So you can tell us: what happens if you have Javascript turned off?
I have sympathy for the "what happens if I'm using a screen reader or other accessibility device" question, not excluding those who need to use assertive technologies where possible is important. geocar's post below suggests what might be a better implementation in that regard, which will support your use case too, but some advanced screen readers might try run the script (to access generated content like Google does for indexing) and then not read the text because said code has hidden it via DOM manipulation, meaning the technique might not work in all cases.
But disabling all javascript and expecting the world to support your preference in everything we produce (you can at least read be core content in this case) feels a bit entitled IMO, along the lines of people/companies (who I deal with in my day job) who use legacy browsers and are upset when that means they can't have shiny new features in the browser based applications that they use (or want to use).
I understand the desire to block all the iffy JS (adverts, particularly adverts that eat CPU cycles and therefore my battery when mobile, tracking, and so on) and I understand that running noscript or similar plugins is too cumbersome in many opinions, but unless you are paying for the content in some way you can't really expect to demand to control how it is delivered to you.
A thought for reducing tracking and such without blocking code used for page functionality: I'd like to see browsers block 3rd party code as an option (as some do for 3rd party cookies), with a whitelist to enable CDNs (possibly with the major CDNs on the whitelist by default). That would still allow iffy code if it is served from the same site (by design or because it has been hacked) so isn't perfect, but it might be a good compromise.
I disable javascript for two reasons: I do not want to download megabytes of useless scripts everyday dozens of times, and I do not want to allow strangers run arbitrary Turing-complete code on my computer, even on a restricted platform like the browser. Thus, I use xombrero + very strict whitelisting. I do not want the world to conform to me, I just conform selectively. I know the consequences of being a NoJS surfer, I just live with it, and don't complain. I even have chromium installed for edge cases.
And here I try to make some criticism of the posted work, and constructively. I think coding defensively for the noscript case is a good, important practise, even if the chosen remedy is to show up a "please enable JS" message. And then there's the case of printing the page, the read-it-later things, archival, etc... I can't run JS on paper, or on PDFs, right? But the WWW is ephemeral, and if something is important, I have to archive. And people have disablities, how would margin notes be readable with say 5x zoom? How will a disabled person get to read the popup margin note if he can't even move the mouse to hover the anchor tag? One may well say that disabled people are not worthy of seeing their content, and however disgusting may it sound they've the right to say so, but the OP may be open to such suggestions for inclusivity and improvement, and I suggest.
I think the JS CDNs are the most stupid things on the world. It is a virus vector. Hack one CDN, and you'll get to run your code on maybe millions of websites. And who decides which CDNs are major, and/or better or more secure?
> I do not want the world to conform to me, I just conform selectively.
A healthy attitude.
> I know the consequences of being a NoJS surfer, I just live with it, and don't complain.
I'm a bit more open with JS, though I've completely blocked flash for years. Any site that doesn't work just, well, doesn't work - I can always try others.
> And here I try to make some criticism of the posted work, and constructively.
I may have misread your short message as being much more "snarky" than you intended, in which case I apologise for my knee jerking in reaction.
> I think the JS CDNs are the most stupid things on the world. Hack one CDN, and you'll get to run your code on maybe millions of websites
Good point, and why I use local copies instead of CDNs myself. That and I prefer not to rely on an external resource unless I have to - it is an extra possible point of failure. The extra bandwidth use is insignificant from a hosting point of view and if you have caching directives set properly it'll only affect your users on first access (and you can often minimise that effect with careful lazy loading). But CDNs are an unavoidable consideration because every other man/woman/other and their dog seem to disagree.
> And who decides which CDNs are major, and/or better or more secure?
A thorny point. I would only include official locations of significant projects like code.jquery.com rather than anything more generic. I wouldn't even exclude ajax.googleapis.com from the "nothing generic" rule.
