freepo.st
Posted by neal in c/freepost (6 votes, 10 comments)

A language is Turing complete if it can be used to solve any computational problem. We often refer to any such language as a ‘programming’ language as they can be used to program any and all aspects of a computer.

HTML and CSS are not programming languages (Turing-complete) because they cannot be used to solve a computational problem. For example, you cannot calculate 1+1 in HTML or CSS. This is why HTML and CSS are so safe for web-browsing, because they cannot ‘do’ anything other than convey data/information to you.

Javascript, on the other hand, is Turing-complete. Javascript can be used to make any program you want, an operating system, a word processor, or a piece of malware.

It is absurd that anyone would accept and run a Turing-complete language (such as Javascript) by default and without first reading or performing an audit of the code. It is the equivalent of using the default operating system that comes on a new laptop without first reading a security audit; sure, it may be ‘convenient’, but it is not secure.

This is why I have permanently disabled Javascript. Sure, when the Javascript is FOSS I consider allowing it, but you should never accept it by default.

Turing-complete does not mean you can do anything you want. Turing-complete means you can compute any computable function. Lambda calculus is Turing-complete, but I cannot write a word processor in lambda calculus. Of course, I also disable Javascript for essentially the same reasons as you (though not as you stated it). However it has nothing to do with Turing-completeness. I am willing to bet that I can write a worm using a non-Turing-complete language.

  1. Javascript is a programming language, which is to say that pages that require Javascript are software.
  2. All software should be free software.
  3. Therefore, pages that require Javascript should be free software.

QED

HTML and CSS are not programming languages but document presentation languages. The distinction is between “code” and “data” rather than “Turing-complete” and “not Turing-complete”.

The term ‘Turing Complete’ is rather ambiguous. I’d argue that you could write a word processor in Lambda Calculus, but that most computers would not be able to interpret that as ‘code’ rather than ‘data’. I believe that the issue you are touching on is one of interpretation.

I know that my browser could not interpret HTML maliciously, but I do know that the JavaScript could be interpreted maliciously. This was the point I was trying to make; Javascript can perform infinite actions and thus I cannot review them all, meanwhile the actions HTML can perform are finite and thus I can review them. For me, that line when a language crosses from a finite set of possible instructions to an infinite set of possible instructions is where I pronounce that a language is Turing-complete, because I could not possibly understand all the possibilities of a Turing-complete language.

However, perhaps I have my definition wrong.

I’m very interested in this conversation and am very open to having my mind changed; if I seem stubborn in my opinion it is only because I am interested in having the best possible debate, something that can only be achieved if we both try equally hard to defend our point-of-view.

Don’t get me wrong, your concept is right, in terms of why Javascript can be malicious. I understood your point very well. It is just your use of the term “Turing Complete” I am objecting to. I am not sure how much you understand Turing completeness vs. are you just using the term casually, so I am not sure how much of this is obvious to you. And if you believe I am wrong about something please correct me:

Turing Completeness is a concept in computability theory, which deals with the concept of computable functions. These functions are mathematical functions, a mapping of one set of possible inputs to another set of possible outputs. We can encode ASCII, complex numbers, rationals, tuples, bitmap images, etc. in the natural numbers so we are really talking about a mapping of the natural numbers to the natural numbers. That detail is not very important, but is just to clarify that we are talking about honest-to-god numbers. Many functions can be computed without Turing completeness, such as exponentiation, factorial, and a few others, using finite loops. However to get all the computable functions you need to be Turing complete.

The point of all this is that this is totally separate from I/O, networking, filesystems, etc. A programming language could be Turing-complete without access to any of these. Any program written in such a language cannot be malicious, because there is nothing to harm. On the other hand, I could have a programming language with very simple semantics that is not Turing-complete but is still malicious. For a contrived example, take the command-line arguments of rm:

rm -rf --no-preserve-root /

If we describe rm as a “programming language” it is clearly not Turing-complete. However this command was very destructive.
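
The distinction drawn in the comment above, as an added example that is not part of the original thread: a straight-line command language that is not Turing-complete but holds a destructive capability, next to a Turing-complete counter machine that holds none. All names are hypothetical and the "filesystem" is a constructed in-memory Map, so nothing touches a real disk.

```javascript
// Language A: straight-line commands, no loops or branches (not Turing-complete).
// Its single primitive has a side effect on the host's in-memory file table.
function runStraightLine(program, fs) {
  let steps = 0;
  for (const [op, prefix] of program) {         // each command runs exactly once
    if (op !== "delete") throw new Error("unknown op: " + op);
    for (const path of [...fs.keys()]) {
      if (path.startsWith(prefix)) fs.delete(path);
    }
    steps++;
  }
  return steps;                                  // always program.length
}

// Language B: a Minsky counter machine (Turing-complete given unbounded counters).
// Instructions: ["inc", r, next] | ["decjz", r, next, ifZero] | ["halt"].
// It is handed only its own registers, so it has no way to reach `fs`.
function runCounterMachine(program, registers, maxSteps = 10000) {
  const regs = [...registers];
  let pc = 0;
  for (let step = 0; step < maxSteps; step++) {
    const [op, r, next, ifZero] = program[pc];
    if (op === "halt") return regs;
    if (op === "inc") { regs[r]++; pc = next; }
    else if (op === "decjz") {
      if (regs[r] === 0) pc = ifZero;
      else { regs[r]--; pc = next; }
    } else throw new Error("unknown op: " + op);
  }
  // Termination cannot be decided in general, so the host imposes a budget.
  throw new Error("step budget exhausted");
}

// Constructed sample data: three fake paths and a program computing r0 += r1.
function demo() {
  const fs = new Map([["/etc/hosts", "..."], ["/home/a/notes", "..."], ["/tmp/x", "..."]]);
  const add = [["decjz", 1, 1, 2], ["inc", 0, 0], ["halt"]];
  const sum = runCounterMachine(add, [3, 4])[0];
  const filesAfterB = fs.size;                   // B computed, but changed nothing
  const steps = runStraightLine([["delete", "/"]], fs);
  return { sum, filesAfterB, steps, filesAfterA: fs.size };
}
```

What each interpreter can damage is decided by what the host passes into it, not by how much it can compute.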

I fully agree.

Also, I think you’ll enjoy this essay: https://onpon4.github.io/other/kill-js/

That’s a good read, and relatively short also.

I feel https://notabug.org/SylvieLorxu/CSSBox may be semi-relevant to show just how much CSS can do.

Indeed, HTML5 and CSS go a long way to make a nice website without JavaScript. By the way, you should add a picture to the README :-)

Indeed you a browser extension for cases you need it.

Fuck.

Edit: Wait, you’re wrong.

There is no programmatic way to use the output of CSS as input. It can only perform one iteration before it requires human input to continue.

Source: https://stackoverflow.com/questions/2497146/is-css-turing-complete

The ‘creation’ of a Turing-complete cellular automaton in CSS is equivalent to taking a picture of a computer; sure, it gives an example of what it looks like, maybe even how you would go about creating one, but it doesn’t function.