Everyone talks about how evil browser fingerprinting is, and it is, but I don't get why people are only blaming the companies doing it and not putting equal blame on browsers for letting it happen.
Go to Am I Unique and look at the kind of data browsers let JavaScript access unconditionally with no user prompting. Here's a selection of ridiculous ones that pretty much no website needs:
- Your operating system (Isn't the whole damn point of the internet that it's platform independent?)
- Your CPU architecture (JS runs on the most virtual of virtual environments; why the hell does it need to know what processor you have?)
- Your JS interpreter's version and build ID
- List of plugins you have installed
- List of extensions you have installed
- Your accelerometer and gyroscope (so any website can figure out what you're doing by analyzing how you move your phone, i.e. running vs walking vs driving vs standing still)
- Your magnetic field sensor AKA the phone's compass (so websites can figure out which direction you're facing)
- Your proximity sensor
- Your keyboard layout
- How your mouse moves every moment it's in the webpage window, including how far you scroll, what bit of text you hovered on or selected, both left and right clicks, etc.
- Everything you type on your keyboard when the window is active. You don't need to be typing into a text box or anything, you can set a general event listener for keystrokes like you can for the mouse.
If you're wondering how sensors are used to fingerprint you, I think it has to do with manufacturing imperfections that skew their readings in unique ways for each device, but websites could just as easily straight up record those sensors without you knowing. It's not a lot of data all things considered so you likely wouldn't notice.
Also, canvas and WebGL rendering differences are each more than enough to 100% identify your browser instance. Not a bit of effort put into making their results more consistent I guess.
All of these are accessible to any website by default. Actually, there's not even a way to turn most of these off. WHY?! All of these are niche features that only a tiny fraction of websites need. Browser companies know that fingerprinting is a problem and have done nothing about it. Not even Firefox.
Why is the web, where you're by far the most likely to execute malicious code, not built on zero trust policies? Let me allow the functionality I need on a per site basis.
Fuck everything about modern websites.
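Added example (not part of the original post): the post lists many attributes that each look harmless; this sketch measures, over a constructed population, how much each one narrows the crowd a visitor hides in and how quickly they combine. The records, attribute names and the `c1`…`c7` canvas labels are invented for illustration.

```javascript
// Constructed sample population (not real data): values a page script could read.
const visitors = [
  { os: "Windows", arch: "x86_64", layout: "en-US", canvas: "c1" },
  { os: "Windows", arch: "x86_64", layout: "en-US", canvas: "c2" },
  { os: "Windows", arch: "x86_64", layout: "de-DE", canvas: "c3" },
  { os: "Windows", arch: "x86_64", layout: "de-DE", canvas: "c4" },
  { os: "Linux",   arch: "x86_64", layout: "en-US", canvas: "c5" },
  { os: "Linux",   arch: "x86_64", layout: "de-DE", canvas: "c6" },
  { os: "Android", arch: "arm64",  layout: "en-US", canvas: "c7" },
  { os: "Android", arch: "arm64",  layout: "en-US", canvas: "c7" },
];

// Joint value of the chosen attributes, used as a grouping key.
const keyOf = (rec, attrs) => attrs.map((a) => String(rec[a])).join("\u0000");

// Map from joint value to the number of visitors sharing it.
function groupSizes(records, attrs) {
  const counts = new Map();
  for (const r of records) {
    const k = keyOf(r, attrs);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  return counts;
}

// Shannon entropy in bits of the joint distribution over `attrs`.
function entropyBits(records, attrs) {
  let h = 0;
  for (const n of groupSizes(records, attrs).values()) {
    const p = n / records.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// How many visitors are indistinguishable from `target` on `attrs`.
function anonymitySet(records, target, attrs) {
  return groupSizes(records, attrs).get(keyOf(target, attrs)) || 0;
}

// Fraction of the population that is alone in its group (fully identifiable).
function uniqueFraction(records, attrs) {
  let unique = 0;
  for (const n of groupSizes(records, attrs).values()) if (n === 1) unique += 1;
  return unique / records.length;
}

for (const attrs of [["os"], ["os", "layout"], ["os", "arch", "layout", "canvas"]]) {
  console.log(attrs.join("+"), entropyBits(visitors, attrs).toFixed(2), "bits,", uniqueFraction(visitors, attrs), "unique");
}
```

The same functions can be pointed at any table of attribute values to see which attributes a browser would most need to normalise or gate behind a permission.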
Web developers are complicit in browser fingerprinting, by insisting that sites require JavaScript (or WASM).
All of us are complicit in browser fingerprinting, because we tolerate this script dependence.
IMHO, a web site being allowed to execute arbitrary code on visitors' hardware should be an anomaly. The vast majority of them could be built to deliver the same information without requiring that inherently dangerous permission.
One of the biggest reasons websites need to run JS is submitting form data to a server. Like this website.
But old forums did all this without JS by just using the HTML form's submit functionality itself. The issue is it causes the page to refresh meaning you can't keep any other unsubmitted forms, and you can get those annoying "submit form data again?" popups. So every website writes code to submit everything asynchronously.
Another major reason for using JS is dropdown menus and panels. You need to either write code to listen for the click and reveal/hide it as needed, or you have to do weird CSS tricks that are usually inferior in UX to a JavaScript implementation, or you have to bastardize the form dropdown selector into your general purpose dropdown.
These shouldn't be things you need to implement yourself using a Turing complete programming language. These should be natively implemented in the browser and accessible through HTML.
Remember when the only way to play videos on websites was with Flash or Java applets? But then video playback got natively implemented into HTML and now it's way easier and doesn't even require JS.
If browsers did the same for asynchronous form submission and dropdown menus, it would get rid of 80% of websites' need to run JS. Including this one.
But obviously they want you to run JS so they won't do that.
No. Forms function quite perfectly without JS thanks to `action=`. Now whether you want to get "desktop app" fancy with forms and pretend you are a "first-class desktop citizen" that's a skill issue. But submitting form data, by itself, has not required JS since at least 1979. Maybe earlier.
Look for text "HTML's got expandable sections baked in"
I had actually given up on expandable sections for my website (because I didn't want any more JS than the dark/light switcher I made) until I found this.
Let's be careful how we phrase things here. JavaScript form submission and navigation are choices, not needs.
Also, progressive enhancement / graceful degradation exists. When competent developers (or bosses) want script effects on our sites, we can include them and make the sites continue to function with scripts disabled. It might require more work, but it is absolutely possible.
Framing the script-based approaches to these things as if they were needs contributes to the problem, IMHO.
(I am referring to the vast majority of web sites, of course, not special-purpose web applications like games.)
Navigation is a need.
It can be done without JS.
You don't even need to be competent. Being obsessed works too.
The problem is, a manager will just get an intern with 0 web experience and hand them WordPress.
I'm an ex web dev/des and still maintain some websites for non-profits. I think you underestimate the human stupidity factor. I already have to front an infuriating level of stupid questions and problems that people have caused themselves by not following the most simple of directions. Do I like JavaScript? No. Do I wish I could completely ditch it? 100%. But people are stupid. And without its use, I would be handling even more CS than I am now. The average person expects a website to act a certain way and without that they lose their minds.
Homie the web platform I've been tasked with helping keep running/update is ASP Web forms and the lack of asynchronous updating is pretty annoying to work with in a ticketing software.
I miss websites with simple text, links and graphics. We could navigate them perfectly fine without any JS, any dropdowns or whatever. They just displayed the information you came for, nothing extra.
I agree with you about dropdown menus being something that could/should be natively available to HTML, but I'm less convinced about form submission. Sure, if we assume everything is happy path it's a great idea, but a system needs to be robust enough to handle a variety of cases. Maybe you want to redirect a user to a log-on page if they get back a 401, or present an explanation if they get a 403. A 5XX should usually display some sort of error message to the user. A 201 probably needs to add an element into the page, while a 200 might do nothing, or might alter something on the page.
With the huge range of possible paths and desired effects, it pretty quickly becomes apparent that designing an HTML & CSS–only spec that can meet the needs is infeasible. There's definitely a case to be made that JavaScript has become too powerful and can do too many potentially dangerous or privacy-invading things. And maybe a new range of permissions could be considered to limit a lot of that at a more fundamental level. But what we're talking about here with the form submission stuff is the real bare-bones basic stuff JavaScript was designed to make easier—alter the contents of web pages on the fly in response to user actions. And it's really, really good at that.
ofc it would be horrendously inefficient, but can you use multiple iframes to do asynchronous forms?
I use noscript and VERY MUCH do not allow as much stuff as possible, by default, and don't allow anything if I don't want to or feel like it. I have been doing so since forever because of literal constant bullshit.