JavaScript applications presented as remote Web pages are convenient, sure. But their convenience is also their greatest danger. You know how Windows users can get infected with unauthorized malware just by visiting the wrong Web pages? That's JavaScript; on a sane computing system, you can choose explicitly what programs to install and run, but in the Web browser, everything is installed and ran automatically, and that tends to include programs that are malicious.

Then there's the problem of updates to the application being automatic: you may have reviewed the source code of on version 5 minutes ago, but that doesn't mean that's what you're getting now. On a sane computing system, you keep the program as long as you consistently use it, and you can control how often it is updated. In a Web browser, it's impossible to even tell if a script is changed, so updates are not only automatic, but silent. If someone wanted to attack you, it would be trivially easy for the Web server (or a middle-man if it's over HTTP) to send you a malicious version of the program (say, a version that contains spyware) for a brief period of time, then revert to the non-malicious version a few minutes later.

And the real kicker is, you can't edit JavaScript programs distributed as a part of a remote Web page. You can edit the program, sure, but you can't actually use your modified version in place of whatever version the Web page distributes/requests.

I've written about the problem of JavaScript embedded into Web pages in the past:

https://onpon4.github.io/other/kill-js/

In short, executing JavaScript, at least the way all Web browsers do it today, distributed with remote Web pages should never be done. It is incompatible both with true liberty and with even modest security. The only way it can be acceptable is if a Web browser is designed to give the user full control over what scripts are executed, what those scripts do, and when they are updated.

Of course, this all applies only to remote Web pages. If you have a local Web page (stored entirely on your computer), then any JavaScript program on it is perfectly fine. But that kind of defeats the whole purpose of basing a program on manipulation of a Web page.

Reply via email to