It's only a joke if you don't trust the js script. Just like any encryption or software is a joke if it is untrustworthy. Unless you have the source code, it is verified and you compiled yourself, then there is always a point of weakness there. You could say the same about SSL certs and HTTPS on any website, you are blindly trusting VeriSign (or cert authority).

With a small caveat for HTML5 apps where you can install a verified version of specific code you trust in your browser or your phone. And Node.js applications which run on the server side in a controllable version.

But above is just a nuance. I agree on the basic idea when it comes to Javascript you run in the browser, it is a lost battle - unless I get a SHA256 of every version of every javascript library and compare to that, and disallow other unreadable (random emscripten junk) scripts on random pages you visit while browsing. That is why I have NoScript installed, and only allow handpicked sites to run javascript in the browser.

If only we would have had the declarative approach (I still am a little grumpy that the browser makers abandoned W3C and the far better designed declarative technology XHTML2 + XForms to pursue what is now HTML5).

Oh come one. The issue was with the developer using the environment that browsers present incorrectly and it wasn't an inherent flaw of the language.

A stupid/malicious designer will always exploit features of a language to reduce/eliminate the security of the entire system.

Don't be hating on js for the sake of hating on js!