn't cite anyone who assumes JS is portable. Ideally, it should cite an entity using that quote as an excuse to add JS everywhere | *'''Market control''': JS is built into almost every web-browser and [[wikipedia:User_agent|user-agent]] (UA), including "light-weight" ones (such as [[wikipedia:W3m|w3m]]), incentivizing companies to use it for everything, since "there's no need to worry about compatibility or portability".<ref>{{Cite web |title=Everyone has JavaScript, right? |url=https://www.kryogenix.org/code/browser/everyonehasjs |url-status=live |archive-url=https://web.archive.org/web/20260316024516/https://www.kryogenix.org/code/browser/everyonehasjs.html |archive-date=2026-03-16 |access-date=2026-03-19 |website=Kryogenix Consulting}}</ref><!-- We need another citation here. The current one is relevant, but doesn't cite anyone who assumes JS is portable. Ideally, it should cite an entity using that quote as an excuse to add JS everywhere --> | ||
*'''Security risks''': It is well-known that JS is poorly-designed,<ref>https://github.com/denysdovhan/wtfjs</ref><ref>https://github.com/brianleroux/wtfjs</ref><ref>https://github.com/Rudxain/ideas/blob/aa9a80252a4b7c9c51f32eda5c716e96220ed96e/software/evar/with_bf.js</ref> even [[wikipedia:Ecma_International|tc39]] acknowledges that{{Citation needed}}<!-- They do improve (and complicate) it every year, but the fact that `eval` isn't deprecated implies they don't care that much about improving the language -->. This leads to programmers and even experienced software-devs to accidentally add vulnerabilities to their code. That, and the fact that ES is [[wikipedia:Turing_completeness|Turing-complete]]<!-- Not typo. ECMAScript alone is TC. No need for extensions --> (both [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical in practice and in theory]), makes [[wikipedia:Debugging|debugging]] and [[wikipedia:Reverse_engineering|reverse-engineering]] impractical in big code-bases. It's worth noting that tooling, such as [[wikipedia:TypeScript|TypeScript]] and [[wikipedia:ESLint|ESLint]], exist to substantially minimize the likelihood of [[wikipedia:Software_bug|bugs]]. | *'''Security risks''': It is well-known that JS is poorly-designed,<ref>https://github.com/denysdovhan/wtfjs</ref><ref>https://github.com/brianleroux/wtfjs</ref><ref>https://github.com/Rudxain/ideas/blob/aa9a80252a4b7c9c51f32eda5c716e96220ed96e/software/evar/with_bf.js</ref> even [[wikipedia:Ecma_International|tc39]] acknowledges that{{Citation needed}}<!-- They do improve (and complicate) it every year, but the fact that `eval` isn't deprecated implies they don't care that much about improving the language -->. This leads to programmers and even experienced software-devs to accidentally add vulnerabilities to their code. That, and the fact that ES is [[wikipedia:Turing_completeness|Turing-complete]]<!-- Not typo. ECMAScript alone is TC. No need for extensions --> (both [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical in practice and in theory]), makes [[wikipedia:Debugging|debugging]] and [[wikipedia:Reverse_engineering|reverse-engineering]] impractical in big code-bases. It's worth noting that tooling, such as [[wikipedia:TypeScript|TypeScript]] and [[wikipedia:ESLint|ESLint]], exist to substantially minimize the likelihood of [[wikipedia:Software_bug|bugs]]. | ||
| Line 56: | Line 56: | ||
===Google Search requires JS (2025)=== | ===Google Search requires JS (2025)=== | ||
