This site uses client-side scripting
5 Jun 2025 - Spooky, scary JavaScript update.
I have a few thoughts on client-side scripting. It was only recently that I decided to burden your browsers with up to 2.9 kilobytes of JavaScript code per page[*]. My previous zealotry in avoiding it was based on the privacy and security concerns I have with this technology, which I didn't want my few readers to deal with. So, let me explain why I decided to burden your browser with code the size of a photo taken with a Nokia 6600.
The sheer concept of running served code locally in your browser is alien to me. Sandboxed or not, escapes happen on a large scale. Just this week, the zero-day vulnerability CVE-2025-5419 (an out-of-bounds read and write in V8, Chrome's JavaScript engine, patched by Google on 2 June 2025) was documented after having existed for almost half a year in the wild. Last year, four severe vulnerabilities in the JavaScript engine emerged that I am aware of, one of which enabled arbitrary code execution (ACE) with as little as 40 lines of code (including the payload!).
Running code client-side means placing a lot of trust in your source (the website) but even more in the tool (the browser). My decision to include JavaScript in the non-critical functionality of the site was made for the comfort of average surfers. To be specific, visitors can now see my Mars clock update in real time. I wanted to demonstrate the difference between a Mars second and an Earth second in the simplest possible example.
The core functionality is, and always will be, executed server-side. All scripting is purely cosmetic and in no way interferes with your experience on my domain.
But don't take my word for it. I encourage every visitor to read my source code. Up-to-date "backups" are stored on my Git server and linked in every footer. Compare them with the dev console and call me out if you find any discrepancies. If you don't feel comfortable diving into the code, fire up JShelter to protect yourself. Even better, I encourage you to disable all JavaScript and fetch only my RSS feed.
Remember, a web publication should be obtained from the server in its complete and unaltered form. If someone hides information behind potential security risks, it might not be worth your time.
* If we include the license statements, which don't affect the logic of mentioned code, it adds up to 5 kilobytes per page.