I have encountered several issues (they are closed, I was asked to close them and discuss here first), severely crippling usability of Forgejo when JavaScript is disabled:
I was advised to create a general discussion on whether usability without JavaScript is a decent goal to achieve.
My arguments are:
- Running any Turing-complete code on client is a security and privacy threat.
- It is impossible to prove that a certain Turing-complete program was not designed to do harm even if there is a perfect formal model what "harm" is.
- Browser engines tend to expose JavaScript API that can be used to violate users' privacy and security. Even the basic unprivileged APIs like
getBoundingClientRect or even math functions pose a threat, so are measureText and other canvas API, any APIs allowing to measure time (or that can be repurposed to measure time using ability to execute advanced algorythms on client), any API allowing low-level access like WebGL, WebGPU 1 2 and WASM
- Monopolist browser vendors tend to design, implement and promote APIs that are designed harmful (
negative used to be explicitly called harmful in the past) while benefiting their business interests in tracking users, and other browser vendors can have no other options but to implement those APIs too if too much websites start to depend on them.
- Even if there is no harmful APIs in a browser
- the mere access to memory by predictable alignment + precise enough timer are enough to do attacks on hardware like RowHammer or Spectre
- it allows to do sophisticated algorythms to bypass mitigation techniques like DEP + ASLR when exploiting exploits not in JS code
- While some of the attack surface is available via CSS, disabling JS still protects from the most of attacks. This creates strong incentives to disable JavaScript.
- JS implementations of algorithms can work less efficiently than CSS ones.
- the model provided by frameworks doesn't interplay well with what browsers provide, which results in a significant overhead, though since Houdini (set of API allowing to plug own code into certain points in browser rendering pipeline) things should have become better. Though I feel like Houdini can open possibilities of fingerprinting.
- JS is a developing language and using the most shiny new features breaks the browsers not having them.
- as discussed within the issues linked, implementing the needed functionality without JS shouldn't be costly or take a lot of work. I feel like the same applies to all the essential functionality of a source code hosting.
- I suspect that the rationale mentioned above is obvious and that's why usability without JS is a requirement for
A — Excellent score in GNU ethical repository criteria, though IMHO it doesn't make sense to divide features into tiers and also IMHO technical criteria are much more important than promotion of GNU/approved licenses, so IMHO no-JS is one of the most basic features.
So my proposal is to adopt a policy that
- it is a goal worth pursuing to have Forgejo usable without any client-side JavaScript working
- that if a functionality can be done in HTML and CSS (in this order, CSS can also be missing!), then it should be done that way
- if implementing functionality in HTML requires server-side support, then it should be implemented.
- that progressive enhancement approach should be used, so relying on new shiny features of browsers only if they are available and if it makes enough sense to use them
- that source code hosting is a serious business and that providing a shiny beautiful visual effect is not a rationale to introduce a dependency on a dangerous or too new API; that working, reliable, rock-solid, simple and clean is preferrable to new, shiny, posh and visually bloated. Animations and effects have the least priority possible and should be done without JS and the website should be usable and working and convenient even if the effects code is completely broken.
- that VanillaJS should be used instead of frameworks.
- JQuery should also not be allowed. We have the needed functionality within browsers for a very long time.
I have encountered several issues (they are closed, I was asked to close them and discuss here first), severely crippling usability of Forgejo when JavaScript is disabled:
* [ ] https://codeberg.org/forgejo/forgejo/issues/1631
* [ ] https://codeberg.org/forgejo/forgejo/issues/1632
* [ ] https://codeberg.org/forgejo/forgejo/issues/1633
* [ ] https://codeberg.org/forgejo/forgejo/issues/1634
* [ ] https://codeberg.org/forgejo/forgejo/issues/1635
I [was advised](/forgejo/forgejo/issues/1634#issuecomment-1283633) to create a general discussion on whether usability without JavaScript is a decent goal to achieve.
My arguments are:
* Running any Turing-complete code on client is a security and privacy threat.
* It is [impossible to prove](https://en.wikipedia.org/wiki/Halting_problem) that a certain Turing-complete program was not designed to do harm even if there is a perfect formal model what "harm" is.
* Browser engines tend to expose JavaScript API that can be used to violate users' privacy and security. Even the basic unprivileged APIs like `getBoundingClientRect` or [even math functions](https://privacycheck.sec.lrz.de/active/fp_mr/fp_math_routines.html) pose a threat, so are [`measureText`](https://codeberg.org/KOLANICH-research/Article-2015-Dull-captaincy-or-the-way-Tor-Project-fights-brows) and other canvas API, any APIs allowing to measure time (or that [can be repurposed to measure time using ability to execute advanced algorythms on client](https://gruss.cc/files/fantastictimers.pdf)), any API allowing low-level access like WebGL, WebGPU [1](https://arxiv.org/pdf/2201.09956) [2](https://www.vusec.net/wp-content/uploads/2018/05/glitch.pdf) and WASM
* Monopolist browser vendors tend to design, implement and promote APIs that [are designed harmful](https://github.com/mozilla/standards-positions) (`negative` [used to be explicitly called `harmful`](https://github.com/mozilla/standards-positions/pull/680) in the past) while benefiting their business interests in tracking users, and other browser vendors can have no other options but to implement those APIs too if too much websites start to depend on them.
* Even if there is no harmful APIs in a browser
* the mere access to memory by predictable alignment + precise enough timer are enough to do attacks on hardware like [RowHammer](https://github.com/IAIK/rowhammerjs) or [Spectre](https://github.com/alephsecurity/spectreBrowserResearch)
* it allows to do sophisticated algorythms to bypass mitigation techniques like DEP + ASLR when exploiting exploits not in JS code
* While some of the attack surface is available via CSS, disabling JS still protects from the most of attacks. This creates strong incentives to disable JavaScript.
* JS implementations of algorithms can work less efficiently than CSS ones.
* the model provided by frameworks doesn't interplay well with what browsers provide, which results in a significant overhead, though since Houdini (set of API allowing to plug own code into certain points in browser rendering pipeline) things should have become better. Though I feel like Houdini can open possibilities of fingerprinting.
* JS is a developing language and using the most shiny new features breaks the browsers not having them.
* as discussed within the issues linked, implementing the needed functionality without JS shouldn't be costly or take a lot of work. I feel like the same applies to all the essential functionality of a source code hosting.
* I **suspect** that the rationale mentioned above is obvious and that's why usability without JS [is a requirement for `A — Excellent` score in `GNU ethical repository criteria`](https://www.gnu.org/software/repo-criteria.html#A), though IMHO it doesn't make sense to divide features into tiers and also IMHO technical criteria are much more important than promotion of GNU/approved licenses, so IMHO no-JS is one of the most basic features.
So my proposal is to adopt a policy that
* it is a goal worth pursuing to have Forgejo usable without any client-side JavaScript working
* that if a functionality can be done in HTML and CSS (in this order, CSS can also be missing!), then it should be done that way
* if implementing functionality in HTML requires server-side support, then it should be implemented.
* that [progressive enhancement](https://en.wikipedia.org/wiki/Progressive_enhancement) approach should be used, so relying on new shiny features of browsers only if they are available and if it makes enough sense to use them
* that source code hosting is a serious business and that providing a shiny beautiful visual effect is not a rationale to introduce a dependency on a dangerous or too new API; that working, reliable, rock-solid, simple and clean is preferrable to new, shiny, posh and visually bloated. Animations and effects have the least priority possible and should be done without JS and the website should be usable and working and convenient even if the effects code is completely broken.
* that VanillaJS should be used instead of frameworks.
* JQuery should also not be allowed. We have the needed functionality within browsers for a very long time.