In January 2025, Google's web-search engine mandates that user-agents must have JS enabled. Google's justification was that it's a defense mechanism against abusive bots (see also [[Deceptive language frequently used against consumers]]).<ref>https://techcrunch.com/2025/01/17/google-begins-requiring-javascript-for-google-search/</ref><ref>https://daringfireball.net/linked/2025/01/18/google-search-javascript</ref><ref>https://serpapi.com/blog/google-now-requires-javascript/</ref> However, some people claim that it's an invalid justification.<ref>https://blog.jim-nielsen.com/2025/javascript-required/</ref> | In January 2025, Google's web-search engine mandates that user-agents must have JS enabled. Google's justification was that it's a defense mechanism against abusive bots (see also [[Deceptive language frequently used against consumers]]).<ref>https://techcrunch.com/2025/01/17/google-begins-requiring-javascript-for-google-search/</ref><ref>https://daringfireball.net/linked/2025/01/18/google-search-javascript</ref><ref>https://serpapi.com/blog/google-now-requires-javascript/</ref> However, some people claim that it's an invalid justification.<ref>https://blog.jim-nielsen.com/2025/javascript-required/</ref> | ||
== Proposals and alternatives ==<!-- IDK if name is good. Please rename this section if not --> | |||
* Extension: turning JS into an [[wikipedia:Browser_extension|extension]] or [[wikipedia:Plug-in_(computing)|plug-in]], so that users can choose to install it, is a way to discourage abuse and incentivize static/passive pages. To do this, JS must be deprecated as a Web Standard, but not deprecated as language or API. | |||
* Deprecation: John Gruber says that JS should never have been added to browsers.<ref>{{Cite web |last=Gruber |first=John |date=2017-06-22 |title=Gizmodo Investigation Exposes Websites Collecting Form Data Before You Hit 'Submit' |url=https://daringfireball.net/linked/2017/06/22/navistone-form-data |url-status=live |archive-url=https://web.archive.org/web/20260319180650/https://daringfireball.net/linked/2017/06/22/navistone-form-data |archive-date=2026-03-19 |access-date=2026-03-20 |website=Daring Fireball}}</ref><ref>{{Cite web |last=Gruber |first=John |date=2017-06-27 |title=Using Today's Web Without JavaScript |url=https://daringfireball.net/linked/2017/06/27/web-without-javascript |url-status=live |archive-url=https://web.archive.org/web/20260319180612/https://daringfireball.net/linked/2017/06/27/web-without-javascript |archive-date=2026-03-19 |access-date=2026-03-20 |website=Daring Fireball}}</ref> The [[wikipedia:Gopher_(protocol)|Gopher]] and [[wikipedia:Gemini_(protocol)|Gemini]] projects advocate for a simpler web.<ref>{{Cite web |title=Project Gemini |url=https://geminiprotocol.net/ |access-date=2026-04-13}}</ref> If JS were to be completely removed from the web, this would allow users to navigate without worrying about invisible tracking.<ref>{{Cite web |date=2023-09-02 |title=Project Gemini FAQ § Why not just use a subset of HTTP and HTML? |url=https://geminiprotocol.net/docs/faq.gmi#79-why-not-just-use-a-subset-of-http-and-html |access-date=2026-04-13}}</ref> Even if not all JS was removed, this would allow tools like [[wikipedia:UBlock_Origin|uBO]] to adapt their filters for non-JS users.<ref>https://github.com/Rudxain/blog/blob/a326c9db28c9f7eb6e30e6a737ca4aeae0d2ee39/post/js-abuse.md#to-do</ref> | |||
* Feature-freeze: There has been discussion about feature-freezing JS so that it becomes "JS0" (for lack of better name).<ref>https://docs.google.com/presentation/d/1ylROTu3N6MyHzNzWJXQAc7Bo1O0FHO3lNKfQMfPOA4o/</ref> The main purpose is to make it easier for browser implementers to keep browsers secure and stable. | |||
==External links== | ==External links== | ||
| Line 79: | Line 85: | ||
*[https://www.smashingmagazine.com/2018/05/using-the-web-with-javascript-turned-off/ "I Used The Web For A Day With JavaScript Turned Off"] | *[https://www.smashingmagazine.com/2018/05/using-the-web-with-javascript-turned-off/ "I Used The Web For A Day With JavaScript Turned Off"] | ||
*[https://tobyho.com/2010/03/11/how-much-of-the-web-actually/ "How Much of the Web Actually Work Without Javascript"] | *[https://tobyho.com/2010/03/11/how-much-of-the-web-actually/ "How Much of the Web Actually Work Without Javascript"] | ||
*[https://github.com/Rudxain/blog/blob/main/post/js-abuse.md | *[https://github.com/Rudxain/blog/blob/main/post/js-abuse.md Blog-post with more sources]<!-- TO-DO --> | ||
==See also== | ==See also== | ||