What Spectre and Meltdown Mean for JavaScript

Posted by Matt Birchler
— 1 min read

Will Spectre & Meltdown Break JavaScript? - Developer Drive:

Even if we did magically get perfect fixes for the Meltdown and Spectre problems, this is going to spark a larger conversation about security and JavaScript in particular. I mean, what other bits of hardware could be compromised by a simple web page? This could happen again. No, to hell with that. This will happen again.

It wouldn’t even have to be a “suspicious” page. Regular sites get hijacked or get code injected into them all the time. How are security-conscious organizations and users going to respond to this news? I suspect that we’ll see a higher rate of users who have either turned JS off, or have had it turned off for them. We may not be able to rely on it as much as we have been lately.

JavaScript is a truly essential part of the web experience in 2018. All of your favorite websites use it for something or other, and basically no web apps you love today would be possible without it. Unlike a server-side language like PHP, JavaScript runs on your local computer. Usually this is fine, and browser makers generally do a good job of blocking that code from accessing things it shouldn't have access to, but vulnerabilities like Spectre and Meltdown have to make us take a step back and think about websites as software, not innocent web pages (or documents) that we simply load from somewhere else.