DEV Community

Discussion on: I have been banned from Lobste.rs, ask me anything.

Kasey Speakman

The issue you point out is totally valid. However, I would tend to agree that it is not a bug. It feels a lot more like a needed security feature to put on the backlog to implement. Software development is iterative after all, and with JS's initial release the world just settled for "getting it working". Then later it has gone back to address various security issues that adding more features has created.

I believe the reason you come off as antagonistic is because you are passionate about a very real danger. But you seem to be missing the fact that most everyone (devs, users, everybody) is already aware of the current security problems, and that we generally accept the tradeoffs for now. Browsing the web has been risky for quite a while. Visiting an unknown site that no one has recommended to you is at your own peril. You can easily get viruses, malware, or hacked by doing so. Sites that are actually concerned about security can implement things in such a way to ensure better security. But ultimately the user has the only real choice in the matter.

So the feature request for browsers might be to grade site security based on the employed security features and vulnerabilities, and warn the user when the grade is below a certain threshold. Similar to the TLS warnings. But this kind of feature has a consequence that the barrier to entry in building websites just got a lot higher. Not to mention being pretty hard to implement checks across disparate and unstandardized features which provide a fair grade. But I would love the fact that injected ads would probably bring a low score. :)

So anyway, my perspective is that things have to work this way necessarily to work at all for now. And it certainly has benefits... the good as well as the bad have a lower barrier to make web apps. (The barrier is already pretty high nowadays.) Frankly, it will likely take major incidents to catalyze support, standardization, and streamlining of security procedures such that sites could be accurately graded quickly enough to not disrupt the browsing experience. But I say keep fighting the fight to improve the situation. It's worth doing.

Giacomo Tesio • Edited

Thanks for sharing your opinion, but I think we disagree at a very basic level, pretty well summarized by this sentence:

> But you seem to be missing the fact that most everyone (devs, users, everybody) is already aware of the current security problems, and that we generally accept the tradeoffs for now.

I do not think people are aware that any site they visit could send them (but only to them, not to everybody) malicious JavaScript that can enter their private networks, probe and access the services available there.

Nor are they aware that any web site they visit could learn their political or sexual interests by timing the load time of specific third party pages or images (a trivial timing attack on the browser cache) and then blackmail them to extort money (or worse, just disclose them to hurt their reputation).

Moreover, I do not think that any Government or company is aware of or would accept these sorts of risks. A single naive employee using WIFI to read an article like this could open a breach.

Not to mention the fact that any CDN could do the same through third party sites.

I do not think people understand or accept all this.

On the other hand, most people would understand a simple browser that asks them to enable JavaScript execution on a per website basis, as they did years ago while enabling Flash or Java applets.

Opt-in JavaScript might hurt some business models that rely on the blind execution of code on your PC, but it would not change the usability of the web too much.

It would not break the Web, it would fix it.

Kasey Speakman

Yes, I think the risks you mention are generally known or at least very unsurprising. But where we really disagree is in how close to reality those risks are. If someone wanted to target me personally and "ruin" my life, they probably could, sure. Even if they didn't use the tools you described, a determined attacker could do so in many other ways. But it makes no sense to live life in fear of conspiracies against single persons. Most (internet) attackers aren't doing that because it does not pay to do so. They want to cast a wide net to snare as many as possible before getting shut down. And if an attacker is targeting a specific person, then the reasons are probably localized to that situation. These are edge cases, not pandemic problems which are worth breaking the web until a rewrite can happen.

Asking users to enable Javascript on a site by site basis will not really solve any problem. Just like EULAs or EU cookie law notices, people will just click it without thought and be annoyed they had to do so.

I think it is clear that we are not going to agree. So, the last word is yours if you want to respond further.

Giacomo Tesio • Edited

> Yes, I think the risks you mention are generally known or at least very unsurprising.

Unsurprising to developers. But the world is large, there are many sensibilities, cultures, issues... trust me: for many many people, these are actual threats.

> And if an attacker is targeting a specific person, then the reasons are probably localized to that situation.

Sure. Still there are many "localized attacks" that most companies would like to avoid.

> These are edge cases, not pandemic problems which are worth breaking the web until a rewrite can happen.

In many places around the world, all people who make Free Speech something useful are "edge cases".

> Asking users to enable Javascript on a site by site basis will not really solve any problem. Just like EULAs or EU cookie law notices, people will just click it without thought and be annoyed they had to do so.

Many users would execute every JavaScript they can reach anyway.

But trust me, banks' systems will have a strong policy about what you can or cannot execute.

Also, do not forget that it's not just a matter of making JS opt-in.

It would not be enough. It also needs to be safer.

> I think it is clear that we are not going to agree.

We do not need to. History will judge, with time... ;-)