Web 2.0, Meet JavaScript 2.0

Jeremy Martin writes "Well I suppose it's an undeniable fact about us programmer-types — every now and then we just can't help but get excited about something really nerdy. For me right now, that is definitely JavaScript 2.0. I was just taking a look at the proposed specifications and I am really, truly excited about what we have coming."

Re:Meh.

[Timothy Brownawell]

The main problem is that given MicroSoft's history, I'm not sure I trust it. Who's to say they won't try to use it to somehow force people to their proprietary stuff?

"Program Units" - potential for misuse

[willy_me]

Reading the article I found "Program Units" to be interesting. Most importantly, how does the running program know that the downloaded script is safe? At first glance it appears that one could easily inject malicious script via a man in the middle attack. Now I'm sure that the designers have thought about this so my question is, how does JavaScript 2.0 protect against this?

William

Re:Meh.

[Embedded2004]

Heh. Silverlight is proprietary in it's entirety is it not? Microsoft hasn't released any patents they hold on .net/C# have they?

Re:As long as I got my Framework

[SeanTobin]

FYI, I've done ajax file uploads using jQuery. Works in IE6/7 and FF2/3. See jQuery [jquery.com] and the jQuery form plugin [malsup.com].

Re:Javascript 2.0, usable by 2015...

[maxume]

Mozilla has a project underway to make a plug-in run javascript 2.0 inside of IE:

http://wiki.mozilla.org/Tamarin:ScreamingMonkey [mozilla.org]

Re:Ugh

[Paradise Pete]

What a load of utter bollocks! Show me a feature that cannot be misused, and I'll show you a feature that isn't terribly useful.

He said guaranteed, not could, which carries quite a different meaning. But go ahead and post your thoughts there. Perhaps he might expand on it.

JavaScript changing into Python

[xant]

Actually, if you consider Python to be the opposite of Java (and I very nearly do), just the opposite is happening. Because Javascript is changing into Python, and this makes me happy.

There are indeed many Java-y features being added, such as "use unit" and classes, but these are also Python features. The one feature I saw from the article that looked distinctly Java-ish was static type checking at compile time, and Python will have something similar by the time JS 2.0 is generally usable (i.e. both are optional).

Features in nearer-term versions of JS are even more obviously Pythonic, though. Generators and tuple unpacking, for example.

I'll lay my cards on the table and say that I think Java makes programming laborious and unpleasant, and Python does just the opposite. These features don't seem to make JS any more programmer-unfriendly, and they add a lot, so I'm looking forward to Pythonic JS 2.0.

Standards rule

[heroine]

Instead of writing specs in essay form & expecting someone else to translate them into software, why can't these guys just write the spec in the form of the software to actually implement it and then rely on someone else to optimize it?

Re:Cross-Browser

[Curien]

Because by default, Windows 2K/XP comes with three scripting languages: cmd.exe (useful, but not COM-enabled), VBScript, and Javascript (well, technically it's "JScript", which is Microsoft's embraced and extended version of Javascript). I'd sooner scratch out my eyes than use VBScript for anything longer than five lines, so Javascript it is.

For example, some corporate environments think that disabling all the programs in system32 to be a "security feature"... which means you can't do things like fix corrupt registry entries in your own HKCU hive! So I wrote a command-line registry editor (similar to reg.exe) in Javascript+WSH+WMI. I also used it to write a little utility that basically replicated the remote installation feature of SMS. Except mine doesn't break all the fucking time on networks that aren't always up (SMS server was separated from all the clients by a TACLANE that's only brought up as-needed).

Oh, and I wrote a DB app in Javascript that just happened to use a browser for a GUI (but there was no webserver middle-ware). Again, mostly because I loathe anything VB-related (such as VBA usually used to script Access). See http://www.kuro5hin.org/story/2005/7/14/13942/7643 [kuro5hin.org].

Re:Ugh

[mfnickster]

print("astring" + "anotherstring" + "thirdstring");

be better than

cout << "astring" << "anotherstring" << "thirdstring";

Well, for one thing, 'print' is a verb instead of a noun. Also '+' is often used as shorthand for 'and' in English, so it's probably semantically clearer and more intuitive.

Now, if anyone can tell me why C's indirection operator is the same as 'multiply', and its address operator is the same as bitwise AND?

I always thought it would make more sense to use '$' = 'value of' and '@' = 'address of' for these.

Re:"Program Units" - potential for misuse

[Maxmin]

At first glance it appears that one could easily inject malicious script via a man in the middle attack. Now I'm sure that the designers have thought about this so my question is, how does JavaScript 2.0 protect against this?

You're talking about signed scripts, something not very commonly used. Something about being endlessly prompted to approve your browser's verification of the script's authenticity, or some crazy shit like that.

