
Disabling Javascript for privacy reasons is like blowing off your leg to prevent tennis elbow: it's overkill, and it's rather ineffective at best.



It's ineffective in the sense that it doesn't stop all of the evil. It IS effective in the sense that running no javascript really limits the amount of information people can learn about your system. Like, why should a website be able to learn about the size of my screen, the complete enumeration of all of my plugins and fonts, etc?

As far as blowing off your leg, sometimes you just really hate tennis elbow, you know?

-----


Is that sarcasm? You should know, that doesn't really work here unless explicitly noted as such. See Poe's law.

-----


If you arrived faster at a citation of Poe's Law than actually reading and considering the things I said, you are doing Internet wrong.

-----


I did read them, and I did consider them. After thinking up a reply as to why you think basic client display capability querying mechanisms are inappropriate, I decided you were most likely being sarcastic.

On (multiple) repeated readings, I'm not really sure you were intending to make a point one way or the other. If I attribute the second sentence of "It IS effective in the sense that running no javascript really limits the amount of information people can learn about your system. Like, why should a website be able to learn about the size of my screen, the complete enumeration of all of my plugins and fonts, etc?" to your voice, then it seems you are. If that's to be taken as the user's voice as rationale as to why JS doesn't need to be enabled, then it's fairly neutral.

At this point, with your reply taken into consideration, I'm confused. Feel free to elaborate.

> If ... you are doing Internet wrong

Well, my first sentence was actually asking you, since I wasn't sure.

-----


Correct. I'm being completely serious, with the exception of the remark about exploding limbs (obviously).

Broad enumeration capabilities of this sort don't make sense. You don't need me to tell you why, because the moment you considered these features not existing, you immediately thought up alternatives that didn't involve running javascript, some of which require changes in the way people think about building web-pages, some of which may require changes in various specifications.

JS has more features than it deserves for learning about and (critically) sharing information about the host platform. Yes, you can still learn some things as a website operator by watching what browsers load/don't load, and what they put in their requests.

That does not mean that disabling javascript doesn't have value w/r to privacy concerns. Compare panopticlick.eff.org w/, w/o javascript enabled.

Edit: I should hasten to add that there are other concerns beyond privacy, like accessibility and the fact that a web page has no bloody business deciding that I'm likely running an iPad and therefore I shouldn't have access to X or Y. This is dumb, and contrary to the idea of the open internet. It's the same thing that's wrong with this EME nonsense.

-----


Ah, I took your position as being able to determine screen size (or have it determined automatically through CSS or some other hands-off mechanism) itself was also unneeded, not just that JS should not have this capability.

I can get behind most of what you say - as long as we are talking about simple, presentation based websites.

Where I think there's a breakdown in this view is when you consider complex web applications, including games. At that point, I believe some level of inspection capabilities are required, if we desire to have complex web apps delivered through the internet. I'm by no means sold that on-demand web delivered code is necessarily a good thing though. There's far too large a surface area to adequately secure while still making it useful, IMHO.

-----



