What's with those Do-Not-Use JavaScript People?

Question

I really don't understand what the problem is with those people who ask you not to use JavaScript on your site.

I went through all sorts of trouble trying to remove a couple of JavaScript scripts I used on one of my sites to appease a couple of "complainers". A month later, after a relentless attack by spam bots, I decided I better add the JavaScript spam prevention code back in.

JavaScript is obviously used by a lot of programmers. It is currently the 6th most popular tag here at Stack Overflow. It is used on practically every single website that I know of.

The claim that it is a security risk seems bogus to me. I've had JavaScript on in my browser for as long as I remember, and not once have I found out that anything malicious has happened.

JavaScript has, of course, been extended into AJAX. And AJAX is the thing that makes the wonderful world of Web 2.0 work. And that includes this wonderful Stack Overflow site.

So is there something I'm missing? Is there something wrong with JavaScript that I'm not aware of?

---

Follow-up:

I am flabbergasted by the response to my Question.

The responses are strong and vociferous from the Anti-JavaScript people.

There was one pro-JavaScript comment, and it was voted down (as I write this to -2) by the others.

I turned JavaScript off to add this follow-up. I immediately notice three obvious things (There might be more):

1. A big annoying white on red banner at the top of each page saying: "Stack Overflow works best with JavaScript enabled". (Annoyance)

2. Comments cannot be viewed at all or added. You can't vote up or vote down. You can't select the accepted answer. (Loss of functionality)

3. Of course none of the AJAX stuff works. I don't have access to the line of editing tools above this entry box, and I can't see the preview as I type this. (Inconveniences)

So as far as I am concerned, turning your JavaScript off results in Annoyances, Loss of Functionality, and Inconvenience.

I'm sorry for the handicapped people who have no JavaScript support, but I still don't get why so many of you are so religiously against using it.

Personally, I love what AJAX and its beautiful interfaces and enhanced functionality are doing to the Web. I try to add such features to my site and it annoys me when the Anti-JavaScript people ask me - no, demand of me to take it out because they can't access them.

But how many of you use Stack Overflow with JavaScript off? None I would expect. Your answer would be that you turn it on for sites you trust like Stack Overflow.

Okay. If I make a site that uses Ajax or JavaScript, then I'm fine with you turning it off until you decide to trust my site. But don't expect me to be required to give you all the functionality that I do to people who trust me. Even Stack Overflow doesn't.

If someone wants to embellish this idea, I'll give them the accepted answer.

---

Also see the question: Is it worth it to code different functionality for users with JavaScript disabled?

and my answer to that question (which, when I last looked, had been voted down by the Do-Not-Use JavaScript people).

---

Followup. I found the following opinion about JavaScript at the WP-SpamFree WordPress Plugin page:

"Most of the spam hitting your blog originates from bots. Few bots can process JavaScript. Few bots can process cookies. Fewer still, can handle both. In a nutshell, this plugin uses a combo of JavaScript and cookies (on steroids) to weed out the humans from spambots, preventing 99%+ of automated spam from ever getting to your site. Almost 100% of web site visitors will have these turned on by default, so this type of solution works silently in the background, with no inconveniences. There are extremely few users (less than 2%) that have JavaScript and/or cookies turned off by default, but they will be prompted to turn those back on to post their comment.

Stats show that among all Internet users, less than 2% have JavaScript turned off, and less than 1% have cookies turned off. This requirement isn’t anything out of the ordinary because most modern websites require the use of JavaScript and cookies for key features — AJAX, for example, won’t work if JS is disabled.

Overall, the very few that might be inconvenienced because they have JS and cookies turned off will be far fewer than the 100% who would be annoyed by CAPTCHA’s, challenge questions, and other validation methods."

Answer 1

Some mobile browsers do not support Javascript and relying on Javascript might render them unsupported.

Answer 2

Cross-site scripting is a major concern. Also, just because you have not found out that anything bad has happened is not a reliable indicator that it hasn't.

Answer 3

Javascript is not good or bad, in the same way that a hammer is not good or bad. It's what you do with it that is good or bad. Many of the sites that use Javascript, use it where it is not actually necessary.

Some reasons why Javascript should not be overused:

• search engines don't pick up script-generated content
• creating a nontrivial script that works in all browsers can be tricky
• many basic things can be achieved using CSS instead, which degrades more gracefully
• XSS (as recursive mentioned) can make bad things happen to your visitors if you screw up (although scripts might still be injected even if your site is Javascript-free, of course)
• you might think that every browser nowadays supports Javascript, but with more and more people using script-blocker extensions like NoScript for Firefox, this does not have to be true

Bottom line: Javascript should be used to enhance the website, but so far as humanly possible, the site should still work without it.

