A link shouldnt get a pop up but, if running JavaScript had required at least a one-time user approval for each individual script link from the day off it's inception, the web would be a much friendlier place.
Do you really think so? I think in practice, if every website you visited made you click 10-50 pop ups the first time you went to the site, people would start to blindly click without reading, and it would be even easier to slip a malicious pop up request by a user.
While you might want to believe that a user would actually think about what they are accepting, reality is almost all don't. Even the more security minded people among us will start to get numb to the requests. Only the most paranoid would pay attention to all of them, and those people are probably already doing things that would make that sort of pop up redundant.
I think this is a very common trap we fall into, where we want to provide MORE warnings to people and let them use their judgement. However, there is such a thing as 'alert fatigue'.
In California, companies that produce carcinogens took advantage of this aspect of human nature; when California wanted to place warning signs about cancer causing substances, they realized they couldn't win the fight against the warnings. Instead, they fought for MORE warnings; they wanted warning signs for even very slight risk carcinogens. They knew that if the signs were EVERYWHERE, people would stop paying attention to them.
It worked. Basically every building in California has a warning that 'substances known to cause cancer or birth defects are present'. Since every building has the same warning, I have no way of knowing which ones are ACTUALLY dangerous.
No, I don't expect most users would care. Most users wouldn't care if sites could execute native code as root on their machine. I think, if there was a prompt, content providers that cared, even a little bit, about presentation would think real hard before introduction that prompt. The way it works now, providers very rarely think twice about adding it. And I think ad networks, trackers and all the other useless, JS based, user hostile tools of the web, would have a much harder time convincing site owners to drop in a snippet of JS when there were actual consequences for doing so.
However, I don't believe for a second, without some kind of law, punishable by death, a requirement like that would have lasted. It would take only one browser to default "Never prompt for permissions to run JavaScript". Typical users would flock to it (because sites would say they only work with it) and compliant browsers would have to copy to compete. Users ruin everything.
While you might want to believe that a user would actually think about what they are accepting, reality is almost all don't. Even the more security minded people among us will start to get numb to the requests. Only the most paranoid would pay attention to all of them, and those people are probably already doing things that would make that sort of pop up redundant.
I think this is a very common trap we fall into, where we want to provide MORE warnings to people and let them use their judgement. However, there is such a thing as 'alert fatigue'.
In California, companies that produce carcinogens took advantage of this aspect of human nature; when California wanted to place warning signs about cancer causing substances, they realized they couldn't win the fight against the warnings. Instead, they fought for MORE warnings; they wanted warning signs for even very slight risk carcinogens. They knew that if the signs were EVERYWHERE, people would stop paying attention to them.
It worked. Basically every building in California has a warning that 'substances known to cause cancer or birth defects are present'. Since every building has the same warning, I have no way of knowing which ones are ACTUALLY dangerous.