@LorenzoAncora @tennoseremel @lxo Please put down the proprietary flavor aid.
>images, CSS, documents, most web resources have processing flaws which allow for unsandboxed code execution.
Yes, in certain cases such parsing libraries can have vulnerabilities, but those vulnerabilities are soon fixed and most exploits usually require JavaScript to successfully pull off, as a sequence of operations a user won't follow is required (while if you have arbitrary remote JavaScript execution, you can easily trigger such steps unnoticed).
I believe such libraries are now sandboxed and you can sandbox such libraries much better than you can sandbox a JavaScript JIT (which requires allowing for runtime machine code generation and then executing that machine code (write & execute), unlike an image processing library that can be fully execute-only).
>iFrame policies can often be bypassed using srcdoc, postMessage and clickjacking exploits.
srcdoc is not an exploit - it's a way to choose what page is displayed in the iframe.
Without the vulnerability of JavaScript, everything you do in an iframe only goes to the sourced webpage.
postMessage and clickjacking exploits have a hard requirement on JavaScript, as postMessage is a JavaScript function and any HTML link shown is the one you're going to visit.
>With AI, JavaScript will be indispensable to discern humans
Artificial Stupidity software is now far better at solving captchas and thoughtlessly executing JavaScript, thus I don't see how people can be reliably distinguished with JS.
>respect GDPR & NATO policies on privacy and ecology
If you don't spy on the user and don't burn copious amounts of electricity, you won't need to worry about your compliance with policies.
You can easily achieve both by not using JavaScript.
HTML webpages are fit for all things a webpage is fit for.