[Amigo5862]

> In contrast, JavaScript is a core part of the web and is executed within the browser in a sandboxed environment. This means that JavaScript operates with limited access to the system's resources, reducing the risk of system-level security breaches.

Flash (and probably ActiveX) were also executed in a "sandboxed environment", including "limited access to the system's resources". All 3 have (or well, had, in the case of Flash and ActiveX) regular vulnerabilities - including JavaScript. JavaScript is not any better than Flash or ActiveX and I really don't understand why people pretend it is.

BTW, Flash was definitely a core part of the web in its heyday, too.

ETA: Oh, and Java was also executed in a sandbox (and a virtual machine!) and had plenty of vulnerabilities back when applets were a thing.

At least with Flash, ActiveX, and Java you could choose not to install them and most sites would continue working. For JavaScript you have to install (and trust) some third party extension to block it and then no sites work...

[acdha]

Flash was never a core part of the web. That was the problem: it was loosely bolted onto browsers but the company behind it didn’t understand or care about the web, spent their time inventing random new things for demos trying to get you to build on top of their platform INSTEAD of the web, and was never willing to spend time on support.

> JavaScript is not any better than Flash or ActiveX and I really don't understand why people pretend it is.

Because it is. Both of those were hard to use without crashing the browser - the primary selling point for Chrome originally was that it used process sandboxing and so when Flash crashed you wouldn’t lose every open window - whereas what we’re seeing now are complex attacks requiring considerable investment finding ways to get around the layers of precautions. It’s like saying that there’s no difference between leaving your money under the mattress and putting it in the bank because banks still get robbed.

[cesarb]

> Flash (and probably ActiveX) were also executed in a "sandboxed environment", including "limited access to the system's resources".

IIRC, the main issue with ActiveX was that it did not execute in a sandboxed environment, unlike Flash and Java. With ActiveX, all you had was a cryptographic signature saying it came from a trusted publisher; past that, the full Win32 API was available, with complete access to the operating system.

[Amigo5862]

That wouldn't particularly surprise me. I never used ActiveX, so I can't really speak to that one. But then, there also weren't many (public) websites that I ever ran into that wanted to use it.

[josephg]

> But then, there also weren't many (public) websites that I ever ran into that wanted to use it.

As I understand it there were weird pockets where organisations went hard in to activeX. IIRC it was used heavily by the South Korean government, and a lot of internal corporate intranet projects for all sorts of things.

That obviously caused massive problems a few years later when Microsoft tried to discontinue activex and make IE/Edge a normal web browser.

[technion]

As someone who still has to support users of several ActiveX apps, turning off the "block unsigned ActiveX" setting goes with the territory of using it.