onp...@riseup.net wrote:
I don't think any client-side use of JavaScript code for Web pages is
currently acceptable due to the way browsers behave. I wrote about that here:
https://onpon4.github.io/other/kill-js/
I'm convinced of the same points -- there is no practical means to leverage
the freedoms of free software for browser-based Javascript (JS) in any
browser, not even free software browsers right now.
I react by not running any JS and avoiding websites that require JS
whenever possible.
This limits what I can do on the web, to be sure, but it also means the
latest insecurities, monitoring systems, and other malware delivered via
websites are less likely to affect my system.
If one is designing a website it's very important that the site:
- host resources (fonts, graphics, movies, documents, etc.) locally, not
refer to resources on other sites whenever possible.
- host everything behind https, and redirect http to the same request via
https.
- use form submission to accept input and HTML+CSS to do markup and style
(CSS, as far as I know, isn't capable of executing anything client-side, so
it's safer to do animations and other stylistic changes in CSS instead of JS).
I'm all for running a browser in a restricted environment so no browser
code can eat up too much CPU time, memory, can't read/write anything
(including browser-maintained state) outside a specific directory I set up
so I can control what the JS has access to. But that's not easy to set up
and that's not the default setup for most OSes.
Such a setup is not what ordinary users using default configurations with
free software browsers get. Right now this is pretty leading-edge stuff
being done with some OSes (perhaps Joanna Rutkowska's Qubes OS, which I
understand to be a GNU/Linux system, can do this?). There is much to be
done addressing real-world problems with this approach, but this approach
has some promising results.
