[gkya]

I disable javascript for two reasons: I do not want to download megabytes of useless scripts everyday dozens of times, and I do not want to allow strangers run arbitrary Turing-complete code on my computer, even on a restricted platform like the browser. Thus, I use xombrero + very strict whitelisting. I do not want the world to conform to me, I just conform selectively. I know the consequences of being a NoJS surfer, I just live with it, and don't complain. I even have chromium installed for edge cases.

And here I try to make some criticism of the posted work, and constructively. I think coding defensively for the noscript case is a good, important practise, even if the chosen remedy is to show up a "please enable JS" message. And then there's the case of printing the page, the read-it-later things, archival, etc... I can't run JS on paper, or on PDFs, right? But the WWW is ephemeral, and if something is important, I have to archive. And people have disablities, how would margin notes be readable with say 5x zoom? How will a disabled person get to read the popup margin note if he can't even move the mouse to hover the anchor tag? One may well say that disabled people are not worthy of seeing their content, and however disgusting may it sound they've the right to say so, but the OP may be open to such suggestions for inclusivity and improvement, and I suggest.

I think the JS CDNs are the most stupid things on the world. It is a virus vector. Hack one CDN, and you'll get to run your code on maybe millions of websites. And who decides which CDNs are major, and/or better or more secure?

[dspillett]

> I do not want the world to conform to me, I just conform selectively.

A healthy attitude.

> I know the consequences of being a NoJS surfer, I just live with it, and don't complain.

I'm a bit more open with JS, though I've completely blocked flash for years. Any site that doesn't work just, well, doesn't work - I can always try others.

> And here I try to make some criticism of the posted work, and constructively.

I may have misread your short message as being much more "snarky" than you intended, in which case I apologise for my knee jerking in reaction.

> I think the JS CDNs are the most stupid things on the world. Hack one CDN, and you'll get to run your code on maybe millions of websites

Good point, and why I use local copies instead of CDNs myself. That and I prefer not to rely on an external resource unless I have to - it is an extra possible point of failure. The extra bandwidth use is insignificant from a hosting point of view and if you have caching directives set properly it'll only affect your users on first access (and you can often minimise that effect with careful lazy loading). But CDNs are an unavoidable consideration because every other man/woman/other and their dog seem to disagree.

> And who decides which CDNs are major, and/or better or more secure?

A thorny point. I would only include official locations of significant projects like code.jquery.com rather than anything more generic. I wouldn't even exclude ajax.googleapis.com from the "nothing generic" rule.

[gkya]

Happy we mostly agree. Should've been more elaborate, sorry. I sometimes trade off elaboration for brevity and/or laconicism, which causes misunderstandings and off-topic threads.

With regards to CDN, I guess the best option is to have a "standard library" for web, where the browsers provide a standard selection of javascript libraries, jquery, react (I really don't know what this last one is) and the like, and bootstrap and stuff, so that these need not be downloaded, and we can be sure that our copies are mostly secure (audited, tested) and that there's no real single point of failure.

There's still a who decides problem with this approach, but at least I won't be able to steal millions of session cookies should I manage to tamper a single JS file on some domain. Tho I'm not a security person, so it's possible that I'm telling useless crap.

[dspillett]

No, that is definitely a valid security concern if copies of code on CDNs are compromised. Though once you have code injected into something like that you can pretty directly do worse than take session cookies.

One possibility would be to have everything signed and include the fingerprint with the <script> tag. That way you could safely read jquery.version.js from anywhere and be as sure it is the real thing as if you'd picked it up from jquery.com. That would in fact remove the need for a CDN - one that copy has been ready from my site and verified there would be no need to read it from your site, so every site that uses the signed version essentially becomes part of a global communal CDN. Of course then you have the hassle of certificate management (how do I trust the signature on that file?). The current infrastructure used for SSL certificates, for all its faults, would suffice, but getting library maintainers to use it might be a struggle.

On further thought: in fact a digital signature may not be needed. Just a hash (and not even a salted one) using a sufficiently provably secure function may be adequate, as already provided by many download sites for verifying the absence of transmission errors, removing the need for any signature/certificate jiggery pokery.