
Because the code is being executed on my machine, with my data, using my online identity.

Until now, the general understanding for the web platform was that code that runs on a user's machine is also inspectable by that user. A large number of browser functions are developed with that understanding in mind.

You can argue that this practice should be changed, but that would be a rather fundamental change to the way the web works and the advantages and disadvantages should be discussed.

As a practical point: I don't condone cheating in multiplayer games, but the exact same obfuscation techniques that a game might use for legitimate reasons are also available to malware. If you make a general rule that programs should be hands-off to everyone except the devs (and browsers should change their tools accordingly), the same benefits will be given to malware.




> Because the code is being executed on my machine, with my data, using my online identity.

You chose to execute someone else's code by visiting their website. The mere act of voluntarily executing someone else's code doesn't entitle you to its source. Feel free to not visit the site, and looking at the top Alexa sites, your insistence on code audit-ability would leave you with very few viable, high quality choices.

> general understanding for the web platform was that code....

Untrue. It just so happened that the early web was a collection of static documents, and js was a hack to add some trivial functionality. Only recently has the web turned into a full-fledged app development platform.

> fundamental change to the way the web works ....

Again, this is an anachronistic view of the web. We're well past a collection of static documents.

> the same benefits will be given to malware ...

Goes without saying that technology can and will be used for good and bad. While one can legislate to discourage the bad, simply demanding code to be open sourced, as an argument for deterrence, is untrue, inaccurate and hampers innovation.

In summary: No one is entitled to someone else's web app code.


> You chose to execute someone else's code by visiting their website.

I block JS by default until I get at least a basic understanding what the site wants to do. So I explicitly choose not to execute their code before I have some reason to trust the site.

> Untrue. It just so happened that the early web was a collection of static documents, and js was a hack to add some trivial functionality.

And yet every browser has a "view source" button and extensive developer tools to give users the ability to both inspect as well as change what the website is doing. Not to mention extension ecosystems that are all about tampering with website code.

> ...and hampers innovation.

Given how the web platform is still going strong after 30 years and in fact is one of the dominant and fastest-innovating software ecosystems today, it evidently didn't.

Actually, "view source" can be a driver of innovation by giving novices an easy way to see and experiment with real-world code and a way for the broader community to quickly learn from each other's mistakes: https://blog.codinghorror.com/the-power-of-view-source/


The presence of "View Source", or extensions, or the ability to modify js is not evidence backing "All web apps need/were-meant to be open source".

Just to be clear, you can pick any x86 binary and disassemble it to x86 assembly, and if you know your way around gdb, single step and view registers, etc. This is not evidence of "all programs were meant to be open source, else we'd not have disassemblers and debuggers".

And lastly, how you choose to enable/disable js is of zero relevance to arguments for/against open sourcing web apps.


> I block JS by default until I get at least a basic understanding what the site wants to do. So I explicitly choose not to execute their code before I have some reason to trust the site.

But then the only difference is unobfuscated wasm vs unobfuscated javascript. In both cases an obfuscation can easily hide the scary bits anyway.



