zlacker

> Javascript is a privacy and security nightmare.

AFAIK, JavaScript the language has neither privacy nor security issues of "nightmare" level.

> It's almost equivalent to downloading and silently executing untrusted code on your machine.

No it's not. The code is run in a VM, which is run in a browser. So, the code is limited in doing things to the browser, which itself is limited in what it can do to your computer (files and whatnot). So it's not at all like running untrusted code "on your machine".

> I say "almost" because Javascript code is virtualized and sandboxed.

It's virtualized (in the browser) such that all the code will run almost the same on different browsers and chipsets. Again, the browser code is what keeps the computer safe from any code it runs, including CSS code or other VMs it may use, like Java or Flash. Also the OS keeps the computer safe from the browser (or at least it should).

So, no it's not JavaScript that is the boogeyman here.

>>kordle+(OP)
My understanding is that JavaScript is the primary mechanism used in browser fingerprinting and cross-site user tracking/"analytics". Isn't that a rather large privacy and (personal, if not specifically "cyber") security risk?

>>jachee+y
Yes.

The "security features" of popular browsers will never protect the user from the tentacles of internet advertising. Companies/organizations that author popular web browsers generally rely on the success of internet advertising in order to continue as going concerns; as such, they are obviously not focused on internet advertising, and collection of user data, as a "security threat".

>>jachee+y
Actually, the main and most used mechanism of cross-site user tracking and "fingerprinting" are cookies, which do not require any JS to work.

>>XCSme+PD1
How does cross-site user tracking do its thing?

>>jachee+hZ4
Set a cookie using HTTP headers.

Use a tracking pixel (eg. image) to make further requests and cookie will be included in the request.