Reply to post: "JavaScript has become the interface to the web..."

The power JavaScript: 'Gandalf of JS' Wirfs-Brock on ECMAscript 2017

Mike 137 Silver badge

"JavaScript has become the interface to the web..."

And incidentally the primary vector for client side breaches (regardless of the 'sophisticated' details of what happens after the initial compromise via JavaScript).

It's fundamentally contrary to basic security principles (and common sense) to download masses of untrustable and unverifiable code onto the client and execute it silently and automatically. It's even more fundamentally stupid to use this technique to accomplish things that can perfectly well, efficiently and safely be performed using good old HTML (e.g. the increasingly common idiocy of using JavaScript instead of link anchors to enable clickable elements for navigation).

Unfortunately this fashion for making even static pages into 'web apps' is essentially born of crashing ignorance. For example, I found today an online shop which declared that in the interest of security "our shopping cart runs entirely on the client, so there's no server to hack". Where do they think the shopping cart code resides at rest? What happens if that repository is contaminated by malicious actors?

Until software development has been raised to at least the minimum standard of a professional engineering discipline we remain at the mercy of fools and ignoramuses. Dunning and Kruger rule!
