Notices by Lorenzo Ancora :verified: (lorenzoancora@ieji.de)

@lxo modern webmasters don't "shift" the computing costs, they use client-side processing and caching to avoid transferring redundant data which the user may not really need and that would only hog the service back-end. Here, JavaScript is used to guarantee a fast and smooth service for everyone. 😉

Websites change frequently, so amateur automations can be dangerous and unreliable. If the webmaster wants to allow automation, then the website will offer public APIs.

CC: @tennoseremel @quasi

@Suiseiseki modern JS frameworks and libraries, such as React and Angular, implement various optimizations to reduce the number of requests; web sockets and pipelining then minimize the number of connections. Local processing can be also less risky.

Pure FastCGI apps will almost always waste more bandwidth, requests and computational power.

IP analysis can't detect modern scrapers and AI , so PoW is always used along with machine learning or behavioral analysis.

CC: @tennoseremel @quasi @lxo

@Suiseiseki the reason webmasters can't implement graceful degradation is that, with the rise of AI, JS will be indispensable to discern humans through proof-of-work captchas and algorithms, in order to prevent service abuse and to respect GDPR & NATO policies on privacy and ecology (less requests -> less pollution and less MitM attack occasions). Obviously, client-side JavaScript will no longer be an optional dependency. Sad but true.

𝗧𝗵𝗲 𝗯𝗮𝘁𝘁𝗹𝗲 𝗮𝗴𝗮𝗶𝗻𝘀𝘁 𝗝𝗦 𝗶𝘀 𝗽𝘆𝗿𝗿𝗵𝗶𝗰.

CC: @lxo @tennoseremel

@Suiseiseki the JS-less approach works well until the number of web requests grows. It works fine for amateur apps and small websites, but popular ones are forced to use it in order to keep the user experience smooth and keep out the bots and AI through PoW captchas.

Modern e-learning requires interactive excercises, flash cards, interrogations with supervision, cloud integration with file hosting and so on. Those things only scale well with JavaScript.

CC: @tennoseremel @quasi @lxo

@lxo web apps for real-time collaboration, social media, video conferencing, online banking, trading, e-learning, auctions, e-commerce and so on, all need client-side JavaScript. It's just a *necessity* to meet the minimum quality standards.😉

Internet offers endless variety: if you don't trust a website, the best thing you can do is not visiting it.

Alex, my social feed stays always open for you, hoping for pleasant conversations in future. Take care. 👋

CC: @quasi @Suiseiseki @tennoseremel

@Suiseiseki no, I only use open protocols and FOSS apps to access my stuff. 😉

FOSS is just a term to indicate "Free and Open Source Software", nothing more. My usage of proprietary apps is minimum, all software I use is at least open source. I don't focus on anyone's interests, I just serve higher ideals.

If your nation asks you to use a website to save the planet and reduce bureaucracy, this is a moral obligation. Here at least JavaScript saves you two car trips! 🤣

CC: @tennoseremel

@Suiseiseki images, CSS, documents, most web resources have processing flaws which allow for unsandboxed code execution.

iFrame policies can often be bypassed using srcdoc, postMessage and clickjacking exploits. They will be obsoleted (eg. by fencedframes which offer full JavaScript support).

With AI, JavaScript will be indispensable to discern humans and to respect GDPR & NATO policies on privacy and ecology. HTML-only webpages will become unfit for most purposes.

CC: @tennoseremel @lxo

@lxo unless the website is yours, you will never be in total control. The website owner will always be able to decide what each visitor sees and what each user can do on the company's domains. JavaScript is only an improvement to the user experience, its absence would make our life harder, its presence is almost always helpful has a very marginal effect on our freedom.

Tip for GNUs: focus on improving yourself rather than bashing others. Choose self-improvement over hate.

CC: @tennoseremel

@Suiseiseki iFrames are discouraged by most web dev guidelines, as they can embed malicious remote content, allowing criminals to inject malware, steal information, or conduct fraud, whereas client-side JavaScript is sandboxed within the isolated context of the webpage with same-origin policy restrictions.

Client-side processing grants improved responsiveness, better privacy and faster loadings, also reducing the carbon footprint by avoiding unnecessary web requests.

CC: @tennoseremel @lxo

@Suiseiseki I own many digital goods and ownership is generally tied to purchase.

Understand the scope of the free software movement accurately: FOSS is about the rights of software developers and users to modify and distribute desktop and mobile software.