Happy we mostly agree. Should've been more elaborate, sorry. I sometimes trade off elaboration for brevity and/or laconicism, which causes misunderstandings and off-topic threads.
With regards to CDN, I guess the best option is to have a "standard library" for web, where the browsers provide a standard selection of javascript libraries, jquery, react (I really don't know what this last one is) and the like, and bootstrap and stuff, so that these need not be downloaded, and we can be sure that our copies are mostly secure (audited, tested) and that there's no real single point of failure.
There's still a who decides problem with this approach, but at least I won't be able to steal millions of session cookies should I manage to tamper a single JS file on some domain. Tho I'm not a security person, so it's possible that I'm telling useless crap.
No, that is definitely a valid security concern if copies of code on CDNs are compromised. Though once you have code injected into something like that you can pretty directly do worse than take session cookies.
One possibility would be to have everything signed and include the fingerprint with the <script> tag. That way you could safely read jquery.version.js from anywhere and be as sure it is the real thing as if you'd picked it up from jquery.com. That would in fact remove the need for a CDN - one that copy has been ready from my site and verified there would be no need to read it from your site, so every site that uses the signed version essentially becomes part of a global communal CDN. Of course then you have the hassle of certificate management (how do I trust the signature on that file?). The current infrastructure used for SSL certificates, for all its faults, would suffice, but getting library maintainers to use it might be a struggle.
On further thought: in fact a digital signature may not be needed. Just a hash (and not even a salted one) using a sufficiently provably secure function may be adequate, as already provided by many download sites for verifying the absence of transmission errors, removing the need for any signature/certificate jiggery pokery.
Which is bad if them notes are not ornaments only. So there should be some fallback. I guess a good approach would be to collect the content from some p.marginnote elements which would be hidden if JS is present and left intact if not. So, like
<a href='#' mnref='gcc'>GCC</a>
...
<p class='marginnote' mnname='gcc'>The GNU Compiler Collection</p>
With JS, they'd become margin notes, whithout it, they'd render as plain footnotes.
It's compatible with the W3C recommended idiom for footnotes[2], is accessible without JavaScript, and you can still use `.marginnote` to provide CSS styling.
Sure, but as the README.md states "adds notes to the margin with the text provided in HTML attributes" it's presumably left up to the user how else they display the data if they want it to be visible for people who disable JS. This library is a progressive enhancement. It's very much the right way to do web dev in my opinion.
It's almost the right way -- somewhat better would be to do what one of the above comments say, to add the notes as footnotes using POSH. Then the javascript can rewrite the footnotes into hide/show marginal notes with the same appearance and user interface as this library.
So you can tell us: what happens if you have Javascript turned off?
I have sympathy for the "what happens if I'm using a screen reader or other accessibility device" question, not excluding those who need to use assertive technologies where possible is important. geocar's post below suggests what might be a better implementation in that regard, which will support your use case too, but some advanced screen readers might try run the script (to access generated content like Google does for indexing) and then not read the text because said code has hidden it via DOM manipulation, meaning the technique might not work in all cases.
But disabling all javascript and expecting the world to support your preference in everything we produce (you can at least read be core content in this case) feels a bit entitled IMO, along the lines of people/companies (who I deal with in my day job) who use legacy browsers and are upset when that means they can't have shiny new features in the browser based applications that they use (or want to use).
I understand the desire to block all the iffy JS (adverts, particularly adverts that eat CPU cycles and therefore my battery when mobile, tracking, and so on) and I understand that running noscript or similar plugins is too cumbersome in many opinions, but unless you are paying for the content in some way you can't really expect to demand to control how it is delivered to you.
A thought for reducing tracking and such without blocking code used for page functionality: I'd like to see browsers block 3rd party code as an option (as some do for 3rd party cookies), with a whitelist to enable CDNs (possibly with the major CDNs on the whitelist by default). That would still allow iffy code if it is served from the same site (by design or because it has been hacked) so isn't perfect, but it might be a good compromise.