> Random websites can't be entrusted to run javascript in a way that's not hostile to my interests.
I encourage you to consider that any website that runs arbitrary code on your computer _at all_ is hostile to your interests, by default. Websites today are becoming more programs than documents; rather than presenting you with a download dialog like you'd traditionally see with software, your browser is clicking "Download and Run" for you.
Cooper Quintin of the EFF had a Privacy Badger talk at LibrePlanet 2016 that emphasizes just how many third parties you are "trusting" when you visit a website.
> I sure hope no one on here would install software requested by unsolicited tech support!
All it takes is one browser 0-day that gets distributed on an ad network. A large segment of the HN crowd is still executing untrusted JS on their computers and opposed to blocking their source of income.
> It's interesting to see this touch a nerve so intensely, I think it's really exposing the lies people tell themselves to cope with a reality that isn't really internally consistent and that's why there's such a strong reaction.
I'm not telling myself any lies. I deeply believe that my computer is my private property and I get full control over what executes on it. If you think otherwise you're delusional.
I want to control what runs on my computer because by not doing so I run the risk of allowing something malicious to execute and thus I suffer long term, and perhaps others directly connected to me also suffer. I want to prevent that and I do so by stopping JavaScript from running automatically in my browser.
I use uBlock for the same reason: I want to block elements from running on a website that aren't directly associated with the content I asked for. If after visiting the website it comes to light that the webmasters are actually only showing genuinely good adverts that are ethically and morally rendered (i.e. they're not using abusive practices), then I can choose to either whitelist that website or stop accessing it.
> The Javascript issue never made sense to me. [...] Even releasing the spying software under GPL wouldn't stop it from spying on you.
Exactly.
The licence is not the only problem with javascript on the web because you can't use your freedoms in practice anyway since the code is automatically downloaded and executed when you load the page in a common web browser.
What we need is something that allows people to choose what code to run, similarly to how software traditionally is downloaded and executed in two separate steps.
We need to get away from the assumption that people will run all code you throw at them when they visit your site.
Then maybe licences on javascript can start to make more sense.
> Using the web today is a hostile experience, and the only safe haven from all this nonsense is using community-supported alternative browsers, that are really stripped down versions of mainstream ones, and relying heavily on ad, cookie, JavaScript and other blockers, which may stop working at any point.
I think the actual root of the problem is that the people and organizations developing and running the sites do want to force the ads, analytics and other things upon you and you as a user basically have to hack around that. If the users actually took a stance with something a bit like https://en.wikipedia.org/wiki/GNU_LibreJS then the sad reality would be that you just couldn't use most sites altogether.
Just because a user doesn't understand what Javascript is or how to diagnose why their computer is slow (is it an app, website, update, virus etc) does not imply consent.
Pretty sure that most people just want to be able to visit a website without it causing problems to their computer or to others.
Except in the long term that would have no effect in empowering users. We all know that when faced with a deluge of permission requests, or pressured by the fact that enough people have already accepted and it's the entry price to collaborate, people will just hit accept and be done with it.
They only need to get the foot in the door and then you'll find that plenty of stuff ends up conditioned on you giving them access. Every one of these APIs is a Trojan horse. Past experience just proves that they will be hijacked for purposes that don't do the user any favors.
Look no further than JS which is there to enrich the web to benefit users but 99% of it is garbage slid under the door to benefit site owners. That's because plenty of things that should work just fine without it are now tied into it, disable JS and the site experience breaks.
>> I have no obligation to make a business profitable.
Do we have an obligation to allow script in our browsers? >90% of my "news reading" on the internet is done with NoScript running; from my point of view it's all good, no ads, no GDPR pop-ups, pages load quickly, fewer worries about tracking.
> It's your responsibility to make sure you trust that entity, and do your due diligence.
> What does this entail?
My whole point is that that's up to you to decide. No one else can make that choice for you.
The VAST majority of people have decided that the risks they face today are worth it, and continue to use the web with js enabled.
