[csande17]

> I don't see a world where Javascript vanishes and privacy gets any better.

If JavaScript vanished, it would accomplish one huge win for privacy: it would split the "reading content and submitting forms" part of the Web out from the "powerful applications" part.

It is cool that you can use JavaScript to build a collaborative 3D modeling program. It might even be better for privacy than a native app. But it is less cool that Facebook and every news site you read gets access to the exact same capabilities and attack surface as the 3D modeling program.

And personally, I think ordering pizza would land on the "content and forms" side of the divide.

[kazinator]

Absolutely. What is Javascript? It's andom pages all over the world telling your computer to download code from other random pages all over the world and execute it. Executable data is one of the first no-no-s of security.

A native app collaborative 3D program could be worse for privacy if it were closed source. If it were open source, then no way. For one thing, unlike a Javascripted one, it wouldn't update behind your back. Its code wouldn't be obfuscated, and wouldn't be dynamically pieced together from the four corners of the world.

[danShumway]

I think GP is making a reasonable argument about capabilities, and that's something that we should be pushing harder for both on the web and on native. I also think that's something we are actively looking at on the web, we're just looking at it from a feature/platform perspective instead of at a language level.

On the other hand, I don't think the Open Source argument holds at all. This is pushing for something that just isn't going to happen. Now we need to not only get rid of Javascript, we also need to convince Facebook to Open Source its native app?

I run mostly Open Source native apps, but the only way I can do that is because web-apps take the place of many native apps I would otherwise need to install on my phone or computer.

> For one thing, unlike a Javascripted one, it wouldn't update behind your back.

Most people's phone apps are set to auto-update, and most PC apps have the ability to download and execute additional code on the fly. I like to think I run a pretty tight Linux system, but all of my programs have write permissions to their own personal install directories.

It sounds to me like your problem isn't so much Javascript as it is 3rd-party requests/assets and mutable web-pages. These are also interesting problems to talk about, but they're largely unrelated to Javascript. It would maybe be helpful to see the web move more towards a DAT/IPFS model where webpages could be versioned.

On the Javascript side of things, all of this boils down to the security idea the users should only run code that they trust. Users have broadly rejected that idea -- both on the web and on native platforms like phones. They want the ability to safely run untrusted and semi-trusted code.

We can argue over whether that's a reasonable thing for them to ask, but that's the position we're in. The web is trying to figure out how to let you run untrusted code.