Apart from other points sibling comments have made - the current Web is very much a mush of "trust one site" leads to running code from three, four different domains via CORS and whatnot. My favorite alerts in NoScript are people running JS from bare Cloudflare and S3 domains (do you trust all JS publicly available on S3?) (and other CDNs) - and also the "secure" Amazon stuff like the HN search box: some random AWS/CloudFront subdomains, a third-party service (Algolia) and its accompanying domain for static resources.
It might be convenient and powerful - but secure? With our current huge (in code and complexity) browsers? With the series of bugs in font rendering, image libraries etc?
[ed: autocorrect. Apologies for seemingly calling algolia "third-rate" for a while there!]
"remote-execution-by-default": web browsers execute code that was loaded from an untrusted source somewhere on the internet. Every (ok, most) browsers by default allow any website you visit to execute JavaScript code in your browser.
"same origin" is about the source of that code, only of minor relevance here as long as no working signed code distribution mechanism and infrastructure exists - why not, btw, after all these years?
For communications and general information transmission we do not need remote code execution.
Yes, browsers try to do that in a "safe way" - the "sandboxing" approach has been exercised for many years now, mostly without success. Maybe Qubes OS can be a successful approach to this problem, but we still have too many non-technical problems to solve, as reality shows, so enough time to do more research. Until then: CSS only should be the default.
CSS gives us a very good way to stop going on with those unacceptable defaults while we fix the first version of the internet.
> the "sandboxing" approach has been exercised for many years now, mostly without success.
My impression is that JavaScript has basically been the most successful sandbox ever deployed on a large scale. All vulnerabilities I've seen that escape the sandbox are due to things like Flash.
Does anybody know of any "JS-only" exploits that have happened?
> What do you exactly mean with "remote-execution-by-default"? As far as I know, all browsers have strict "same-origin" policies by default.
Even with the same-origin policy, the default behaviour of a web browser is to execute code it downloads from a remote site (i.e., remote to your computer); as it turns out, this is an utter disaster for security and privacy, turning what is a relatively securable platform (HTML+CSS) into a nightmare.
It is not, today, possible to be secure and private while allowing JavaScript. That's a problem.
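The two points the thread keeps circling back to (the first comment's NoScript view of how many third-party domains a single page executes script from, and the later exchange about what the same-origin policy actually compares) can be made concrete with a small audit script. This is an added example, not code from any commenter: it parses a constructed HTML page, resolves each `<script src>` to an absolute URL, and sorts it into same-origin or cross-origin by comparing the (scheme, host, port) tuple the same-origin policy uses. The host names in the sample are placeholders, not real deployments; `audit_scripts` and `origin` are names chosen here. Note that a cross-origin script still runs with the page's origin once included, which is exactly why the list of cross-origin sources is the interesting output.

```python
"""List the origins a page would execute <script src> code from.

Added example (not from the thread). Demonstrates, on a constructed page,
the kind of inventory a NoScript-style blocker shows, and the
(scheme, host, port) comparison behind the same-origin policy.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; every host name below is a made-up placeholder.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://d123.cdn-example.net/widget.js"></script>
<script src="//search-vendor.example.com/search.js"></script>
<script src="https://bucket.s3-example.net/vendor.js"></script>
<script>inlineCode();</script>
</head><body></body></html>
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) tuple the same-origin policy compares.

    A missing port is normalised to the scheme default so that
    https://a.example/ and https://a.example:443/ compare as equal.
    """
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


class ScriptCollector(HTMLParser):
    """Collect external script sources and count inline script blocks."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src is None:
            self.inline += 1          # inline code: trusted as part of the page itself
        else:
            self.srcs.append(src)


def audit_scripts(html, page_url):
    """Classify each script source relative to the page's origin.

    Returns {"same_origin": [...], "cross_origin": [...], "inline": n}.
    Relative ("/x.js") and scheme-relative ("//host/x.js") sources are
    resolved against page_url before the origin comparison.
    """
    parser = ScriptCollector()
    parser.feed(html)
    page_origin = origin(page_url)
    report = {"same_origin": [], "cross_origin": [], "inline": parser.inline}
    for src in parser.srcs:
        absolute = urljoin(page_url, src)
        bucket = "same_origin" if origin(absolute) == page_origin else "cross_origin"
        report[bucket].append(absolute)
    return report


if __name__ == "__main__":
    result = audit_scripts(SAMPLE_HTML, "https://news.example.org/item?id=1")
    print("inline scripts:", result["inline"])
    print("same-origin  :", *result["same_origin"], sep="\n  ")
    print("cross-origin :", *result["cross_origin"], sep="\n  ")
```

Run it as-is and the cross-origin list has three entries for a page that, from the address bar, looks like one site; pointing `audit_scripts` at fetched HTML instead of the sample gives the same inventory for a real page. The same-origin policy constrains what a document's script may read from other origins; it does not stop the document from choosing to load and run script from them, which is the gap the comments above are describing.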