That's a bit of an exaggeration. JavaScript is strongly sandboxed and has a pretty good permissions system. The only malicious things it can really do are 1) based on cookies or 2) crypto mining.
Personally I think it's unreasonable to expect today's sites to work without JavaScript completely. The real benefits of using it sparingly are:
- Pages load faster
- Pages are more responsive
- Applications are less stateful and call out to systems that have a larger number of eyes on them, making them less fragile and lowering maintenance complexity
3) Fingerprinting and tracking in general are heavily JavaScript-focused. Less common in practice (I assume), but still possible, are 4) Rowhammer or Spectre/Meltdown style attacks that break out of the permission system. Finally, there's general trickery, manipulation, and malware, like trying to embed a frame from Facebook and steal user credentials or so on (I'm fuzzy on these sorts of attacks, not an expert).
3) Right - and I guess "fingerprinting" goes slightly beyond cookies - but when people say "execute arbitrary code" they typically imply something has free rein, which JavaScript generally doesn't.
4) True, although it's my understanding that the exploits are hard to implement, doubly so from an abstracted layer like JavaScript.
> trickery, manipulation...like trying to embed a frame from Facebook and steal user credentials or so on
This falls under "cookies-based", and I'm pretty sure no JavaScript is necessary for these kinds of attacks.
The microarchitectural side-channel attacks that have received a lot of attention lately really challenge the idea of a "sandbox".
Also, the poster said that webpages shouldn't be blank without having, not that they should be fully functional. I think it's reasonable to expect some function without JavaScript.
I am split: web pages can be enhanced with JS, but webpages mostly shouldn't need it (exception: some data visualization does benefit from being able to dynamically change values).
Web apps, on the other hand, probably do need it. I use NewsBlur and definitely enjoy the shortcuts.
Minimalism is a virtue in any programming context