Given what we've been seeing with attack sites, whether shock sites trying to just DoS the browser or silly tricks like making the browser POST to an irc server's irc port to spread the malicious URL, or just terrible ads and tracking that actively slow down the browser and ruin the surfing experience, I'm amazed that not more people see javascript as a built-in remote code execution vulnerability that only gains more and more features over time, sandbox or not. :)
Javascript makes a lot of cool stuff possible, but outside of some heavy-weight web applications that I have to trust anyway like my webmail interface or online storage manager, or games where the interactive components are the only reason why I'm visiting the site to begin with, I'm starting to wonder whether trusting the internet is not inviting more trouble than it's worth.
Maybe I'm "old-fashioned" but I'd love to go back to all the sites I visit functioning with just static web content, no clientside scripting at all, and letting me consume videos and stuff in a trusted media player plugin.
By default I have JavaScript blocked on all sites, allowing it only as needed, case by case, because JavaScript is a remote-code-execution vulnerability of modern browsers.
More and more of the applications we use and our private data live in the cloud. We now access our personal files, manage our bank and investment accounts, and make retail purchases on our web browser.
Browsing the web with JavaScript enabled by default allows code written by complete strangers to run on your browser!
This shows a general lack of knowledge about how JS and websites work. I can't just run JS on my site that will steal your bank info. Browsers have cross domain security policies to prevent this.
There have been various vulnerabilities (especially in IE) but just like any other software they get fixed.
driverdan -- by your logic, it would be OK to give perfect strangers remote-shell access to one's computer, so long as one takes all the precautions necessary to protect sensitive files and prevent them from gaining root access.
Leave aside the various vulnerabilities (including cross-site-scripting ones!) that get discovered with disturbing frequency, and please consider the subject of this thread: it's possible to make someone click a "Like" button without their realizing it! How many other similar tricks can JavaScript be used for by people with nefarious intentions?
No matter how "safe" any runtime environment is, allowing strangers to execute arbitrary code on your computer is never a great idea.
This is why I allow JavaScript code to run on my browser only when it comes from sources I trust.
"...and letting me consume videos and stuff in a trusted media player plugin."
HTML5 generally solves this with <audio> and <video>. If implemented correctly by browsers, they should not require any scripting on the site itself to work.
That said, "trusted" media player plugins (think Flash) have been the targets of many successful attacks as well.
I'm thinking a dumb unscriptable video playback frame that draws its own controls and isn't remote-controlled by javascript.
I've seen plenty of sites that see I don't have javascript enabled (or unblocked) and conclude that welp, that guy probably doesn't have speakers, let's display an unhelpful message instead of embedding media content.
Of course there'll still be some attack surface just like people have been managing to exploit image decoding libraries over the years, but at least it wouldn't be engineered against usability by default.