Consumer Rights Wiki

JavaScript: Difference between revisions

← Older edit
VisualWikitext
Rudxain (talk | contribs)
confirmed, superconfirmed
889 edits
m move G and Moz links to new 1st occurrence; also because the 1st-ocur aren't in parentheses
Rudxain (talk | contribs)
confirmed, superconfirmed
889 edits
m CSS exfil mentioned in new article
 
Line 21: Line 21:
*'''Degraded compatibility''': While HTML and CSS degrade gracefully, meaning web browsers not supporting a certain feature will simply ignore it and load the rest of the page, JavaScript does not. If any JavaScript feature is not supported by a web browser and not caught using a <code>try</code>...<code>catch</code> block, the rest of the script is not executed, which usually breaks the entire site if it requires JavaScript for basic functions, as "web apps" usually do. This makes accessing a website impossible from legacy systems that do not support recent web browser versions or minimalist web browsers that challenge the [[Google]]-[[Mozilla]] duopoly, rather than being able to use some parts of a website.<ref>{{cite web |url=https://jakearchibald.com/2013/progressive-enhancement-still-important/ |title=Progressive enhancement is still important - JakeArchibald.com |date=2013-07-03 |access-date=2026-04-18 }}</ref><ref>{{cite web |url=https://digdeeper.club/articles/browsers.xhtml#minimal |title=How to choose a browser for everyday use? § Why "minimalist" browsers suck.  |author=Dig Deeper |access-date=2026-04-22 }}</ref>
*'''Degraded compatibility''': While HTML and CSS degrade gracefully, meaning web browsers not supporting a certain feature will simply ignore it and load the rest of the page, JavaScript does not. If any JavaScript feature is not supported by a web browser and not caught using a <code>try</code>...<code>catch</code> block, the rest of the script is not executed, which usually breaks the entire site if it requires JavaScript for basic functions, as "web apps" usually do. This makes accessing a website impossible from legacy systems that do not support recent web browser versions or minimalist web browsers that challenge the [[Google]]-[[Mozilla]] duopoly, rather than being able to use some parts of a website.<ref>{{cite web |url=https://jakearchibald.com/2013/progressive-enhancement-still-important/ |title=Progressive enhancement is still important - JakeArchibald.com |date=2013-07-03 |access-date=2026-04-18 }}</ref><ref>{{cite web |url=https://digdeeper.club/articles/browsers.xhtml#minimal |title=How to choose a browser for everyday use? § Why "minimalist" browsers suck.  |author=Dig Deeper |access-date=2026-04-22 }}</ref>
*'''Lack of transparency''': To optimize network bandwidth, JS code is typically served in [[wikipedia:Minification_(programming)|minified]] form, which makes it harder to understand for humans. This is particularly problematic if the original source is not publicly [[wikipedia:Source-available_software|available]], which is typically the case of [[wikipedia:Proprietary_software|proprietary software]].<ref>{{Cite web |last=Gross |first=Carson |date=21 Sep 2023 |title=The #ViewSource Affordance |url=https://htmx.org/essays/right-click-view-source/ |url-status=live |archive-url=https://web.archive.org/web/20260228105626/https://htmx.org/essays/right-click-view-source/ |archive-date=28 Feb 2026 |access-date=24 Mar 2026 |website=</> htmx ~ Essays}}</ref>
*'''Lack of transparency''': To optimize network bandwidth, JS code is typically served in [[wikipedia:Minification_(programming)|minified]] form, which makes it harder to understand for humans. This is particularly problematic if the original source is not publicly [[wikipedia:Source-available_software|available]], which is typically the case of [[wikipedia:Proprietary_software|proprietary software]].<ref>{{Cite web |last=Gross |first=Carson |date=21 Sep 2023 |title=The #ViewSource Affordance |url=https://htmx.org/essays/right-click-view-source/ |url-status=live |archive-url=https://web.archive.org/web/20260228105626/https://htmx.org/essays/right-click-view-source/ |archive-date=28 Feb 2026 |access-date=24 Mar 2026 |website=</> htmx ~ Essays}}</ref>
*'''Excessive tracking''': JS is much more capable than HTML and [[CSS]]<!-- See "CSS Exfil": https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense/ --> '''combined''' to track user behavior.<ref>https://clickclickclick.click/</ref> JS can communicate with almost any server (only limited by [[wikipedia:Cross-origin_resource_sharing|CORS]]) at any time (limited by connection availability), using a plethora of protocols. JS can get hardware information and compute a [[Device fingerprint|fingerprint of the device]], user, or both.<ref>https://privacycheck.sec.lrz.de/</ref><ref>https://abrahamjuliot.github.io/creepjs</ref><ref>https://www.deviceinfo.me/</ref><ref>{{Cite web |title=Learn how identifiable you are on the Internet |url=https://www.amiunique.org/ |url-status=live |access-date=19 Mar 2026 |website=Am I Unique ?}}</ref>
