I love the top gear reference, but surely May would have been the obvious choice, Hammond is just asking for a crash!

The Back to the Future trilogy is good for a re-view.

JavaScript (TypeScript) has access to cookies (and thus JWT). This should be handled by web browser, not JS. In case of log-in, in HTTPS POST request and in case of response of successful log-in, in HTTPS POST response. Then, in case of requesting web page, again, it should be handled in HTTPS GET request. This is lack of using least permissions as possible, JS should not have access to cookies.

JavaScript needs access to the cookies, they are the data storage for a given site.
To protect them, the browser silos them to the individual site that created them, that’s why developers haven’t been able to easily load cross domain content for years, to mitigate XSS attacks.
The security relies on the premise that the only valid source of script is the originating domain.
The flaw here was allowing clients to add arbitrary script that was displayed to others.
You’re dead right that only the way to fix this is to do away with JavaScript access to certain things, but it will require a complete refactor of how cookies work.
I haven’t done any web dev in a few years, this might even be a solved problem by now and we are just seeing an old school implementation. 🤷

20 years of professional developer experience and some outsider knowledge of what Facebook has done in the past.

I’m not a cheap whore Meta, I expect to get PAID.

I’m only one voice screaming in the darkness, but I want to be clear.
These are not risks. These are certainties.
And the only thing we can do about it is refuse to participate in their bad faith actions, for whatever good that will do.

Maybe the client is faster/prettier/can show videos/uses less data/integrates with their phone better.
Maybe it’s got features that clients here lack such as the ability to host larger images or video.
Maybe the user is sick of responding to conversations over there and it not being federated, so they are ignored.
Maybe using the Threads app is just faster (because it’s local instead of batch federating).

If I was in charge of product design for Threads, I would be literally crawling the issue listings for Lemmy/Kbin and the associated clients looking for complaints and implementing solutions for those problems.
Then I would make a list of every limitation within the system and make sure Threads exceeds that baseline.

And then when I had made the software better in every measurable way (because I am paying a large team of developers to target those pain points), I’d start adding features that ActivityPub doesn’t, especially if ActivityPub instances would find those features hard to implement.

I’d make damn sure that every time ActivityPub changes from a source outside Meta, I’d drag my heels on implementing that feature, so that instance hosts are forced to choose between implementing the new version, or maintaining compatability with Threads.

Why would a user here move there?
Because their spouse/coworker/friend tried to send something for the 50th time and the message just never came through.

Threads will mainstream threads.
Any good content here will be available to the Threads users, who will be oblivious to where it is coming from.
Eventually, Meta will take steps to break compatability, and lots of the most prolific contributors from here will move to Threads exclusively (for a host of valid reasons).
When it is no longer in Meta interest to federate, they will stop.

The fediverse will continue, but it will be weakened by it’s temporary reliance on Threads (who could afford to host large images/videos/etc, have lower latency, etc etc).

The issue was the owners choice of not federating with anything nsfw.

By moving to lemmy.world I could still post as much as I wanted to !australia@aussie.zone AND upvote boobs.

I moved from aussie.zone to lemmy.world already to get around federation issues.
Now beehaw.org has stopped federating with lemmy.world 🤷‍♂️

I don’t want to have half a dozen accounts so that I can access all the niches of this system, and yet it’s beggining to look like the dream of federation is stillborn.

Absolutely possible.
The key to simple self hosting is to have a dns record that points to your externally accessible IP, whether that be your real one or an external one hosted at a VPN provider.
If that IP changes, you’ll need to update it dynamically.

It’s becoming increasibly common to be a requirement to do so as CGNat becomes more widespread.

One of the newer ways to do that is with a Cloudflare Tunnel, which whilst technically is only for web traffic, they ignore low throughput usage for other things like SSH.