freepo.st

A language is Turing complete if it can be used to solve any computational problem. We often refer to any such language as a ‘programming’ language as they can be used to program any and all aspects of a computer.

HTML and CSS are not programming languages (turing-complete) because they cannot be used to solve a computational problem. For example, you cannot calculate 1+1 in HTML or CSS. This is why HTML and CSS are so safe for web-browsing, because they cannot ‘do’ anything other than convey data/information to you.

Javascript, on the other hand, is turing-complete. Javascript can be used to make any program you want, an operating system, a word processor, or a piece of malware.

It is absurd that anyone would accept and run a turing-complete language (such as Javascript) by default and without first reading or performing an audit of the code. It is the equivilent of using the default operating system that comes on a new laptop without first reading a security audit, sure it may be ‘convenient’ but it is not secure.

This is why I have permanently disabled Javascript. Sure, when the Javascript is FOSS I consider allowing it, but you should never accept it by default.