> For example, webmail
Webmail isn't a concept that needs JavaScript to work. Lots of old Webmail
systems didn't require JavaScript at all. Squirrelmail is one named example,
and I think Gmail still has a fallback version of the Webmail that doesn't
require JavaScript (though I'm not entirely sure; it may have been removed
since the last time I used Gmail).
> I would argue instead that the web browser should have it off by default
and ask users if they want to run scripts temporarily, which NoScript
achieves through the whitelist or LibreJS does by checking for licenses.
To be perfectly honest, I can't think of any use-case for JavaScript use on
the Web where it is both necessary and appropriate. But if there is one, Web
browsers must handle scripts in a fundamentally different way. What you are
proposing just isn't sufficient, because it doesn't give the user any
technical ability to modify the JavaScript code. What good is being able to
see the source code if you can't make changes? I guess you could find out
that the program is malicious, but there would be nothing you would be able
to do about it. That's why I said in the essay I linked to that fixing
JavaScript must include the following:
* The browser must install JavaScript code permanently, and only when the
user explicitly authorizes it in some fashion.
* The browser must give the user the ability to install any arbitrary script,
not just the script requested by the Web page.
* The browser must not upgrade any JavaScript code automatically, unless the
user has specified that it should be, and the user must be able to choose
where such updates come from.