Answer 4

My feelings about JavaScript can be read at my answer to another question. I'm definitely pro-JavaScript. However, after reading through the forum thread you linked to I have two thoughts.

1. Some users will refuse to use JavaScript, as you have seen from other answers to this question. There is no way to change this fact. You have to decide if you are willing to lose those users. If you aren't, then you must provide an alternative method.
2. My suggestion to you for your particular problem is to use your spam prevention JavaScript for users who have it enabled. For users who do not, implement a CAPTCHA solution. This gives the majority of your users the better experience, while providing the small minority the opportunity to use your site with slightly more inconvenience.

Answer 5

We are worried that by visiting an evil site, it will attack our internal network, make a request to another site that I am logged into, or perhaps things like the myspace worm.

• http://www.betanews.com/article/Symantec_Change_Your_Router_Password/1171644147
• http://en.wikipedia.org/wiki/Cross-site_request_forgery
• http://en.wikipedia.org/wiki/Samy_(XSS)

I choose to use the firefox plugin noscript. This allows me to whitelist sites I trust.

Of course we also get annoyed at stupid things web developers try to do with javascript like break the back button, prevent me from saving images, popups, etc. Disabling javascript makes the web a far less annoying place.

Answer 6

The browsers used by blind/disabled people have limited or no javascript support.

Answer 7

My 2c (and why I disable every Javascript feature I can in Firefox aside from basic Javascript):

Client-side scripting is typically associated with annoying client-side behavior. From popup windows, to window move/resize, to status bar overwrite, to blinking images, to browser-specific interfaces: virtually everything annoying in the early days of the web was enabled by Javascript. Now, of course, there are many other ways to annoy, and a similar number of blocking addons, but Javascript is the grand-daddy of web pain and frustration.

I'd guess that (aside from security issues and legitimate complaints), that's the primary reason for residual Javascript hate.

Answer 8

I'm pro-Javascript. People that disable it have only themselves to blame. I haven't read a single reason in this thread yet that would justify doing so.

However search-engine optimization and acessibility are serious concerns for some websites, so that is a reason to cut back on the JS goodness.

That said, I too first check if a particular effect can be achieved with pure HTML/CSS, and only then resort to JS if nothing else works (or I need a very complex behaviour).

Answer 9

Just make sure that a webpage's basic functions work for everybody. There are valid reasons that webpages should be usable without JavaScript: Accessibility (a.k.a. for users that have to access webpages via non-standard browsers), machine readability (a.k.a. search engines, ...), even some nasty ads can go away if you disable Javascript. And yes, a page could request some stuff from somewhere else without you noticing, but it could also do that with a simple iframe or an img...

However that does not necessarily mean, that all functionality needs to be available. If it protects you, require JS for comments (as long as you can live with some people not being able to leave comments). That's a business consideration you've got to make. Noone can expect you to leave out your security just to allow them to be paranoid.

It's your webpage after all.

---

BTW: Yes, I'm very aware that this is a very controversal view, especially because it has "religion" involved.

Being on the "ripped off" side of the medallion for some time might have affected my point of view a bit, so I'm very much into protecting myself (as the person running a website) BEFORE protecting others. Obviously that does not give an excuse to allow the users to be attacked (i.e. you've got to do everything possible to avoid XSS, XRS, ...), but if you can help yourself (and - in fact - your users, because nobody wants an endless list of spam comments) by adding javascript to your comment mechanism: do it!

Answer 10

Doing government websites and others there is a requirement for accessibility. These specifications are quite rigid, and require the site to work without javascript. That doesn't mean you can't use javascript, but just that the site needs to degrade well and still work without the javascript. This is a lot of extra work, so some just say don't bother and go with the least common denominator.

Answer 11

Javascript is a major attack vector for drive-by downloads.

Many browser vulnerabilites can only be attacked through javaScript, and about half the security alerts issued about browsers read "while we're working on a patch to this vulnerability, you can protect yourself against it by disabling scripting".

On what machines do you think those spam bots are running? Nowadays, most of them fell victim to a drive-by download on some website that used Javascript to attack a browser vulnerability, and in many cases the malicious code got into that website through an XSS attack. A study conducted by Google last year found 10% of all websites they surveyed to contain such attacks!

So yes, Javascript (Flash too, btw) is very much the problem, not the solution, and it's becoming a bigger and bigger problem. Eventually it will be too big to tolerate; you better be prepared to find a way to make your website work without Javascript when every single Joe User out there has (or closely knows someone who has) had their ebay acount, paypal account or even bank account broken into, and is told they could have avoided it by deactivating Javascript in their browser.

Of course, this is a worst-case scenario, and maybe browser developers will manage to get their act together, or some sort of sandboxing technology for Javascript engines (or the browsers themselves) becomes prevalent, though that would still do nothing to counter XSS.

