JavaScript: Difference between revisions
m swap OJSF & ECMA, again, because this is JS not ES
(4 intermediate revisions by the same user not shown)
| Line 5: | Line 5: | ||
|InProduction=Yes | |InProduction=Yes | ||
|Category=Software | |Category=Software | ||
|Website=https:// | |Website=https://openjsf.org/,https://tc39.es/ecma262/multipage/ | ||
|Description=A high-level programming language that's also the "lingua franca of the web" | |Description=A high-level programming language that's also the "lingua franca of the web" | ||
|Logo=JavaScript-logo.png}} | |Logo=JavaScript-logo.png}} | ||
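Review bot: the new `Website=` value in the `Line 5` hunk joins two URLs with a bare comma (`https://openjsf.org/,https://tc39.es/ecma262/multipage/`); unless the infobox template documents a comma-separated list for this field, verify how it renders, because a template that treats the value as one URL will emit a single broken link, in which case keep only the OpenJS Foundation site here. The edit summary's own distinction ("this is JS not ES") also argues for moving the ECMA-262 link out of the infobox and into the body, where the text already discusses ES and tc39, so the language specification is not presented as the language's website.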
| Line 18: | Line 18: | ||
*'''Lack of transparency''': To optimize network bandwidth, JS code is typically served in [[wikipedia:Minification_(programming)|minified]] form, which makes it harder to understand for humans. This is particularly problematic if the original source is not publicly [[wikipedia:Source-available_software|available]], which is typically the case of [[wikipedia:Proprietary_software|proprietary software]]. | *'''Lack of transparency''': To optimize network bandwidth, JS code is typically served in [[wikipedia:Minification_(programming)|minified]] form, which makes it harder to understand for humans. This is particularly problematic if the original source is not publicly [[wikipedia:Source-available_software|available]], which is typically the case of [[wikipedia:Proprietary_software|proprietary software]]. | ||
*'''Excessive tracking''': JS is much more capable than HTML and CSS<!-- See "CSS Exfil": https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense/ --> '''combined''' to track user behavior.<ref>https://clickclickclick.click/</ref> JS can communicate with almost any server (only limited by [[wikipedia:Cross-origin_resource_sharing|CORS]]) at any time (limited by connection availability), using a plethora of protocols. JS can get hardware information and compute a [[Device fingerprint|fingerprint of the device]], user, or both.<ref>https://privacycheck.sec.lrz.de/</ref><ref>https://abrahamjuliot.github.io/creepjs</ref><ref>https://www.deviceinfo.me/</ref><ref>{{Cite web |title=Learn how identifiable you are on the Internet |url=https://www.amiunique.org/ |access-date=2026-03-19 |website=Am I Unique ?}}</ref> | *'''Excessive tracking''': JS is much more capable than HTML and CSS<!-- See "CSS Exfil": https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense/ --> '''combined''' to track user behavior.<ref>https://clickclickclick.click/</ref> JS can communicate with almost any server (only limited by [[wikipedia:Cross-origin_resource_sharing|CORS]]) at any time (limited by connection availability), using a plethora of protocols. JS can get hardware information and compute a [[Device fingerprint|fingerprint of the device]], user, or both.<ref>https://privacycheck.sec.lrz.de/</ref><ref>https://abrahamjuliot.github.io/creepjs</ref><ref>https://www.deviceinfo.me/</ref><ref>{{Cite web |title=Learn how identifiable you are on the Internet |url=https://www.amiunique.org/ |access-date=2026-03-19 |website=Am I Unique ?}}</ref> | ||
*'''Market control''': JS is built into almost every web-browser and [[wikipedia:User_agent|user-agent]] (UA), including "light-weight" ones (such as [[wikipedia:W3m|w3m]]), incentivizing companies to use it for everything, since "there's no need to worry about compatibility or portability".<ref>{{Cite web |title=Everyone has JavaScript, right? |url=https://www.kryogenix.org/code/browser/everyonehasjs |url-status=live |archive-url=https://web.archive.org/web/20260316024516/https://www.kryogenix.org/code/browser/everyonehasjs.html |archive-date=2026-03-16 |access-date=2026-03-19 |website=Kryogenix Consulting}}</ref><!-- We need another citation here. The current one is relevant, but doesn't cite anyone who assumes JS is portable. Ideally, it should cite an entity using that quote as an excuse to add JS everywhere --> John Gruber says that JS shouldn't | *'''Market control''': JS is built into almost every web-browser and [[wikipedia:User_agent|user-agent]] (UA), including "light-weight" ones (such as [[wikipedia:W3m|w3m]]), incentivizing companies to use it for everything, since "there's no need to worry about compatibility or portability".<ref>{{Cite web |title=Everyone has JavaScript, right? |url=https://www.kryogenix.org/code/browser/everyonehasjs |url-status=live |archive-url=https://web.archive.org/web/20260316024516/https://www.kryogenix.org/code/browser/everyonehasjs.html |archive-date=2026-03-16 |access-date=2026-03-19 |website=Kryogenix Consulting}}</ref><!-- We need another citation here. The current one is relevant, but doesn't cite anyone who assumes JS is portable. 
Ideally, it should cite an entity using that quote as an excuse to add JS everywhere --> John Gruber says that JS shouldn't be part of browsers;<ref>{{Cite web |last=Gruber |first=John |date=2017-06-22 |title=Gizmodo Investigation Exposes Websites Collecting Form Data Before You Hit 'Submit' |url=https://daringfireball.net/linked/2017/06/22/navistone-form-data |url-status=live |archive-url=https://web.archive.org/web/20260319180650/https://daringfireball.net/linked/2017/06/22/navistone-form-data |archive-date=2026-03-19 |access-date=2026-03-20 |website=Daring Fireball}}</ref><ref>{{Cite web |last=Gruber |first=John |date=2017-06-27 |title=Using Today's Web Without JavaScript |url=https://daringfireball.net/linked/2017/06/27/web-without-javascript |url-status=live |archive-url=https://web.archive.org/web/20260319180612/https://daringfireball.net/linked/2017/06/27/web-without-javascript |archive-date=2026-03-19 |access-date=2026-03-20 |website=Daring Fireball}}</ref> one way that would work is by turning JS into an [[wikipedia:Browser_extension|extension]] or [[wikipedia:Plug-in_(computing)|plug-in]] that the user willingly installs.<!-- This proposal is just to sugarcoat John's bold/"based" opinion, without putting words in his mouth. I'm not sure how else to reword this --> | ||
*'''Security risks''': It is well-known that JS is poorly-designed,<ref>https://github.com/denysdovhan/wtfjs</ref><ref>https://github.com/brianleroux/wtfjs</ref><ref>https://wiki.theory.org/YourLanguageSucks#JavaScript_sucks_because</ref><ref>https://github.com/Rudxain/ideas/blob/aa9a80252a4b7c9c51f32eda5c716e96220ed96e/software/evar/with_bf.js</ref> even [[wikipedia:Ecma_International|tc39]] acknowledges that{{Citation needed}}<!-- They do improve (and complicate) it every year, but the fact that `eval` isn't deprecated implies they don't care that much about improving the language -->. This leads to programmers and even experienced software-devs to accidentally add vulnerabilities to their code. That, and the fact that ES is [[wikipedia:Turing_completeness|Turing-complete]]<!-- Not typo. ECMAScript alone is TC. No need for extensions --> (both [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical in practice and in theory]), makes [[wikipedia:Debugging|debugging]] and [[wikipedia:Reverse_engineering|reverse-engineering]] impractical in big code-bases. It's worth noting that tooling, such as [[wikipedia:TypeScript|TypeScript]] and [[wikipedia:ESLint|ESLint]], exist to substantially minimize the likelihood of [[wikipedia:Software_bug|bugs]]. | *'''Security risks''': It is well-known that JS is poorly-designed,<ref>https://github.com/denysdovhan/wtfjs</ref><ref>https://github.com/brianleroux/wtfjs</ref><ref>https://wiki.theory.org/YourLanguageSucks#JavaScript_sucks_because</ref><ref>https://github.com/Rudxain/ideas/blob/aa9a80252a4b7c9c51f32eda5c716e96220ed96e/software/evar/with_bf.js</ref> even [[wikipedia:Ecma_International|tc39]] acknowledges that{{Citation needed}}<!-- They do improve (and complicate) it every year, but the fact that `eval` isn't deprecated implies they don't care that much about improving the language -->. 
This leads to programmers and even experienced software-devs to accidentally add vulnerabilities to their code. That, and the fact that ES is [[wikipedia:Turing_completeness|Turing-complete]]<!-- Not typo. ECMAScript alone is TC. No need for extensions --> (both [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical in practice and in theory]), makes [[wikipedia:Debugging|debugging]] and [[wikipedia:Reverse_engineering|reverse-engineering]] impractical in big code-bases. It's worth noting that tooling, such as [[wikipedia:TypeScript|TypeScript]] and [[wikipedia:ESLint|ESLint]], exist to substantially minimize the likelihood of [[wikipedia:Software_bug|bugs]]. | ||
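Review bot: the line break this revision inserts in the `Security risks` item (after `-->.`, before `This leads to programmers`) falls outside the HTML comment, and a wikitext `*` item ends at the newline, so everything from `This leads to programmers` to the end of the bullet will render as a separate paragraph under the list instead of as part of the item; rejoin it onto one line (or continue with `<br>` inside the item). The break inside the `Market control` comment (between `portable.` and `Ideally`) is harmless, since the preprocessor strips the whole comment, newline included. On content: in the `Excessive tracking` item, `only limited by CORS` says the opposite of what holds for tracking, because CORS only gates whether a script may read a cross-origin response; image loads, form posts, `fetch` with `mode: 'no-cors'` and `navigator.sendBeacon` still deliver data to any origin, which is all a tracker needs. In the `Security risks` item, Turing-completeness is not what makes debugging or reverse-engineering impractical (every general-purpose language is Turing-complete, and it only gives undecidability results about programs in general, such as halting); the practical obstacle is size plus minification, which the `Lack of transparency` item already covers, so either cite the linked post for the general undecidability point or cut the clause.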
| Line 39: | Line 39: | ||
Expanding on the security risks, these are the most common vulnerabilities found in JS code: | Expanding on the security risks, these are the most common vulnerabilities found in JS code: | ||
*[[wikipedia:Cross-site_scripting|XSS]], which [[wikipedia:NoScript|NoScript]] tries to mitigate | *[[wikipedia:Cross-site_scripting|XSS]], which [[wikipedia:NoScript|NoScript]] tries to mitigate | ||
*[[wikipedia:Arbitrary_code_execution|Arbitrary code execution]] and [[wikipedia:Code_injection|code injection]]. Typically caused by <code>[https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval eval]</code> (part of | *[[wikipedia:Arbitrary_code_execution|Arbitrary code execution]] and [[wikipedia:Code_injection|code injection]]. Typically caused by <code>[https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval eval]</code> (part of ES), but there are Web APIs (such as <code>[https://developer.mozilla.org/en-US/docs/Web/API/Window/setTimeout setTimeout]</code> and <code>[https://developer.mozilla.org/en-US/docs/Web/API/Window/setInterval setInterval]</code>) that can be misused as well. | ||
*Remote code execution. This is used by hackers and crackers to build [[wikipedia:Botnet|bot-nets]] for [[wikipedia:Ddos#Distributed_DoS|DDoS]] or [[wikipedia:Cryptocurrency|crypto]]-mining, but it's mostly used for spyware since it can hide more easily. | *Remote code execution. This is used by hackers and crackers to build [[wikipedia:Botnet|bot-nets]] for [[wikipedia:Ddos#Distributed_DoS|DDoS]] or [[wikipedia:Cryptocurrency|crypto]]-mining, but it's mostly used for spyware since it can hide more easily. | ||
Browser-engine developers (such as [[Google]] and [[Mozilla]]) not only feel compelled, but are financially incentivized to optimize JS to its limits. This leads to complex code-bases that are harder to verify for correctness. Browser vendors mitigate this via [[wikipedia:Sandbox_(computer_security)|sandboxing]]. Unfortunately, since modern browsers compile JS to native CPU code (see [[wikipedia:Just-in-time_compilation|JIT]]) to improve performance, this introduces a higher risk of sandbox-escape.<ref>{{Cite web |last=Norman |first=Johnathan |date=2021-08-04 |title=Super Duper Secure Mode |url=https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/ |url-status=live |archive-url=https://web.archive.org/web/20260218110912/https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode |archive-date=2026-02-18 |access-date=2026-03-19 |website=Microsoft Browser Vulnerability Research}}</ref> | Browser-engine developers (such as [[Google]] and [[Mozilla]]) not only feel compelled, but are financially incentivized to optimize JS to its limits. This leads to complex code-bases that are harder to verify for correctness. Browser vendors mitigate this via [[wikipedia:Sandbox_(computer_security)|sandboxing]]. Unfortunately, since modern browsers compile JS to native CPU code (see [[wikipedia:Just-in-time_compilation|JIT]]) to improve performance, this introduces a higher risk of sandbox-escape.<ref>{{Cite web |last=Norman |first=Johnathan |date=2021-08-04 |title=Super Duper Secure Mode |url=https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/ |url-status=live |archive-url=https://web.archive.org/web/20260218110912/https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode |archive-date=2026-02-18 |access-date=2026-03-19 |website=Microsoft Browser Vulnerability Research}}</ref> | ||
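Review bot: `(part of ES)` in the code-injection item is correct, but the same clause should also name the `Function` constructor (`new Function(src)`), which is likewise ECMAScript and compiles a string to code exactly as `eval` does, and it should state that `setTimeout`/`setInterval` are only injection sinks when handed a string rather than a function, since that is the form a reader has to recognise. The `Remote code execution` item conflates two different things: cryptojacking and browser-based DDoS run as ordinary page JavaScript inside the sandbox and need no exploit at all, whereas executing code on the user's machine requires the engine or sandbox bug the following paragraph discusses; split or rename the item, and add a citation, as it is the only unsourced claim in this list. In that paragraph, a JIT bug yields attacker-controlled native code inside the already-sandboxed renderer process, and escaping the sandbox is a separate step needing a further bug, so `introduces a higher risk of sandbox-escape` should say `of code execution inside the renderer`, with escape mentioned as the next step. Finally, the XSS bullet names only a client-side extension as mitigation; Content Security Policy and output encoding are the controls a site owner actually has, and belong next to NoScript.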
| Line 59: | Line 59: | ||
*[[X Corp|Twitter]]. It also used to work without it, but some time after being bought by [[Elon Musk]], it became mandatory.{{Citation needed}} | *[[X Corp|Twitter]]. It also used to work without it, but some time after being bought by [[Elon Musk]], it became mandatory.{{Citation needed}} | ||
*[[wikipedia:Bluesky|Bluesky]]: | *[[wikipedia:Bluesky|Bluesky]]: | ||
**The web app (<code>bsky.app</code>) shows this message if JS is disabled<blockquote>This is a heavily interactive web application, and JavaScript is required. Simple HTML interfaces are possible, but that is not what this is.</blockquote>which is questionable | **The web app (<code>bsky.app</code>) shows this message if JS is disabled<blockquote>This is a heavily interactive web application, and JavaScript is required. Simple HTML interfaces are possible, but that is not what this is.</blockquote>which is questionable | ||
**Its legal docs ([https://bsky.social/about/support/tos ToS], [https://bsky.social/about/support/privacy-policy PP], [https://bsky.social/about/support/community-guidelines CG]) need JS to be viewed by humans, however this seems more of an oversight than deliberate | **Its legal docs ([https://bsky.social/about/support/tos ToS], [https://bsky.social/about/support/privacy-policy PP], [https://bsky.social/about/support/community-guidelines CG]) need JS to be viewed by humans, however this seems more of an oversight than deliberate | ||
*[[Discord]]. While its instant-messaging functionality legitimately requires JS, they refuse to let the user change their account settings (including security and privacy ones) unless JS is enabled. | *[[Discord]]. While its instant-messaging functionality legitimately requires JS, they refuse to let the user change their account settings (including security and privacy ones) unless JS is enabled. | ||
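Review bot: in the Bluesky item, `which is questionable` after the closing `</blockquote>` will render as a dangling fragment below the quote, because `<blockquote>` is a block element; move the judgement before the quote (`shows this message, which is questionable, if JS is disabled:`) or fold it into the next sentence. All three "requires JS" claims here (Twitter after the acquisition, the bsky.app banner, the Discord settings page) describe live site behaviour that can change at any time, so each needs an access date and ideally an archive link in the style the page already uses for its other refs; the Twitter one already carries `{{Citation needed}}`, and the Bluesky and Discord ones should not be exempt because they were observed directly.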
| Line 70: | Line 70: | ||
*[https://libredirect.github.io/faq.html LibRedirect explaining why it exists], and how [[Google Chrome]]'s MV3 limits it | *[https://libredirect.github.io/faq.html LibRedirect explaining why it exists], and how [[Google Chrome]]'s MV3 limits it | ||
*Google being anti-competitive towards [[Firefox]]: https://github.com/uBlockOrigin/uBlock-issues/discussions/3240 | *Google being anti-competitive towards [[Firefox]]: https://github.com/uBlockOrigin/uBlock-issues/discussions/3240 | ||
*[https://github.com/iam-py-test/my_filters_001/blob/fc5f61eff0b0d821cb426bea76b18937072bc390/no-js-warnings.txt Websites that nag users to enable JS, even when it provides negligible value] | *[https://github.com/iam-py-test/my_filters_001/blob/fc5f61eff0b0d821cb426bea76b18937072bc390/no-js-warnings.txt Websites that nag users to enable JS, even when it provides negligible value] | ||
*Discord being extremely bloated to the point of crashing when opening Developer-tools: https://github.com/Rudxain/uBO-rules/blob/42220bd4f80052ee15136dff7269df19529c43ec/rx.ubo#L3-L19. This is not the fault of bloated JS, it's likely a bloated DOM-tree, but discord only bloats the DOM when JS is enabled. | *Discord being extremely bloated to the point of crashing when opening Developer-tools: https://github.com/Rudxain/uBO-rules/blob/42220bd4f80052ee15136dff7269df19529c43ec/rx.ubo#L3-L19. This is not the fault of bloated JS, it's likely a bloated DOM-tree, but discord only bloats the DOM when JS is enabled. | ||
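Review bot: the last item undercuts itself: it says the crash `is not the fault of bloated JS` while the list exists to document JS-caused problems, and `likely a bloated DOM-tree` is a guess. Either verify it (the node count is `document.querySelectorAll('*').length` in the console) and state the measured number with a date, or drop the item. The `Google being anti-competitive towards [[Firefox]]` item asserts a conclusion and links a discussion thread; say what concrete behaviour the thread documents so a reader does not have to reconstruct the argument from a GitHub discussion.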