@LorenzoAncora @tennoseremel @lxo >iFrames are discouraged by most web dev guidelines, as they can embed malicious remote content,
So iframes without JavaScript is bad, but a page full of malicious proprietary JavaScript without iframes is good? Huh.

Have you considered that JavaScript is always the "malicious remote content"?

>allowing criminals to inject malware, steal information, or conduct fraud
Exploitation, information exfiltration etc require JavaScript to pull off - meanwhile you cannot do any of that with just HTML.

>whereas client-side JavaScript is sandboxed within the isolated context of the webpage
Have you considered that there's always a sandbox bypass?

>with same-origin policy restrictions.
Last time I checked those can be applied to iframes just as well.

>Client-side processing grants improved responsiveness, better privacy and faster loadings, also reducing the carbon footprint by avoiding unnecessary web requests.
In reality, I find that cgit is far more responsive and loads faster and has better privacy than JavaScript-based git hosts, which are much slower and really hit the CPU hard - increasing electrical consumption substantially.

If you want to reduce CO₂ emissions, one effective move would be to eliminate JavaScript.