But saying that Javascript is not a problem right now betrays appaling ignorance in someone who develops web apps professionally.

Answer 12

Is there something wrong with Javascript that I'm not aware of?

Javascript annoys me when it is required for the site to function, especially for things that should not depend on it (like opening a link). Basically your site should work perfectly with Javascript disabled - the Javascript should just make it nicer to use.

Say I have javascript disabled (for whatever reason - security, paranoia, CPU usage, ad-blocking etc), I should still be view that picture, albeit not with a fancy Lightbox effect, or submit a form, again albeit without dynamic in-line error reporting)

There's nothing "wrong" with Javascript, it just shouldn't be obnoxious, or mandatory.

Answer 13

Where I work we place quite a lot of emphasis on website accessibility. Unfortunately, this means that excessive JavaScript use is hard to justify.

Every piece of JavaScript we use requires back up functionality to be in place for people who don't have JavaScript support (for example people who rely on using screen readers for browsing web sites).

I love JavaScript and the power it gives you on the client side but in the end we build sites that we want as many people as possible to be able to access and this therefore means that JavaScript use is limited.

Sometimes it's just easier and quicker to build the functionality without using JS rather than doing the same thing twice.

Answer 14

As this website needs javascript (at least if you want to access all features), you will only have a few users here, that are skeptical against Javascript. But it is true, that Javascript is the main vector for installing malware on end-user-computers. Many sites are infested, and the maintainer of the site don't even notice, because the site works as expected, but additionally is malware installed secretly. Besides that Javascript is often used for annoying stuff. Some appliances doesn't support Javascript or don't support it well. Javascript also can make a website problematic for blind users. So a mentionable amount of users can be scared away from your website by making Javascript necessary. Optional Javascripts don't prevent these users.

A good website-example is the Wikipedia. It uses some Javascript, but works perfectly without it.

EDIT: Twitter shows clearly the security-problem with Javascript. Some may argue, that is a problem with wrong code at Twitter, but if even such a big website cannot keep XSS out, how is it with local and small websites? It's not uncommon, that hacked websites execute silently malicious Javascript. Turning Javascript off is at the moment the best solution to that problem.

Answer 15

The claim that it is a security risk seems bogus to me. I've had Javascript on in my browser for as long as I remember, and not once have I found out that anything malicious has happened.

I'm sorry but this is a pretty lame excuse. Because you got lucky, you didn't visit so much dodgy websites or you kept your windows update all the time it doesn't mean others will do that as well. And there is still 0day attack window (time between the exploit and patch release) which is all about being a target and luck.

Defence in depth is crucial, 95% of the browser client-side attacks uses Javascript to deliver the exploits. Therefore disabling javascript is a really smart idea.

Secondly usability and accessibility issues. Javascript is a big problem.

Finally CSRF is nothing to do with Javascript in most of the CSRF attacks you don't even need Javascript. (you only need it if it's a POST request, and even in that case you just need to make a huge CSS and submit the hidden form in any click to the page. so still you can do it without javascript)

XSS is client protection and not the website. If your website is free from Javascript, you can still be vulnerable to XSS. Not using Javascript as a developer is not going save you against XSS. But as a visitor of the website disabling javascript can protect you against XSS.

Answer 16

"To Javascript or not" has valid, compelling reasons on both sides of the argument, which is the definition of a "religious argument".

I prefer to develop websites with Javascript not because it makes it easier (it definitely doesn't!) but to meet the requirements of the people I am delivering to, that the application be all whizzy and modern. However, building in Section 508 compliance will probably come as a shock to the project sponsors.

Answer 17

This backlash against Javascript, which is a lot more common than you'd think, makes me wonder how the notion that "client apps are dead and Web apps are the future." You hear this all the time. I don't really understand how both of those notions can be so prevalent. I'm not talking about social bookmarking web sites, but actual applications.

Answer 18

As far as I'm concerned, as long as you follow the practice of Progressive Enhancement, you can use as much javascript as you feel is necessary to create your web application.

The users who run into your site with JavaScript disabled or not supported will still have full functionality. The rest of your users will see your animations, AJAX calls (and thus less postbacks or redirects), and other dynamic features.

It requires more work, but it really is the best solution. Remember that there are limited cell phone browsers, old computers with old browsers, alternative browsing methods (screen readers, crawlers/indexers), and people who purposefully turn JavaScript off. It may not even be the majority of your users, but it can very useful to cater to them.

Answer 19

I use NoScript in Firefox, and by default no Javascript will work. I allow scripts on a case-by-case basis.

Therefore, if you want me to let you execute Javascript at my browser, you need to give me some reason to do so. Some reason that I can see without turning it on, because I don't turn scripting on without a reason.

