[manigandham]

That is absolutely not the only reason. Digital ads work entirely different from the TV medium and its more than "a little extra cash".

No single publisher today really has the power to change much, no matter how big they are. The issue likes with adtech (like Google) and advertisers.

[mikeash]

Digital ads could work where every single one is vetted by people before it’s served to any users. There is no reason it can’t work this way, other than it being a lot cheaper to skip that step.

[manigandham]

All creatives (and the root templates of dynamically construted ones) are actually audited on the advertiser-facing platforms before they ever get to the publisher.

Unfortunately running javascript means these ads can do anything at any time and change into malware. Other than adding some technical guardrails, the best practice would be to ban bad actors (of which many are known and usually the same shady people) but many large adtech companies look the other way because it makes money and they have no consequences.

Malware and adfraud is primarily a business problem, not a technical one.

[mikeash]

So, don't allow them to run JavaScript. That's not necessary, just convenient.

[manigandham]

See my other comment for how it all works: https://news.ycombinator.com/item?id=20290673

It's not that simple. There are many layers in the supply chain that currently requires JS. Publishers can't disable the JS and they can't demand JS-free creatives either.

[mikeash]

Of course it’s that simple. Don’t let ads run JS. Done.

You’re saying that doing this would drastically decrease ad revenue. Which is what I’m saying too: it’s about money, not necessity.

Would a site like SO be unable to survive without ads that run arbitrary JS? I don’t know. Even if the answer is that they must do this to survive, it’s still insane that content companies let randos inject arbitrary code into their pages. If this is so entrenched in the industry that there’s no way around it, that just means the industry is insane.

[manigandham]

Money is a necessity, that's how SO exists, and it wouldn't sustain its current size if it required JS-free network campaigns or tried to sell all ad space directly.

Simple doesn't mean it's easy or realistic. Yes, adtech has major problems but they're being slowly worked on and won't change overnight. This applies to any other industry where you think can just walk in and solve everything if everyone just did X. Reality doesn't work that way.

[aerique]

Well, my browser hasn't been running JS for ages and more people are going to do that. If the business isn't going to fix it, users will.

And yes, I'm enjoying my 90's internet and enable JS when it is needed (rarely) for specific domains.

[pushpop]

Yet adverts on porn sites do operate as per our wish list:

* adverts are vetted by a human

* adverts are not allowed to inject JavaScript.

There have been a few interesting blog posts from businesses outside of the adult entertainment industry where they discuss just how work is involved in getting an advert approved on adult sites.

It’s a sad state of affairs when an adblocker is less required on porn sites than it is on Stack Overflow.

[manigandham]

All major ad networks audit every single creative. The problem is javascript can change at anytime, and the publisher is the most exposed and also the most removed to be able to discover and mitigate. There have been some movements to whitelist the JS providers but volume is incentivized so most networks look the other way for now.

Adult ads are definitely not better and are served by even looser networks that allow anything. That industry has pioneered things like popunders, clickjacking, and monetizing every possible action on a window while serving as the primary vector for malware and browser bitcoin mining. I'm not sure what blog posts you've read but the only strict standards they would have is on getting paid.

[pushpop]

Like everything, it depends on the sites in question. Disreputable adult sites aren’t going to be any better nor worse than disreputable sites of any other content. However adult sites run as a reputable business - of which there are many - most certainly do follow the points I described earlier.

What you’re effectively doing is looking at Source Forge and then arguing that Github, Gitlab and Bitbucket are all probably just as bad.