Hacker News new | past | comments | ask | show | jobs | submit login

> run arbitrary code on their machine

That's a bit of an exaggeration. JavaScript is strongly sandboxed and has a pretty good permissions system. The only malicious things it can really do are 1) based on cookies or 2) crypto mining.

Personally I think it's unreasonable to expect today's sites to work without JavaScript completely. The real benefits of using it sparingly are:

- Pages load faster

- Pages are more responsive

- Applications are less stateful and call out to systems that have a larger number of eyes on them, making them less fragile and lowering maintenance complexity

Minimalism is a virtue in any programming context

> The only malicious things

And a crappy end user experience. Why do I need to execute code just to read a static, read-only text article?

3) Fingerprinting and tracking in general are heavily javascript-focused. Less common in practice (I assume), but still possible, are 4) Rowhammer or Spectre/Meltdown style attacks that break out of the permission system. Finally, there's general trickery, manipulation, and malware, like trying to embed a frame from Facebook and steal user credentials or so on (I'm fuzzy on these sorts of attacks, not an expert).

3) Right - and I guess "fingerprinting" goes slightly beyond cookies - but when people say "execute arbitrary code" they typically imply something has free-reign, which JavaScript generally doesn't.

4) True, although it's my understanding that the exploits are hard to implement, doubly-so from an abstracted layer like JavaScript.

> trickery, manipulation...like trying to embed a frame from Facebook and steal user credentials or so on

This falls under "cookies-based", and I'm pretty sure no JavaScript is necessary for these kinds of attacks.

Good point on 3. I guess the main point is browsers at least disallow reading and writing arbitrary files directly.

Before javascript took over tracking the 1x1 white pixel ruled the land. No javascript needed there.

The microarchitectural side-channel attacks that have received a lot of attention lately really challenge the idea of a "sandbox".

Also the poster said that webpages shouldn't be blank without having, not that they should be fully functional. I think it's reasonable to expect some function without javascript.

> JavaScript is strongly sandboxed and has a pretty good permissions system

We now live in a post-Spectre world. I don't think a sandbox means all it meant in 2017.

Can you point to a single real-world example of Spectre being used in a browser attack?

I am split: web pages can be enhanced with JS, but webpage mostly shouldn't need them (exception: some data visualization does benefit from being able to dynamically change values).

Web apps on the other hand, probably do need them. I use newsblur and definitely enjoy the shortcuts.

About the only time JavaScript is useful is something like google docs. The rest is just fluff and there’s no reason a webpage should require it.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact