-
This site uses client-side scripting
- 5 Jun 2025 - Spooky, scary JavaScript update. +"This web page uses limited JavaScript"
+ 5 Jun 2025 - What's this about?!@@ -44,49 +44,39 @@ I have a few thoughts on client-side scripting. It was only recently that I decided to burden your browsers with up to 2.9 kilobytes of JavaScript code per page[*]. My previous zealotry of avoiding - it was based on privacy and security concerns that I have with this + it was based on privacy and security concerns, that I have with this technology, which I didn't want my few readers to deal with. So, let me - explain why I decided to burden your browser with a code size of a photo - taken with a Nokia 6600. + explain why does this page need a code of size of a photo + taken with a Nokia 6600 running in your web browser.
-- The sheer concept of running served code locally in your browser is alien - to me. Sandboxed or not, escapes happen on a large scale. Just this week, - the zero-day vulnerability - CVE-2025-5419 - was documented after having existed for almost half a year in the wild. Last - year, four severe vulnerabilities in the JavaScript engine emerged that - I am aware of, one of which enabled ACE with as little as 40 lines of code - (including the payload!). -
Running code client-side means placing a lot of trust in your source (the - website) but even more in the tool (the browser). My decision to include + web page) but even more in the tool for running it (the browser). My decision to include JavaScript in the non-critical functionality of the site was made for the - comfort of average surfers. To be specific, now visitors can see my - mars clock - update in real time. I wanted to demonstrate the difference between a Mars - second and an Earth second in the simplest possible example. + comfort of average surfer. To be specific, now visitors can see my + Mars clock + update in real time, because I wanted to demonstrate the difference between a Martian + second and an Earths second in the most transparent way.
The core functionality is, and always will be, executed server-side. All - scripting is purely cosmetic and in no way interferes with your experience - on my domain. + scripting is purely cosmetic[**] and in no way interferes + with your experience on my domain.
- But don't take my word for it. I encourage every visitor to read my source - code. Up-to-date "backups" are stored on my Git server and linked in every - footer. Compare them with the dev console and call me out if you find any - discrepancies. If you don't feel comfortable diving into the code, fire up + I encourage every visitor to read the + source code + to see what are they executing in their browser. If you don't feel comfortable + diving into the code, fire up JShelter - to protect yourself. Even better, I encourage you to disable all JavaScript - and fetch only my - RSS feed. -
-- Remember, a web publication should be obtained from the server in its complete and - unaltered form. If someone hides information behind potential security risks, - it might not be worth your time. + to see its nature or disable the JavaScript altogether in your browser + (Chrome tutorial, + Firefox tutorial) + or only for this site with the + NoScript addon. + Finally, you can always ditch the whole Web mess and fetch only my trusty + RSS feed + which I now supply full lenght in plain text.
@@ -100,18 +90,22 @@ * If we include the license statements, which don't affect the logic of mentioned code, it adds up to 5 kilobytes per page.
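Review bot: In the -44,49 hunk the rewrite drops the only concrete way a reader had to verify that the served script matches the published one ("Up-to-date "backups" are stored on my Git server and linked in every footer. Compare them with the dev console and call me out if you find any discrepancies."). The new text still invites visitors to "read the source code", so keep a pointer to the exact published revision the page serves (or the footer link) so that comparison remains possible; the removed line about the engine zero-day and ACE is the paragraph's whole security argument and, if it is being cut for tone, the sentence "Sandboxed or not, escapes happen on a large scale" is worth keeping on its own. Also, JShelter is described in the old text as a protection ("to protect yourself") and in the new one as an inspection tool ("to see its nature"); the former is the accurate description of what it does. Grammar in the added lines: "explain why does this page need a code of size of a photo" should read "explain why this page needs code the size of a photo"; "concerns, that I have" loses the comma; "average surfer" should be "average surfers"; "an Earths second" should be "an Earth second"; "to see what are they executing" should be "to see what they are executing"; "full lenght" should be "full length".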
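Review bot: The -100,18 hunk shows only the existing "[*]" footnote as context, while the body now references a second marker ("purely cosmetic[**]"); confirm that the "[**]" footnote is among the added lines this header accounts for (18 lines become 22), otherwise the reference dangles. The "[*]" note itself is consistent with the body (2.9 kilobytes of logic, 5 kilobytes with license headers), so no change is needed there.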