Never conflate the concept of software freedom with website ownership. Users can choose to visit or avoid a website based on their own free will, regardless of the licensing terms of the JavaScript used on that site.

CC: @tennoseremel

@lxo no Alexander, even saints met opposition.
When you don't see much opposition, it only means nobody else thought sharing their informed opinions and discuss honestly with you was worth their time. In other words, that nobody else believed in your ability to think rationally, understand different perspectives and thus improve.

CC: @quasi @Suiseiseki @tennoseremel

@lxo many trade-offs around in IT security, which requires a layered approach, as servers and clients have much different security requisites.

JavaScript security is in constant improvement because Web 2.0 needs it, used to much easily publish interactive content, facilitating self-expression, self-hosting and collaboration.

Note: I'm ignoring your rhetoric techniques, but mind that insults and ad hominem attacks aren't ok. I'm polite, so at least treat people with respect.

CC: @tennoseremel

@Suiseiseki HTML5 alone cannot replace JavaScript because it lacks the capability to handle events, manipulate the DOM in real-time, or perform asynchronous operations, which are essential for creating dynamic, accessible and interactive pages.

FastCGI, executing server-side, is computationally more expensive because it requires multiple web requests and can be more vulnerable to remote code execution and misconfigurations than client-side JavaScript.

CC: @tennoseremel @lxo

@Suiseiseki unless the website owner publishes the JavaScript code under a FOSS license, full performance optimization is in the visitor's interest and you can't expect to find comments or readability aids.

In all cases, code quality and security are the webmaster's responsibility, not yours.

CC: @tennoseremel

@lxo Alexandre, I will be the one biting faces if you start a religion/politics thread here! 🐺

Take all security reports seriously but try not to be obsessed about it, you'll just end up reaching uninformed conclusions. Trust the pros, take the mitigation steps and be productive.

Trust is always optional. But if you're feeling threatened by 98% of websites, its time to reassess your habits: better friends, less work, healthier food, touching grass more often, all helps.

CC: @tennoseremel

@lxo I understand your concerns, but MITRE and CISA's oversight ensures CVE.org's security and integrity. Regular audits, bug reporting programs and frequent updates help mitigate future risks.

Alexandre, living in irrational fear of interactive webpages isn't healthy. We live only once, mate! 🙂

I'm currently satisfied and use their services with gratitude. If I had anything to say about their ethics, I would tell them personally.
I advise you do the same.

CC: @Suiseiseki @tennoseremel

@tennoseremel hi, minification and compression are distinct processes.

Minification removes unnecessary white space while compression reduces file size. They work together in HTTP to improve page load times. Minification helps reduce the file size, making it more efficient for compression to take effect, and ultimately, for the browser to download and render the page. They only improve performance and reduce carbon footprint. Minification cannot hinder experts auditing. 😉

CC: @Suiseiseki

@lxo you're welcome. If you need the screenshot of something else just ask, I'll gladly use the latest build of Mozilla Firefox on my up-to-date Linux to take a screenshot for you.

CVE.org is supported by the Cybersecurity and Infrastructure Security Agency (CISA) and by MITRE, a 65 years old corporation specialized in national defense, financial systems and cybersecurity.
Its staff has 25 years of experience. If this website isn't safe, we're all doomed. 🙂

CC: @Suiseiseki , @tennoseremel

@Suiseiseki the scripts do not appear to contain malware:
https://www.virustotal.com/gui/url/0e7795408fa7cc6e918cbb0526bc804fece03f7b7685bebdc971670910088fea

https://www.virustotal.com/gui/url/b698d39b69b283657a4120248b211baeeb6be9b9f46a0bf873bfbcb5cbf622ac

All JavaScript files you've linked to are minified (compressed), not obfuscated. Almost all websites use compression to improve loading times. You can simply use the auto-format of your text editor to read minified scripts with minimal effort.

@lxo Hi Alexandre, nice to read you again. CVE.org is a reputable site that does not distribute malware or execute unsandboxed code. It is safe to use: https://www.ssltrust.com/ssl-tools/website-security-check?domain=www.cve.org

The website does not and cannot install anything on your computer. JavaScript is used to improve the user experience.

I apologize for linking a site you can't visit due to self-imposed ethical limitations. I've attached a full-length screenshot of the page. Let me know if I can assist you further.