Comment by pabs3

Comment by pabs3 3 days ago

2 replies

View on Hacker News

I was mostly speaking to the general advantages of not enabling JS.

> static pages

As in it won't change after you load the page.

> almost no advertising, fewer working paywalls

Indeed, haven't seen these with mastodon instances, but you never know when that will start happening.

> smaller attack surface

The instance could have been hacked, or you could have angered the admin, or you could have angered some other user who knows of a vulnerability they could leverage to send you custom JS.

The JavaScript sent by Mastodon is obfuscated, so it isn't reasonable to expect to be able to audit it and mark it as safe. You could YOLO and allowlist an JS from trusted instances of course, but that opens you up to the scenarios above.

esperent 3 days ago

> Static page... As in it won't change after you load the page.

That's not what static means in the context of web development. It means that the html is delivered from the server in a static form and doesn't need to be changed in any way to be displayed.

> The JavaScript sent by Mastodon is obfuscated, so it isn't reasonable to expect to be able to audit it and mark it as safe

This is what file hashes are for. But agreed, you do need to trust the upstream file provider. I had assumed that a federated system like Mastodon had considered this already and had a way of confirming js hashes to ensure against rogue nodes. Is that not the case? If so it seems like an oversight.

But anyways, thanks for replying to me. I asked because, as a web developer, I'm always curious about why people disable JS. I have yet to be convinced of any valid reasons for most people to do it, but I can understand that some people have stronger security concerns. For those people though, it always feels like it would make more sense to spin up a VM and browse inside there with all the unsafe JS, rather than enduring a daily struggle through a litany of websites that don't work properly.

Reply View 1 reply

pabs3 a day ago

Static means something different in the context of trust on the web. An entirely static page without JS means you can reason about the page, know it will still work if saved locally etc. A static HTML that loads JS could do anything, like reporting your access to Google, or blocking your viewing if the date is April 1st or whatever, or breaking if it gets saved to archive.org.
File hashes only indicate the file and or hash weren't modified in transit, you can't know which party created the hash, and whether to trust that party, since they aren't authenticated from developer to browser, only from the server to the browser. Even if there were end-to-end authentication and there were a web of trust that could be used for authenticating developer keys, you can't trust code without auditing it, and you can't audit JS on most sites, because it is almost always minified/obfuscated or huge.
I expect it is unlikely Mastodon would care about JS hashes, because they are delivered by the instances rather than a CDN, and each instance can run a different version of the code, and each instance can modify the code as they please.
As above, many/most sites work fine, or much better without JS. The ones that don't can be dealt with using external tools like yt-dlp gallery-dl zygolophodon etc.

Reply View | 0 replies