[manigandham]

All creatives (and the root templates of dynamically construted ones) are actually audited on the advertiser-facing platforms before they ever get to the publisher.

Unfortunately running javascript means these ads can do anything at any time and change into malware. Other than adding some technical guardrails, the best practice would be to ban bad actors (of which many are known and usually the same shady people) but many large adtech companies look the other way because it makes money and they have no consequences.

Malware and adfraud is primarily a business problem, not a technical one.

[mikeash]

So, don't allow them to run JavaScript. That's not necessary, just convenient.

[manigandham]

See my other comment for how it all works: https://news.ycombinator.com/item?id=20290673

It's not that simple. There are many layers in the supply chain that currently requires JS. Publishers can't disable the JS and they can't demand JS-free creatives either.

[mikeash]

Of course it’s that simple. Don’t let ads run JS. Done.

You’re saying that doing this would drastically decrease ad revenue. Which is what I’m saying too: it’s about money, not necessity.

Would a site like SO be unable to survive without ads that run arbitrary JS? I don’t know. Even if the answer is that they must do this to survive, it’s still insane that content companies let randos inject arbitrary code into their pages. If this is so entrenched in the industry that there’s no way around it, that just means the industry is insane.

[manigandham]

Money is a necessity, that's how SO exists, and it wouldn't sustain its current size if it required JS-free network campaigns or tried to sell all ad space directly.

Simple doesn't mean it's easy or realistic. Yes, adtech has major problems but they're being slowly worked on and won't change overnight. This applies to any other industry where you think can just walk in and solve everything if everyone just did X. Reality doesn't work that way.

[mikeash]

We know that advertising can work and make money without arbitrary JS. When there’s a clear existence proof, is it really wrong to say that a problem could be solved by not doing the problematic behavior?

Of course reality doesn’t work that way. Ad companies aren’t going to change, because they like money and don’t give a shit about users.

We’re stuck in a local minimum. It’s insane. It could be easily fixed if everyone just stopped doing the insane things. And they won’t stop.

[scarface74]

Maybe the business model of ExpertsExchange where they charged money wasn’t such a bad idea....

[manigandham]

The fact that everyone uses StackOverflow and nobody uses ExpertsExchange seems to say otherwise.

[aerique]

Well, my browser hasn't been running JS for ages and more people are going to do that. If the business isn't going to fix it, users will.

And yes, I'm enjoying my 90's internet and enable JS when it is needed (rarely) for specific domains.