This doesn't mean I expect full functionality without JS. This means I have to have enough functionality to see what I'll be getting by turning it on, and enough to give me some sort of feeling of trust. This isn't necessarily ideal from a security standpoint, but it's what I'm comfortable with.

There's also my feeling that people who demand Javascript for even partial functionality are likely to put style way over substance, so there likely isn't anything I really want there anyway.

Answer 20

My feeling is that turning Javascript off in your browser is like taking all the lightbulbs out of your house in case you get electrocuted, but then complaining that it's dark at night time.

I'm not going to put objects in front of you to trip over in the dark, but don't expect me to go buying flashlights for you.

Answer 21

My take on the whole issue is as long as you're coding your Javascript to add to the users experience in a positive way, you're using Javascript correctly. The reason many disable it is because there are many terrible developers and companies out there that abuse Javascript for advertising, spam, harassment, and other nefarious ends.

Javascript brings a whole new experience to uses via Ajax, and several other frameworks/applications and shouldn't be ignored completely. There are compatibility issues galore but so does CSS and standard HTML, but we still use those day in day out.

I agree with an above post, "Javascript is not good or bad, in the same way that a hammer is not good or bad. It's what you do with it that is good or bad.". And the same could be said for any programming language.

And for those turning off Javascript entirely, you're missing out on a world of convenience and neat tricks that have helped push the web into the so called 2.0 and 3.0 web experiences.

Answer 22

Javascript can certainly be used to make a site more accessible. Look at Google's Keyboard Shortcuts Beta

If you visit this site without javascript, you'll see that it acts no differently from a typical google search. Visit it again with javascript enabled, and you'll find that the "j" and "k" keys will move to the next and previous search results (respectively), and navigate to the selected item upon pressing the enter key.

It is the responsibility of the developers to consider accessibility (such as alt text, etc.). A common problem is that some developers rarely make it a priority.

Answer 23

I found the following comment at: http://www.exaflop.org/pivot/entry.php?id=115

I believe 2 [requiring javascript] isn't a major issue in that you can put a message on your comment form to the effect that if you are unable to use the form, please send an email and you'll add the comment for them. Maybe that will put some people off, but it shouldn't ... Besides, many people are now using conventional Javascript browsers with screen reader software instead of the old text mode browsers like Lynx, so this problem should diminish for disabled users. As for the tin-foil-hat-wearers that disable javascript in their browsers out of paranoia, they can stay silent for all I care :).

Answer 24

I think a lot of users dislike javascript because it is yet one more thing that takes control of usage out of the user's control.

Besides the security concerns, javascript is very, very easy to do badly. Novice interface designers can cram tons of useless gimmicks into a webpage and set off a cascade of side effects that the user cannot control.

My personal pet peeve is the "Are you sure you want to leave our wonderful site?" popups that show up apparently at random.

No code should be configured in such a way to wrest control from the user. Every interface should have simply one user-action to one result correspondence. A button shouldn't have result A on Monday and result B on Tuesday. (Or worse, the button behaves differently depending on many times you have hit it previously!)

Javascript can be a joy on the site of a responsible and competent developer but if even just 5% of sites use javascript incompetently, abusively and even criminally, a lot of users will decide the benefits just aren't worth the hassle.

Your site might have a lot of nifty javascript features but if the next site I navigate to uses javascript to insert a trojan, the benefits that your javascript provides won't offset the damage caused by the next guy.

Answer 25

I'm not surprised that there is a vocal anti-javascript bloc among developers. Its a language with a checkered past. The flexibility of the language backfired, resulting in a web that sometimes feels like a stinking pile of badly written javascript hacks.

But I have a feeling that a lot of the anti-js sentiment comes from the time when js as what you used to make your cute flying mailbox animated gif open your guestbook in a new window, or what generates the storm of pop-unders when you try to leave a porn site (don't pretend that isn't what annoys you about js! You know I'm right!).

Javascript is evolving. In the last couple years it has been embraced as a first class language, suitable for serious application development. You can decide to use NoScripts or the like, and only turn it on case-by-case, but you're going to find yourself turning it on more and more often.

Other answers have mentioned the accessibility issues, and of course the security issues, and others still have talked about solutions to those issues that don't include "ditch js" (how do you impliment keyboard shortcuts without js??). I welcome high expectations, but you can't bitch and moan without also talking about solutions.

Javascript is not the problem. As a designer I build sites with accessibility, security and compatibility in mind. I do so assuming js will be turned on. I contend that this is a reasonable design assumption. Things should degrade gracefully of course, but opinionated developers who turn off js to make a point are not users I design for.

Answer 26

The whole idea that web 2.0 should degrade gracefully to 1995 is ridiculous.

If you going to gmail, ya better be at least 5 years current. And is that too much to ask?