Oh gee, I completely forgot that the form tag has ceased to exist.

Attaching a form statically to every single comment would be ridiculous. Don't be stupid.

There's no reason why that would be ridiculous. It also doesnt have to be on the same page either. Forums have had submission forms on separate pages for as long as they've existed, without issue.

However with javascript, reddit makes it more convenient to make responses.

Which, according to your own logic, makes reddit an incompetently-designed website.

That is…the opposite of correct. My logic is that it is incompetently designed if it is not readable with JS turned off.

Eh, that's a different tune than what you were originally singing, but okay. I don't disagree with that as much, but I don't believe that taking advantage of a highly prominent technology and missing a noscript tag shows one's "incompetence". Yes, they should have it, but to completely question one's programming ability based solely on that is pushing it.

The visitors don't care, hence they have no problem using GSS.

Except, as I said, for the ones that don't like getting their boxes pwned.

Nobody likes getting their boxes pwned. Most people are reasonable enough to understand that they won't get pwned by javascript unless they go to the deliberately sketchiest of sketchy websites, with an outdated browser, and still have a miniscule chance. More people are going to get pwned because they're idiots and decide to download/execute random executable files, not because a drive-by script on google.com popped their browser.

That said, the very large majority of people run browsers with javascript enabled by default, and so no, the grand majority of visitors won't care.

You appear to advocate everyone having modern browsers, but completely disabling Javascript.

And then selectively enabling it for sites that really need it, using something like NoScript, yes.

That's more like it. Using NoScript is highly recommended (I use it heavily) and stops you from getting pwned by super sketchy websites, should you go to them accidentally (or intentionally even) or be linked to them by others. The GSS website arguably doesn't go under this category. You've completely changed your tune here as well, and selectively enabling JS for pretty much everything except for trackers/advertisers and... I guess hackforums-like websites? You'll be perfectly fine, short of already having malware on your machine.

You belong to a group of maybe 3 people in the world.

Pretty sure NoScript is used by a hell of a lot more than 3 people.

Again, you changed your tune from using zero Javascript to selectively using it (though still arguably too selectively). Using NoScript is much more reasonable, and puts you into a much larger group. Still not the majority, and not any size of group that devs in general will specifically cater to (and I say this being a member of that NoScript group), but still larger.

Constraint-based layouts will beat... whatever the hell CSS is any day.

What about Flexbox? It is also kinda-sorta constraint-ish.

Flexbox is nicer, and it finally has pretty good compatibility amongst the latest browsers, but it's not constraint-based and doesn't solve some of the core (and especially legacy) problems with CSS. Definitely an improvement on all of the other floaty bullcrap though.

Having Turing completeness isn't the requirement of something exploitable

No. It does, however, make it far more likely to be exploitable, especially compared to a language as high-level and strictly declarative as CSS. Good luck sneaking shellcode into a browser through a box-shadow or something.

I do agree with that, but arguably any new browser feature will add to the attack surface. It just so happens that most of the new features have been javascript APIs (though many of these APIs are fairly stupid and useless, but that's another rant for another day). Over time, they become more battle tested and secure, as is the case with any piece of software. I still don't consider that to be a reason to disregard any legitimate use of Javascript, but you seem to be pretty adamant on your blind paranoia.

Nonetheless, I do agree that Javascript does suck, and if a Turing-complete system were to exist for the web, I would much prefer it to be something like Native Client

Are you fucking kidding me? Now you want me to run arbitrary machine code for every jackass website?! Without even so much as a browser VM in the way?! Pure insanity!

Wat. Disregarding the fact that you clearly don't know what native client even does, the sandbox used for JS is shit compared to the one in NaCl, even when talking about chrome. Just because there's a javascript JIT there doesn't mean a sandbox is no longer needed to secure things. The NaCl sandbox is more broad and catches whatever you can put in arbitrary machine code, not just what you can put in arbitrary javascript code. Just because it runs on the CPU doesn't mean it has carte blanche to do whatever the hell it wants, otherwise user-mode processes wouldn't be a thing, for one.

I suggest you give NaCl a second look, instead of putting on beer goggles and going into a trance because "machine code" was mentioned in the description. It's actually pretty well designed. Or don't - up to you I guess.

which appears to be much easier to secure by effectively putting a massive sandbox around it.

Good friggin' luck sandboxing something you don't even control (the CPU's instruction set). NaCl is one of the most obscenely stupid ideas for a browser API since ActiveX.

ActiveX was a stupid idea because it had no limitations whatsoever on what you could do, and so exploits were basically in their definition due to lack of any sandbox.

The best option, however, is if web applications were like Android applications in which you would have to accept a list of permissions once, after which you can run it.

That's not going to help much. JS doesn't even have a way to request privileges, let alone gain them, and there are still plenty of exploits based on it.

No shit. Hypothetical situations are not meant to be restricted to what currently exists. That's the entire point of bringing one up.

Android, too, is rife with malware. Doesn't mean I don't like it, mind you—sure beats Apple's horrid prison of an operating system—but installing an Android app is not nearly as safe as viewing a web page with JS turned off.

Android has had malware for two big reasons: it's the dominant mobile OS, and software is rarely perfect. Neither of those are going away, and if the web adopted ideas from it then it would have the same problems (to an extent - websites and mobile apps are very different beasts), however it would arguably be a much better system than what currently exists.

And yes, obviously reducing attack surface by turning things off will make them safer, almost by definition. Reducing features to nothing will be even safer.

For now though, I'm confident in using NoScript and modifying my about:config to disable rarely used javascript APIs. Oh, and my ability to trust my own judgment on whether or not a website is sketchy. 17+ years on the net and it hasn't failed me.