It's surprising to me how many users on HN can only think as far as their own browser.
Really the question here is not "what's the harm of JS across the web" but rather what is the specific privacy cost of running JS on a sign in page and what is the security benefit of the same.
The worst case cost of JS on a browser is that you get a drive by download and your endpoint is owned. This seems unlikely on a Google domain.
The other, more normal, case is that a user is concerned about ad tracking. Providing an ad tracker on a sign in page seems pretty lame, and I'd be surprised, again, if Google was doing that.
The security upsides are likely several: anti-automation, anti-phishing, and an opportunity to track state-level adversaries who target users' Google accounts.
I don't know how others weigh these factors, but to me it seems entirely obvious that this is a good idea. Could the blog post have better laid out this case? Sure.
I'm sure tracking everyone and controlling exactly what they can do will make them safer. Why don't we put surveillance cameras everywhere and make them record 24/7 too? </s>
Authoritarian ideology like this is what turned me off the whole "security industry" years ago.
Google already controls exactly what you can do... on Google.
You're arguing against ubiquitous surveillance, when the OP is arguing for company surveillance of the way in which you interact with their login screen, on their site.
Why would google not at least have an incentive they'd have to work against, to add tracking into their sign in pages? They make all of their money off of ads and they do that by tracking people to target ads.
You might as well say people shouldn't take precautions swimming around sharks, because it's rare and be surprising if they attacked
> Hacker News works perfectly fine without Javascript.
keyword being "too".
> In fact, I don't think I've ever enabled Javascript here on Hacker News.
I mean, that's super, but it's just one more point in the column of how HN's population is out of touch with any regular person. It's really annoying to wait for the page reload on even a fast network, and good luck finding your place again if a thread is even moderately busy.
Ctrl f. But yes hacker news doesn't have the greatest UI.
Back to your main point. I don't think it's out of touch. It's different information or values. Do you think it's not annoying for me to not have JavaScript and have slow or broken pages? I know and feel the same thing, and I imagine anyone using no script does as well. It's just not worth it to me to let privacy be degraded for some speed.
I think this is due more heavily to being more informed about the situation than the average person, rather than different values. When Facebook starting getting in the news about all their privacy violations, Facebook MAU went down and the number of accounts deleted went up. That indicates that once people are aware of what is going on, they make similar choices about interacting with the companies.
The difference between many people on hacker news and the average populace is that we can both install something like noscript, and have a rough idea of how to interpret the options on it.
This makes perfect sense for Google. This will objectively greatly increase the account security of their users. Remember 99% of Google users are not at all like people on HN. Google is helping the 99% at the expense of the people paranoid about tracking - but if you have a Google account, you've already lost that battle.
This is a completely reasonable business decision and trade-off.
