Everyone talks about how evil browser fingerprinting is, and it is, but I don't get why people are only blaming the companies doing it and not putting equal blame on browsers for letting it happen.
Go to Am I Unique and look at the kind of data browsers let JavaScript access unconditionally with no user prompting. Here's a selection of ridiculous ones that pretty much no website needs:
- Your operating system (Isn't the whole damn point of the internet that it's platform independent?)
- Your CPU architecture (JS runs on the most virtual of virtual environments why the hell does it need to know what processor you have?)
- Your JS interpreter's version and build ID
- List of plugins you have installed
- List of extensions you have installed
- Your accelerometer and gyroscope (so any website can figure out what you're doing by analyzing how you move your phone, i.e. running vs walking vs driving vs standing still)
- Your magnetic field sensor AKA the phone's compass (so websites can figure out which direction you're facing)
- Your proximity sensor
- Your keyboard layout
- How your mouse moves every moment it's in the webpage window, including how far you scroll, what bit of text you hovered on or selected, both left and right clicks, etc.
- Everything you type on your keyboard when the window is active. You don't need to be typing into a text box or anything, you can set a general event listener for keystrokes like you can for the mouse.
If you're wondering how sensors are used to fingerprint you, I think it has to do with manufacturing imperfections that skew their readings in unique ways for each device, but websites could just as easily straight up record those sensors without you knowing. It's not a lot of data all things considered so you likely wouldn't notice.
Also, canvas and webGL rendering differences are each more than enough to 100% identify your browser instance. Not a bit of effort put into making their results more consistent I guess.
All of these are accessible to any website by default. Actually, there's not even a way to turn most of these off. WHY?! All of these are niche features that only a tiny fraction of websites need. Browser companies know that fingerprinting is a problem and have done nothing about it. Not even Firefox.
Why is the web, where you're by far the most likely to execute malicious code, not built on zero trust policies? Let me allow the functionality I need on a per site basis.
Fuck everything about modern websites.
I agree with you about dropdown menus being something that could/should be natively available to HTML, but I'm less convinced about form submission. Sure, if we assume everything is happy path it's a great idea, but a system needs to be robust enough to handle a variety of cases. Maybe you want to redirect a user to a log-on page if they get back a 401, or present an explanation if they get a 403. A 5XX should usually display some sort of error message to the user. A 201 probably needs to add an element into the page, while a 200 might do nothing, or might alter something on the page.
With the huge range of possible paths and desired effects, it pretty quickly becomes apparent that designing an HTML & CSS–only spec that can meet the needs is infeasible. There's definitely a case to be made that JavaScript has become too powerful and can do too many potentially dangerous or privacy-invading things. And maybe a new range of permissions could be considered to limit a lot of that at a more fundamental level. But what we're talking about here with the form submission stuff is the real bare-bones basic stuff JavaScript was designed to make easier—alter the contents of web pages on the fly in response to user actions. And it's really, really good at that.