by speedplane 2473 days ago
> I've been getting more aggressive about disabling Javascript by default

What is the opposition to javascript exactly? Is it a privacy matter, you want to block all ad trackers? Do ad blocker plugins not suffice? Or are you concerned about security vulnerabilities with javascript? Or is there something else I'm not getting?

1 comments

It's mostly privacy. It's a very small amount about security. It's a little bit about data-usage and a few other annoyances.

Where privacy is concerned, we're currently losing the war on fingerprinting. I don't think we're going to lose the war on fingerprinting in the long run, but there's just a lot of stuff we need to do with the language and it's going to take a little while before we get to a point where I feel comfortable saying that arbitrary Javascript can't identify my computer. It's just something we ignored for a long time and we have a long ways to go.

UBlock Origin is really good, but privacy is a continuum. So for a non-technical person, I'd install UBlock Origin and call it a day. For someone who's familiar with the web, I'd install UMatrix with the default settings. For someone who's really familiar with the web, and who really wants to be safe, I'd install UMatrix and switch a few default settings (disabling cookies by default and disabling Javascript by default).

Each step there will make you slightly safer, depending on what percentage of malicious code you want to block. Sometimes trackers are served as 1st-party requests.

I don't have any opposition to Javascript in general; there are more than a few native apps that I wish were just web apps, because the web is a better sandbox (and frankly a better platform) than most native environments. It's just a little complicated because we're currently in the middle of a fight over how the web should work.

So it's not an indefinite, "no web-code ever" position. It's "be more careful than usual, because an abnormally high number of bad actors are focused on this platform, and not everything is safe-by-default." Ignoring the debate over site-breakage, the changes here around CSRF should be a decent step in that direction.

On a less practical note, it's also because I can. I really like Javascript, a lot. I also really like separation of concerns, and I think the separation between content and functionality is a really good architecture decision that people should pay attention to. On a purely aesthetic, emotional level I like that I can load a page without executing JS. Heck, occasionally I'll even turn off CSS. There's very little practical reason for that, other than a kind of irrational, "I like that the web lets me do this, most other platforms don't, and it makes me happy to remind myself I can."

But I would guess most people don't fall into that category, that's probably just me being weird.