by cesarb 3094 days ago
Given the recently disclosed vulnerabilities, instead of a cryptocurrency miner, it could be a Spectre exploit trying to scan and exfiltrate data from the computer's memory. We might now be at the point where disabling all JavaScript for non-HTTPS pages is a good default.

Why do HTTPS pages get a pass? Between CDNs and ad networks, there's a ton of code out there. At some point, we decided that a magical protective box could make it okay for random people on the internet to run code on our machines. We keep finding this premise to be flawed, with Applets, and with Flash, and now with JavaScript, and we always say "oh, if only we had a better protective box, it would have prevented this specific form of attack". Maybe the premise is flawed. Maybe no box is strong enough. Maybe we should stop running code from websites.

> Maybe we should stop running code from websites.

Which would mean that even something as simple as an up-vote on a comment would require a full page refresh from the server. The lag would probably kill most social media.

You could be on to something there.

> as simple as an up-vote on a comment would require a full page refresh

There are certainly ways to solve this declaratively.

One of them is making all form submits asynchronous, so they do not reload the entire page. Or the server sends back only the bytes that it changes.