by jefftk 2066 days ago
Unless you have very few libraries and always force everyone to the latest version, it's still quite practical to abuse this for tracking. For example, there are sites running Dojo on at least 86 versions [1], all of which are pretty uncommon. If one site causes you to load one of these versions, and another site checks which one you have in cache, that's >6 bits of information. Combine this with all the other libraries and versions, and you can easily get enough bits to uniquely identify someone. It's even worse if one site can load multiple versions of the same library: that turns 86 versions into 86 bits.

[1] 1.13.0, 1.12.3, 1.12.2, 1.12.1, 1.11.5, 1.11.4, 1.11.3, 1.11.2, 1.11.1, 1.10.9, 1.10.8, 1.10.7, 1.10.6, 1.10.5, 1.10.4, 1.10.3, 1.10.2, 1.10.1, 1.10.0, 1.9.11, 1.9.10, 1.9.9, 1.9.8, 1.9.7, 1.9.6, 1.9.5, 1.9.4, 1.9.3, 1.9.2, 1.9.1, 1.9.0, 1.8.14, 1.8.13, 1.8.12, 1.8.11, 1.8.10, 1.8.9, 1.8.8, 1.8.7, 1.8.6, 1.8.5, 1.8.4, 1.8.3, 1.8.2, 1.8.1, 1.8.0, 1.7.12, 1.7.11, 1.7.10, 1.7.9, 1.7.8, 1.7.7, 1.7.6, 1.7.5, 1.7.4, 1.7.3, 1.7.2, 1.7.1, 1.7.0, 1.6.5, 1.6.4, 1.6.3, 1.6.2, 1.6.1, 1.6.0, 1.5.6, 1.5.5, 1.5.4, 1.5.3, 1.5.2, 1.5.1, 1.5.0, 1.4.8, 1.4.7, 1.4.6, 1.4.5, 1.4.4, 1.4.3, 1.4.1, 1.4.0, 1.3.2, 1.3.1, 1.3.0, 1.2.3, 1.2.0, 1.1.1
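An added illustration of the argument above (my own code, not from the comment, from Dojo, or from any browser): a toy HTTP cache keyed once by URL alone, as the comment assumes, and once partitioned by top-level site, which is the mitigation browsers later adopted. The CDN URL pattern and the site names a.example / b.example are assumptions; the bit counts follow the comment's reasoning (log2 of the version count when one version can be planted, one bit per version when several can).

```javascript
// Toy model of a browser HTTP cache. With partitioned=false the key is the URL
// alone, so every site shares one cache; with partitioned=true the key also
// includes the top-level site, so site B cannot observe what site A loaded.
class BrowserCache {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Set();
  }
  key(topSite, url) {
    return this.partitioned ? `${topSite}|${url}` : url;
  }
  // A site embeds a resource: we only record that it is now cached.
  load(topSite, url) {
    this.entries.add(this.key(topSite, url));
  }
  // Abstract "was this served from cache?" oracle for the probing site.
  isCached(topSite, url) {
    return this.entries.has(this.key(topSite, url));
  }
}

// Hypothetical CDN layout: one URL per library version (assumption).
function versionUrls(lib, versions) {
  return versions.map((v) => `https://cdn.example/${lib}/${v}/${lib}.js`);
}

// Identifying bits one library contributes, per the comment's reasoning:
// a single planted version reveals log2(N) bits; if a site can plant any
// subset of the N versions, each version is an independent bit.
function bitsFromLibrary(nVersions, multipleVersionsLoadable) {
  return multipleVersionsLoadable ? nVersions : Math.log2(nVersions);
}

// Scenario: a.example plants `planted`; b.example then probes every known
// version URL and returns the ones it can see in its view of the cache.
function crossSiteProbe(partitioned, urls, planted) {
  const cache = new BrowserCache(partitioned);
  for (const u of planted) cache.load("https://a.example", u);
  return urls.filter((u) => cache.isCached("https://b.example", u));
}
```

With a shared cache the probe recovers exactly the planted version; with a partitioned cache it recovers nothing, which is why partitioning removes the cross-site signal without changing how caching works within a single site.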

Yes, besides some ideas about e.g. IPFS + emulating network weather on all accesses (instead of just cached ones), the real annoyance is that there is no sane standardized JS standard library.

If we could, we should make the following best practice:

- Only use React and similar if you write a webapp; do not use such tools for websites. If your website is so complex that you need it, you are doing something wrong.

- Have a JS standard library which provides all the common tooling for the remaining non-webapp JS use case.

- Make it have one version each year (or half year); browsers will preload it when they ship updates and keep the last 10 or so versions around.

- Have a small standardized JS snippet which detects old browsers which are not evergreen (like IE) and loads a polyfill.

Sure, there are some requirements to get there. E.g. making it reasonably easy to have proper complex layouts in a reactive fashion without much JS or insanely complex CSS. (Which we can do by now thanks to CSS grid, yay.)

If you're relying on browser updates, then why not just work on getting whatever JS improvements you want into browsers directly?
- Back & forward compatibility by versioning and shipping multiple versions with the same browser

- Easier prototyping and experimental usage of pre-releases

- Backward compatibility with older browsers on the first few versions at least