In some ways, we've taken a few steps back from a programmable web—two things I miss: bookmarklets and user scripts. Imagine having a bookmarked shortcut to do complex things like taking screenshots or saving a PDF. Or running scripts to automatically change the styling of websites, removing annoying sections (not just ads!). All of this used to be possible.
They were a deliberate feature in this sense: I invented the
User scripts took this even further – Greasemonkey (and its successor Tampermonkey) – hosted a repository of scripts you could install and run on specific websites. These scripts added functionality to websites before companies could (or would) implement them – e.g., usability features for common sites like YouTube (add a download link), a queue for Netflix shows, or direct image links for Google Image Search.
Security policies have essentially killed the user script and bookmarklet ecosystem. Most of the scripts you can find on the remaining sites like Greasy Fork only provide minor improvements. The most-used scripts – like ad-blocking or annotating have become their own standalone browser extensions (e.g., AdBlock and Evernote/Notion Web Clipper).
The security benefit to consumers of blocking user scripts is probably a net positive for the average internet user. But why can't we have both? Surely we can find a way. Maybe running something like the QuickJS sandbox inside WebAssembly can provide a more secure way to access selective parts of the DOM.