One of the things that is destroying the web is WASM and JavaScript.

This isn't really even a joke - it's literal.

By having all these tools to make a web browser have unfettered access to the system, it becomes unsafe to allow users to generate arbitrary code. We can't have another MySpace or NeoPets User Lookup because we can't allow users to write their own HTML, because that's *dangerous*.

The problem is literally that the Web Browser no longer is a web platform. It's a code interpreter. The limits of the web lead to safety. XSS is a consequence of a failure.
I don't know what Roblox is doing - but I think Roblox is maybe the birthplace of hackers?
@silverwizard I do know, or knew at least, and it absolutely is a little hacker incubator and also a massive threat vector.
@ajroach42 I feel like all of the good hacker incubators are massive threat vectors. But the People Make Games video made it seem suspicious as hell.

@silverwizard I haven't seen the video, but I worked in reliability there for half a decade.

Reliability and security on that platform (not to mention safety) are huge unsolved problems.

@ajroach42 I hope they learn to take that seriously. But I bet neopets was just as good at those things >.<
One can only hope!
@silverwizard BBS > Neopets > roblox. The hacker incubation evolution.
@silverwizard I wonder if there's a way to say "do not run scripts in this frame, no matter how they come to be there". And then strip out script tags and things, of course, but also then if they find a way to embed a script that you didn't think of, it wouldn't get run.
@IceWolf I mean - I'd love to make tools to allow noscript sites. Sites that say "run no JS from me". It'd be so good as a header!
@silverwizard And there are evidently ways to do it safely, because JSFiddle and the like exist, but it apparently requires a whole separate domain like "githubusercontent.com" and that's probably too much complexity for, say, a forum/social media site where every post gets full HTML or whatever.
@IceWolf I don't know what JSFiddle is doing - but I assume it's some sort of minimal level libraries and APIs? I dunno
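
The "do not run scripts in this frame, no matter how they come to be there" idea from the posts above can be expressed with a Content-Security-Policy response header plus a sandboxed iframe. The following is an added example, not code from anyone in the thread; the WSGI app, the `/u/<name>` route, the `PROFILES` data and the helper names are all assumptions made for illustration.

```python
import html
from wsgiref.util import setup_testing_defaults

# Policy for responses that carry user-written markup (added example).
# script-src 'none' blocks <script>, inline handlers and javascript: URLs;
# the bare sandbox directive disables scripts a second way and gives the
# page an opaque origin, cut off from the host site's cookies and storage.
USER_CONTENT_CSP = "; ".join([
    "default-src 'none'",         # no network loads at all, images included
    "script-src 'none'",
    "style-src 'unsafe-inline'",  # users may still style their page
    "form-action 'none'",
    "base-uri 'none'",
    "sandbox",
])

# Constructed sample: markup with a handler that a tag filter could miss.
PROFILES = {"alice": '<h1 style="color:hotpink">hi</h1><img src=x onerror="alert(1)">'}

def user_content_app(environ, start_response):
    """WSGI app for /u/<name>: stored HTML goes out with the locked-down headers."""
    name = environ.get("PATH_INFO", "").rsplit("/", 1)[-1]
    page = PROFILES.get(name)
    if page is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"no such profile"]
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Security-Policy", USER_CONTENT_CSP),
        ("X-Content-Type-Options", "nosniff"),
    ])
    return [page.encode("utf-8")]

def embed_frame(name):
    """Host-page markup: a sandbox attribute with no tokens forbids scripts in the frame."""
    return f'<iframe sandbox src="/u/{html.escape(name, quote=True)}"></iframe>'

def fetch(path):
    """Call the app in-process (no network) and return (status, headers, body)."""
    environ, seen = {}, {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(user_content_app(environ, start_response))
    return seen["status"], seen["headers"], body

if __name__ == "__main__":
    print(fetch("/u/alice")[1]["Content-Security-Policy"])
```

The stored HTML is deliberately left unfiltered here to show the header acting as the backstop; stripping script tags, as the post suggests, would sit in front of it.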

@silverwizard I would also argue that it enables the big corps to limit our freedoms with the computers we bought, by locking us to "the web".

Bare metal is freedom!
Even if people don't like C/C++/Rust/Go/Pascal, it is important that they exist, so others can have their native Python and Node.

I must admit that I do enjoy messing around with WASM, but now that I think of it, it's sort of me enjoying my own leash.

@montyontherun yeah! We can build these things! Build a limited web and unlimited world!

Remember, never download a .exe from the web, but you're safe otherwise!

@silverwizard is it safe to let users generate even arbitrary HTML? Was it ever safe to do so? Or did these sites just not care?
@valk why would styling be unsafe?
@silverwizard @valk It’s rare, but keyloggers and other funny things have happened. (https://css-tricks.com/css-security-vulnerabilities/)
@lifts @valk right, CSS has grown to madness
@silverwizard one could always hide a malicious / phishing link with an A tag. Or abuse image loading to track people (mitigatable now, but not back then.)
@valk I mean, they could definitely add tracking, definitely. And as long as you wrap the page, phishing is harder. And phishing is so easy these days with hubspot wrapping all email links, and no one properly using URLs. I dunno. I hear the concern, and I get it, but it just feels unconvincing to me. I feel like it's an argument that only applies to more sophisticated users.
@silverwizard i think the point i was trying to make is that you don't need scripts to do bad things. it's really hard to provide the flexibility you want to when allowing custom code without being unreasonably limiting. I don't think this is a fault of javascript, personally.
That said, I've gone on record saying javascript is overhated, so. Make of that what you will.
@valk I personally think JavaScript is underhated. I think people don't think enough about the ways the Browser is now a platform. People feel safe with browsers, and that's not a good idea imo.
underhated
I am so using that
@silverwizard it was already dangerous in the MySpace days. https://samy.pl/myspace/