Pixel Envy

Written by Nick Heer.

The Potential Advantages of a JavaScript Whitelist

Brent Simmons:

What I want is two related and similar things:

  • The ability to turn off JavaScript by default, and turn it on only for selected sites. (For me that would be sites like GitHub.)

  • The ability to turn off cookies by default, and, again, turn them on only for selected sites.

If it‘s the opposite — if I have to blacklist instead of whitelist — then I’d be constantly blacklisting. And, the first time I go to a site, it gets to run code before I decide to allow it.

A cookie whitelist would, I think, be frustrating to non-technical users, but it would be nice to have as an option. And, I imagine, it could be extended to allowing any kind of local storage.

But a JavaScript whitelist is something I could absolutely get behind. When you think about it, it’s pretty nuts that we allow the automatic execution of whatever code a web developer wrote. We don’t do that for anything else, really — certainly not to the same extent of possibly hundreds of webpages visited daily, each carrying a dozen or more scripts.

The openness of the web is unlike other platforms that have become more locked-down. There are few permission requests when visiting a webpage. That’s both beautiful and potentially damaging, particularly as new JavaScript functionality has been added and browsers have increasingly prioritized JavaScript execution time. New engines run scripts far closer to the metal — as they say — but these speed improvements have come with increased risks. Two examples:

  1. I had a webpage open not too long ago that, astonishingly enough, was mining cryptocurrency with JavaScript. This was something I had previously heard about in the context of malware, but this was a legitimate page that was attempting to make some extra money by maxing out my CPU when I left the tab open. I only noticed it when my iMac’s fans started whirring like I was rendering video or something.

  2. The speculative vulnerabilities in Intel CPUs, revealed last year, were exploitable through JavaScript.

It’s baffling to me that trackers, ad networks, cryptocurrency miners, and image lightboxes are all written for the web in the same language and that there is little granularity in how they’re treated. You can either turn all scripts off and lose key functionality on some websites, or you can turn everything on and accept the risk that your CPU will be monopolized in the background.