This is really awesome to see. One unimportant nitpick: a lot of your recent Microsoft websites specify only the "Segoe" font, which means they render in Times for those of us on non- or old versions of Windows. Maybe load Open Sans or use a websafe sans-serif for us?
Yesterday I would have said they don't care about other platforms and compatibility issues. Today I'm not so sure. Anyway, looks like at least the GitHub has alternative font values:
Sending javascript over HTTP does technically allow for MitM attacks. Not to mention we know how great even Chrome's loudly bragged about sandbox is (it isn't is my point).
If you are loading the patch in https, all connections should be in https.
I wonder if they're gonna let their employees push atomic commits to this repository, or if it will be more like one big monolithic commit dump from time to time.
So "tile thought" is now applied to all things Microsoft? I personally prefer lists with expandable details ( an accordion menu ) Also would like to point out that the page is entirely useless without scripts enabled. I use NoScript by default and the page does not degrade smoothly at all.
Does it degrade smoothly if you disable CSS? At this point Javascript is a vital part of the web experience and it seems pointless to say that a site doesn't degrade smoothly with it disabled.
Depending on the number and variety of sites that you visit, enabling javascript universally is hazardous. You can easily observe this to be true by clicking 30-50 links randomly as fast as you can in your browser. You will find that inevitably your system will become infected with malware in the process of doing this, regardless of protection.
Generally for accessibility purposes websites should be designed so that basic text and links appear and are functional with JS disabled, and even CSS disabled. If the website is some sort of dynamic application with moving widgets than I can understand that JS might be needed, but not for a basic list of project Microsoft has put on Github.
Even if JS is used for templates, it is preferable to use semantic HTML that can be enhanced rather than using a template for the entire page and show "{tags}" all over the page when JS is disabled.
TLDR: A page with a basic list of projects shouldn't need JS. Web applications: yes, basic lists: no.
This is not a naive statement by me caused by assumptions. I actually did exactly this with a patched modern browser and good antivirus and my system became infected in the process.
Mind you I indiscriminately clicked on known "bad" advertisements in the process of doing this. Don't believe me? Try it for yourself. It is actually very easy to get malware if you click around foolishly.
Also, I have written multiple web crawlers, and have collected a large variety of JS based malware that can and does break modern browser security just in the process of fetching domain homepages. ( JS code embedded directly in index.html on domains )
If you're correct, you've uncovered some 0days in the wild. Go figure out which site, capture what happens, and turn it in to the respective browser developers for a nice bug bounty.
Or, you know, maybe they aren't wasting a 0day on "obviously bad advertisements".
