by Chris2048 3053 days ago
> packaging the Turing completeness into different forms only moves the problem around

The solution I proposed doesn't require TC, except in code that needs explicit permission to run.

> reduce the attack surface back to something that is decidable

You don't need decidability, just trust. A function checked manually and signed by a reputable source is enough. Are internet browsers formally checked? The only aspect that needs to be decidable is composition of signed functions, not the functions themselves, as safety is represented by the signature.

Building functionality into HTML might be similar, except I'd assume it would be more bogged down by consortia. Add the ability to sign JS functions and verify their composition, and you can decide whose signatures to trust.

> Server-side apps worked fine before Javascript existed

Sure, but did they scale as well?

> That only re-creates the current situation on phones where apps ask for everything and refuse to run if you don't grant them permission

Maybe, it depends how you design it. I think that should change too. But those environments are currently restricted in ways the internet is not.

I'm also far happier for a website to indicate to me that they aren't worth my time by this kind of access refusal. Same thing happening with pay-walled news sites - I'll happily blacklist them.
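The signed-function idea in the comment above can be sketched as follows. This is an added example, not part of the original comment and not an existing browser API; every name in it (`signFunction`, `isTrusted`, `verifyComposition`, `composeIfTrusted`, the reviewer keys and the sample functions) is hypothetical and constructed for illustration. The composition check only verifies signatures against a user-chosen trust store and never analyses the function bodies.

```javascript
const crypto = require("node:crypto");

// Constructed signers: two hypothetical reviewers, each with an Ed25519 key pair.
const reviewerA = crypto.generateKeyPairSync("ed25519");
const reviewerB = crypto.generateKeyPairSync("ed25519");

// A signed function is its source text plus a detached signature over that text.
function signFunction(source, signer, privateKey) {
  const signature = crypto.sign(null, Buffer.from(source, "utf8"), privateKey);
  return { source, signer, signature };
}

// trustStore maps signer name -> public key; the user decides what goes in it.
function isTrusted(fn, trustStore) {
  const publicKey = trustStore.get(fn.signer);
  if (!publicKey) return false; // signer not trusted by this user
  return crypto.verify(null, Buffer.from(fn.source, "utf8"), publicKey, fn.signature);
}

// Decidable part: one signature check per function, so it always terminates.
function verifyComposition(pipeline, trustStore) {
  const rejected = pipeline.filter((fn) => !isTrusted(fn, trustStore)).map((fn) => fn.signer);
  return { allowed: rejected.length === 0, rejected };
}

// Build the composed function only when every part carries a trusted signature.
function composeIfTrusted(pipeline, trustStore) {
  const verdict = verifyComposition(pipeline, trustStore);
  if (!verdict.allowed) {
    throw new Error("untrusted function(s) signed by: " + verdict.rejected.join(", "));
  }
  const fns = pipeline.map((fn) => new Function("return (" + fn.source + ")")());
  return (input) => fns.reduce((acc, f) => f(acc), input);
}

// Constructed sample functions, each reviewed and signed by a different signer.
const trim = signFunction("s => s.trim()", "reviewerA", reviewerA.privateKey);
const upper = signFunction("s => s.toUpperCase()", "reviewerB", reviewerB.privateKey);
// Same signature, source edited after signing: verification must fail.
const tampered = { ...trim, source: "s => s + '!'" };

const trustBoth = new Map([["reviewerA", reviewerA.publicKey], ["reviewerB", reviewerB.publicKey]]);
const trustOnlyA = new Map([["reviewerA", reviewerA.publicKey]]);
```

A pipeline is rejected both when one of its signers is missing from the trust store and when a function's source no longer matches its signature.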