If you're not one of them, I absolutely respect that decision, but it means you'll have to accept that companies are making financial and security based decisions based on the behaviors of normal people.
That means that when Spotify (and let's be honest, every other streaming service) doesn't work without js, you go somewhere else, and use something different.
That's the whole point I'm making. You can make any decision you'd like with regards to your own security, you can make any decision you'd like with regards to the sites you visit. But that site is free to act in its own interests, including adding features and services that target the majority of their uses.
> The web already has a user-facing permissions system; it wouldn't be hard to add many of these under that umbrella (USB, Bluetooth, and Sensors stand out as obvious candidates that should've been behind that barrier from the beginning)
Let’s add Javascript to that list too.
Not all sites need it, and given the abuse it’s responsible for, it shouldn’t be permitted unless a user opts in.
> But there is no guarantee that these mitigations will continue to work.
This is the biggest problem. It used to be that Firefox was on your side, but now it's turning into the we-know-better-than-our-users Chrome, where they don't even feel like guaranteeing that disabling this malicious and unwarranted service today will continue to leave it disabled tomorrow.
> Which is why the web has the most robust permissions system of any platform, period.
I fundamentally disagree with that. Yes it has a permissions system but is it really all that robust? Let alone the most robust of any platform? First off you're dependent on the browser implementing that correctly (that's not always the case) and often there are a thousand different ways you can still do naughty things even if those permissions are implemented correctly. Then there are the thousands of vulnerabilities built into the very design of the web that developers (of both web and browsers) are constantly having to code around (XSS, et al). And that's without even addressing the current problems we have with data leakage and privacy concerns that we seemingly have little control over at all.
Compare that to networking where you have VLANs, subnets, firewalls and other network ACLs; or Linux servers where you have tools like SELinux. These tools might not be simple to use from the outset but they're certainly a great deal more robust than any of the models the web has offered us thus far.
> Connecting to a web page should not be consent to allow the operators of that web page to make my computer/phone do whatever they want on the net.
But that is literally what web users want.
Everything you named is a fine opinion, but runs contrary to the wishes of the vast majority of millions and millions and millions and millions of web users.
EDIT: That said, browsers have features for users such as yourself to disable JavaScript, and there are third party extensions for finer-grained control. Again, adding these limitations is unpopular among web users.
> If non-intrusive browsers existed, which could run Javascript, is that considered acceptable to go to JS sites?
User agents need not be browsers. What if we had a scraper for every site? What if we had reverse engineered free software clients for every website's API endpoints? We'd be in full control.
People maintain humongous repositories of ad blocker filters and executable countermeasures against "clever" websites. Perhaps it would be feasible to maintain a collection of scrapers and custom clients too.
> Look at a site like YouTube today. All the tooling we've created and all the progress of the open web platform that has made that site happen is incredible.
Flash DRM replaced with another closed source DRM. No progress whatsoever. And now it is embedded in the browser itself, greatly increasing its vulnerability.
> I believe it is my right to adjust my browsing experience by affecting how websites are rendered in my browser to a degree I find reasonable, as well as from my side what data tracking I allow, which is already a huge compromise for me (I would rather not allow js by default in most websites).
Agree completely. I know people who are fine with watching ads to support the content creators and I agree. The creators should be compensated but Google are far too aggressive with their ads.
Being able to manipulate my own machine and what I want to view is entirely up to me. This can't be infringed.
There is always the option today to block from the client side, but I can see this changing if there's enough money involved.
> The good thing of course is that it shows that they are afraid of such an extension.
Seriously. I'd figured they'd filter these "clicks" out easily server-side and didn't bother to install this thing, but this ban has hinted otherwise. I'll be installing it everywhere I can now.
> let’s do as follows: We implement code in our websites that checks whether the user agent implements this API. If the check passes, we tell the user that their browser is not welcome and why that is.
I am sympathetic, I agree let's all do that....
...I cannot imagine any of the money people I work with agreeing
They're denying access to no-JS users to many sites.