Point is, however, you're talking about a vulnerability that's in the network. Any protocol or script or program sent over the 'net is vulnerable, unless signed, and even that can be faked. A hacked DNS server at your ISP could redirect you to a phishing site when you visit your bank's website. Or, Verizon could redirect your negatory DNS lookups to one of their spam servers.

... one could easily inject malicious X ... how does language/protocol/client Y protect against this?

See? So, the question you have to ask is, how common are MITM attacks? I don't know the answer, but it seems more likely that your bank or ISP or online retailer is going to "lose" a few million financial identities to hackers, than you'd fall victim to a silently-inserted malicious script.

But who knows? Web browser security is notoriously tissue-thin, so we all have risk profiles with non-zero p, and the MITM attack could come along any vector- flash, HTML, HTTP, DNS, SMTP, etc.

Look at all the malware out there, a far more tangible problem; downloaded by unwitting noobs, busily building networks of zombie spam bots or whatever. MITM seems a more risky technology investment for the digital conman, with the penalties of being traced and caught. Kind of amazing that malware authors aren't chased down the same way hackers are. Maybe I don't watch enought television - missed when Prezzie Bush signed the anti-malware bill into law.

Re:Ugh

[OoSync]

Introducing classes for all of the Java programmers who can't understand a Self-like language...introducing classes into a prototype-based language just doesn't make sense.

Wrong!

The justification for classes in a prototype-based language is to use type safety properties in library and infrastructure code. Read enough from Brandon Eich and Douglas Crockford and you realize there are strict limitations on what safety properties can be guaranteed by current JS. At least, providing such properties is convoluted and error prone. Classes help provide needed structure for places that JS cannot hope to provide solutions today.

For example, I have a suspicion that Brandon is really attempting to replace the the Mozilla DOM code (C++) with JS2 code. This would simplify the interaction of the garbage collectors (some of those "memory leaks" everyone fusses about, ESPECIALLY in IE) and other infrastructure code.

Classes in JS2 are NOT about needed to emulate Java, so much as it is about providing tools to write robust libraries. Want more proof: MS Silverlight and Adobe Air are both based around JS2-like enhanced scripting languages. Those products make extensive use of the type safety properties brought by classes. This is also Brandon's main complaint against MS ATM. MS is promoting proprietary products with a JS2-like language, but stonewalling support for an open standard (with a robust reference implementation). Think about that for a minute: JS2-like languages are shipping today. Why can't we have a public standard for everyone else to use? Prototypes stay useful, though. MS incorporated extention methods in .NET 3.5, which have much the flavor of prototypes (when combined with generics) in a class-based language. Classes also bring some performance improvements, but that seems to be a secondary concern.

So, we have classes to build robust libraries and prototypes to glue them together with random code. Best of both worlds.

Finally, JS2 is 95% backwards compatible with JS1. The missing 5% is due to clarification of murky parts of JS1 and fixing a few issues everyone complains about. This also obliterates the need for multiple implementations of JS1 and JS2. The JS2 engine can take care of code, old and new. Even with class-based programming and you can "route around" classes using prototypes to extend functionality if you don't need the safety properties (most web code, but not libraries).

Re:Ugh

[Peaker]

Now, if anyone can tell me why C's indirection operator is the same as 'multiply', and its address operator is the same as bitwise AND?

I always thought it would make more sense to use '$' = 'value of' and '@' = 'address of' for these.

To be fair, "$" and "@" meant currency and apple pie back in that day :-)

I think that by far C's main syntatic problem is using a prefix operator for pointer types and pointer dereferences, when the other type operators (arrays and functions) are postfixes. Because of this mistake, virtually all C programmers to this day, do not fully understand C's declaration syntax.

For example, to declare a function that takes a pointer to a void function(int) as an argument, and returns a pointer to a function(void) that returns a pointer to an array[SIZE] of chars, you would have to write:

char (*(*func(void (*func)(int)))(void))[SIZE];

It also means we have to write:

m->x

because:
(*m).x is required with a prefix operator, and is hard to type.

There are few C programmers who can read that first example. Now lets try a Pointer-as-postfix syntax for the same thing. We shall not use * as a postfix operator, because it would make the expression: "a * - b" ambiguous ("a*(-b)" or "(a*)-b"?). Instead, let us use your suggestion, and make "$" the postfix type operator, and dereference operator, and see the consequences. Lets also put the base-type after the expression instead of before it, and see what happens to the above declaration:

func(function$(int) void)$(void)$[SIZE] char

Note that this simply reads left-to-right now (because we removed the mishmash of prefix/postfix operators), and there is no need for parenthesis to denote precedence, just functions.

The "->" syntax is no longer needed, as like in Pascal, we can have:

m$.x

which clearly means: dereference m and then get the x member.

Re:v2.0

[somethinghollow]

I suggest watching Douglas Crockford's JS trilogy on YUI Theater.