*'''Excessive tracking''': JS is much more capable than HTML and [[CSS]] '''combined''' to track user behavior.<ref>https://clickclickclick.click/</ref> JS can communicate with almost any server (only limited by [[wikipedia:Cross-origin_resource_sharing|CORS]]) at any time (limited by connection availability), using a plethora of protocols. JS can get hardware information and compute a [[Device fingerprint|fingerprint of the device]], user, or both.<ref>https://privacycheck.sec.lrz.de/</ref><ref>https://abrahamjuliot.github.io/creepjs</ref><ref>https://www.deviceinfo.me/</ref><ref>{{Cite web |title=Learn how identifiable you are on the Internet |url=https://www.amiunique.org/ |url-status=live |access-date=19 Mar 2026 |website=Am I Unique ?}}</ref>
*'''Market control''': JS is built into almost every web-browser and [[wikipedia:User_agent|user-agent]] (UA), including "light-weight" ones (such as [[wikipedia:W3m|w3m]]), incentivizing companies to use it for everything, since "there's no need to worry about compatibility or portability".<ref name=":0">{{Cite web |title=Everyone has JavaScript, right? |url=https://www.kryogenix.org/code/browser/everyonehasjs |url-status=live |archive-url=https://web.archive.org/web/20260316024516/https://www.kryogenix.org/code/browser/everyonehasjs.html |archive-date=16 Mar 2026 |access-date=19 Mar 2026 |website=Kryogenix Consulting}}</ref><!-- We need another citation here. The current one is relevant, but doesn't cite anyone who assumes JS is portable. Ideally, it should cite an entity using that quote as an excuse to add JS everywhere -->
*'''Market control''': JS is built into almost every web-browser and [[wikipedia:User_agent|user-agent]] (UA), including "light-weight" ones (such as [[wikipedia:W3m|w3m]]), incentivizing companies to use it for everything, since "there's no need to worry about compatibility or portability".<ref name=":0">{{Cite web |title=Everyone has JavaScript, right? |url=https://www.kryogenix.org/code/browser/everyonehasjs |url-status=live |archive-url=https://web.archive.org/web/20260316024516/https://www.kryogenix.org/code/browser/everyonehasjs.html |archive-date=16 Mar 2026 |access-date=19 Mar 2026 |website=Kryogenix Consulting}}</ref><!-- We need another citation here. The current one is relevant, but doesn't cite anyone who assumes JS is portable. Ideally, it should cite an entity using that quote as an excuse to add JS everywhere -->
*'''Security risks''': It is well-known that JS is poorly-designed,<ref>https://github.com/denysdovhan/wtfjs</ref><ref>https://github.com/brianleroux/wtfjs</ref><ref>https://github.com/Rudxain/ideas/blob/aa9a80252a4b7c9c51f32eda5c716e96220ed96e/software/evar/with_bf.js</ref> even [[wikipedia:Ecma_International|tc39]] acknowledges that{{Citation needed}}<!-- They do improve (and complicate) it every year, but the fact that `eval` isn't deprecated implies they don't care that much about improving the language -->. This leads to programmers and even experienced software-devs to accidentally add vulnerabilities to their code. That, and the fact that ES is [[wikipedia:Turing_completeness|Turing-complete]]<!-- Not typo. ECMAScript alone is TC. No need for extensions --> (both [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical in practice and in theory]), makes [[wikipedia:Debugging|debugging]] and [[wikipedia:Reverse_engineering|reverse-engineering]] impractical in big code-bases. It's worth noting that tooling, such as [[wikipedia:TypeScript|TypeScript]] and [[wikipedia:ESLint|ESLint]], exist to substantially minimize the likelihood of [[wikipedia:Software_bug|bugs]].
*'''Security risks''': It is well-known that JS is poorly-designed,<ref>https://github.com/denysdovhan/wtfjs</ref><ref>https://github.com/brianleroux/wtfjs</ref><ref>https://github.com/Rudxain/ideas/blob/aa9a80252a4b7c9c51f32eda5c716e96220ed96e/software/evar/with_bf.js</ref> even [[wikipedia:Ecma_International|tc39]] acknowledges that{{Citation needed}}<!-- They do improve (and complicate) it every year, but the fact that `eval` isn't deprecated implies they don't care that much about improving the language -->. This leads to programmers and even experienced software-devs to accidentally add vulnerabilities to their code. That, and the fact that ES is [[wikipedia:Turing_completeness|Turing-complete]]<!-- Not typo. ECMAScript alone is TC. No need for extensions --> (both [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical in practice and in theory]), makes [[wikipedia:Debugging|debugging]] and [[wikipedia:Reverse_engineering|reverse-engineering]] impractical in big code-bases. It's worth noting that tooling, such as [[wikipedia:TypeScript|TypeScript]] and [[wikipedia:ESLint|ESLint]], exist to substantially minimize the likelihood of [[wikipedia:Software_bug|bugs]].
Retrieved from "https://consumerrights.wiki/w/JavaScript"