
> LibreJS includes a default subject line and body for the complaint email, with a link to the JavaScript Trap essay.

If that's not some pedantic RMS bullshit, I don't know what is.

At least it's easy enough for a spam filter to catch.




> JavaScript, embedded, in email is, pejoratively, a bad idea by putting too much power into a transmitted email

The exploit writers would like to politely disagree. /s


> but they fail to establish that text-only email solves this problem in any meaningful way

The quote from US-CERT isn't "meaningful"?

FWIW, I'm the first to bitch about security experts that sacrifice usability in the name of security any day, but for once I completely agree with them.

> Also, the reference to JavaScript in email leads me to question whether the authors have any idea what they're talking about. Mail clients don't execute JavaScript.

https://stackoverflow.com/questions/3054315/is-javascript-su...

And that's only until someone finds a way to make them execute Javascript anyway. I don't think it ever actually happened, but not using an HTML engine drastically reduces the attack surface for sure.


> If this existed, would you — an open source software developer — sign up and use it?

To whomever does create such a thing, please make any JavaScript served to the user free software (it'd be a bonus if the server software were too, of course).[0] There are sites I'd use to make donations, but I can't because the code is non-free; I don't find this to be an unreasonable request for free software projects.

[0]: https://www.gnu.org/philosophy/javascript-trap.en.html


> I usually modify HTML forms so that they won’t work and fix them with javascript. This gives me almost zero spam.

Interesting. One would assume that most spammers use automated browsers with JavaScript enabled.


> we are comparing it to Gmail itself, one of the few Javascript apps actually created by people in possession of some engineering sensibility.

Are you kidding me? The JavaScript version of Gmail is awful. One of the slowest client-side apps I've had the displeasure to use. Full-fat Gmail used to be fast and pleasant to use (and at that point it was indeed faster than the plain HTML version), but they did a rewrite a few years back and completely borked it.


> Attempting to sandbox user-supplied Javascript just seems like an exercise in futility.

You just need to run the javascript in an interpreter written in javascript /sarcasm

>> EDIT: oh god it's real https://github.com/mozilla/narcissus


NB: I saw LibreJS in use months ago, in person at the FSF offices. I also got in an argument about it in which I brought up points that are echoed in comments on this page.

But, I was missing the point then. (Maybe I still am.)

I think the point of this thing is to show web users a truth that they might not have thought about: that most javascript in the wild isn't licensed at all && they depend heavily on it.

To see this point clearly, try an experiment: install and activate the add-in. Now, try to do something on the web. Find a restaurant, buy airline tickets, comment on a post, author a post on your blog. Most likely, you can't do any of those things. That's the point. Even ardent free software supporters are depending on [large number] lines of non-free software every day.


> JavaScript is really what's to blame for all of this

Along with CSS, cookies, external images and fonts, redirect links, referrer headers, browser caches, and IP addresses that don't change over time and that can be linked to physical locations.

Javascript certainly doesn't have its hands clean, and there have been some frankly stupid decisions in how it was designed -- but stopping dedicated trackers is more complicated than you're making it seem. I don't need Javascript to put a tracking pixel in your email.


> and most certainly does contain non-free javascript

You do not have to execute any javascript for the article to be read properly -- maybe it's what matters from his point of view.


> I guess if you only make HTML email templates, this is the library for you!

No JS in html emails, it doesn't work at all.


> why do you need to bash people enjoying themselves with a tool they're comfortable with to create things

Isn't that part of the theme of the post? Javascript doesn't care that it's being used for evil, but the things people create in Javascript often turn that way. They harvest personal data, drain battery life, and litter the internet with obtrusive advertisements. And that's when it doesn't just fail and break the website.

So go ahead. Create kind and beautiful things in Javascript. Just don't be surprised that people blame the language for the dreadful things it's brought us.


> Citation needed. Literally 100% of the JS code i've written over the past 24 years has been 100% free of "ads, trackers, and internal tools that somehow users have to contributor their data to."

It's a fair assumption that the majority of the code on the internet probably isn't written by you, so what you or any other individual writes isn't exactly a counter-argument.

I'd assume the poster you replied to was referring to the Javascript that gets delivered to their browser on a day to day basis by general purpose web sites, for which a significant percentage being ads and related unwanted content is entirely plausible.

If you were to capture all of the Javascript delivered to a randomly selected person's browser during a normal day I would easily believe somewhere between 50 and 80 percent of that Javascript was things that if the user was given a real choice they would not choose to load.


> but to blame JavaScript or modern web development in general is ridiculous.

This is what I call toxicity:

6000 lines (up to 1.3 million characters long)

170,000 words

2.4 MB


> I was once asked by a client if we could capture people's email addresses in a sign-up form even if they didn't hit submit, so we could email them later. I am still quite proud of my response, which was, "Yes, we absolutely can! No, we absolutely won't help you do that!"

1) letting Javascript initiate network connections without explicit user interaction with a narrow set of elements (say, a submit button) was a mistake.

2) not having a browser-provided summary of the data a form is about to submit before it's transmitted was a mistake.

Basically letting Javascript escape from a little box of tightly-scoped input validation handling and maybe defining sort functions for tables was a mistake.


> I hate JavaScript so much that I'm going to include JavaScript complaining about you running my JavaScript.

Or just don't include any JavaScript.


>I don't fully understand why packages like this are so popular.

I consider 'iseven' and 'isodd' to be signs that Javascript is a hellaciously engineered piece of crap that should be avoided at all costs. They're popular because Javascript is garbage.


> Calling methods with the square bracket notation

> If it includes something like the above [...] and it doesn't have a free license statement, should people really complain about it?

Why on earth would this project concern itself with the coding styles of the JS that the author prefers? Even if the site and/or JS is free software, why do these things matter?

I mean, I get linting your own code, but linting the code of sites you visit just seems pointless.

This, banning AJAX requests and with the arduous process of getting into the 'libre' whitelist, makes this project a complete joke.


> Another is ensuring that all of the excessive and crappy Javascript that many sites run isn't used

While I wouldn't argue that there isn't a massive amount of god-awful javascript being written today, but why does a third party, private company get to determine what is or isn't "excessive and crappy" on someone's own website? This sounds like a slippery slope to me.


> Actually can we stop writing tutorials period.

No. If I don't write tutorials for my Javascript library thing[1], who's going to bother using it ... or even looking at it?

[1] - Obligatory spam link: https://scrawl-v8.rikweb.org.uk/learn
