i absolutely hate how the modern web just fails to load if one has javascript turned off. i, as a user, should be able to switch off javascript and have the site work exactly as it does with javascript turned on. it’s not a hard concept, people.
but you ask candidates to explain “graceful degradation” and they’ll sit and look at you with a blank stare.
So in this example, what’s the underling issue, shitty business requirements or JavaScript?
Yes.
You understand if most people stopped using JavaScript they would just find other ways to serve you ads, right? You can already be tracked without JavaScript.
Just because there are other ways to serve you ads does not at all mean we should not be able to not only stop at least one, but also the one which is most dangerous since it literally allows for RCE on all clients. by design.
The browser is supposed to be a sandbox environment for RCE. That’s why the sandbox part is important. Maybe instead of removing the RCE, we can lock down the sandbox better and reduce the amount of information advertisers can collect.
If you remove code execution in the browser, then many websites will need to ship desktop apps instead. So now you’ve bypassed the browser sandbox altogether and that application can do much more damage.
I’m not arguing that all websites need to execute in the browser, but without code execution in the browser, you remove a whole class of apps and the web becomes much less useful.
Edit: calling it RCE is also kinda obnoxious because at that point you might as well call everything RCE. By that definition, if I push a docker image update, do I have RCE inside any container pulling that image? If there’s a way to break out of docker or web browser sandboxing, by all means call it RCE, but this is not that.
By all means but then someone do it, because it’s 2025 and even Firefox sends all this information that is absolutely not needed to show a webpage. It’s at least 25 years late by this point.
Which in quite more than just some cases would be good, precisely because some things should be native programs instead of requiring that the web browser basically provides all the tasks of the OS.
I still think it’s silly to feel safer running the code outside of the browser sandbox, but I also understand. Ad companies have abused browser tracking and fingerprinting so much, and I hate them for it. What I’m trying to say is don’t throw the baby out with the bath water.
As a developer, it’s way easier to build a cross platform websites than maintain a native app for each platform. A lot of “native” apps are actually just web apps in a wrapper or halfway between native and web solution like React Native. Web lowers the barrier of entry to get your app out the door.