tags:

views:

860

answers:

8
+1  Q: 

deny browsers without javascript enabled to use my php site

Hi,

Im writing a fairly small web application in PHP and intend on using DOJO to make it "fancy" and most likely handle some validation on the client side (there will be server side validation too).

I would like make JavaScript a requirement for my site, and therefore, if a user's browser has JavaScript disabled, or is not capable of JavaScript, they shouldn't be able to use the site at all, and get a message to notify them of this requirement.

I have seen other sites do this, but I can't work out how to enforce it.
For an example, attempt to log in here with username=user and password=user
http://demo.actitime.com/login.do?username=user

I would then want this same thing to happen on everypage.

Any help appreciated.

occhiso

+4  A: 

Two things spring to mind:

  • Use the <noscript> tags for content; and

  • In the case of that website and for similar functionality, instead of having a submit button, have a normal button with an onclick handler:

    <input type="button" onclick="documents.forms[0].submit();" value="Submit">

Can't submit without Javascript enabled.

cletus  2009-01-26 09:34:42
hitting enter would still submit, wouldn't it?
Murat Ayfer  2009-01-26 10:11:54
I actually did do this, but its pretty easy to insert a submit button using firebug. Appreciate your thoughts though, I think your the only one here who thinks this is ok - thanks.
occhiso  2009-01-26 10:17:48
If you ask a group of 'experts' and everyone says 'this thing you want is bad because of this and that' except for one person, I don't think it's very reasonable to assume everyone is wrong but you and this other guy.
Adriano Varoli Piazza  2009-01-26 11:40:17
Of course, everything can be done with enough time and money. It doesn't mean it's a sensible or good thing to do. That's why thedailywtf was born.
Adriano Varoli Piazza  2009-01-26 11:41:17
http://weblogs.asp.net/alex_papadimoulis/archive/2005/05/25/408925.aspx explains better than I can what I'm thinking of. Should be required reading.
Adriano Varoli Piazza  2009-01-26 11:44:54
@Adriano Varoli Piazza: everything can be done with enough time/$$. But developing a site that works well in two modes, script and noscript, requires more time/$$ than developing a site that works well in one mode. Let the guy chose his tradeoffs. He wants to alienate paranoid users, so be it.
Mr. Shiny and New  2009-01-26 14:36:54
Of all the answers give on this page, yours is the only one that actually attempts to answer the question, not redirect to graceful degradation +1
Allain Lalonde  2009-02-04 01:47:47
+21  A: 

I don't think this is a sensible approach.

Just put a little more effort in the site so users without javascript can access the site too. Don't forget that they are your customers. And they probably have a good reason to disable javascript.

Gamecat  2009-01-26 09:35:44
Nevertheless this is becoming increasingly common. Disable Javascript, go to www.cnn.com and then click on some articles.
cletus  2009-01-26 09:50:55
Well, even if everybody else does the wrong thing, that is no reason to do wrong it yourself.
Gamecat  2009-01-26 09:52:59
Who says its wrong? Javascript is becoming a baseline requirement, like it or not. As such Web developers will increasingly require it rather than spending time and effort worrying about what happens for the increasingly few who don't have it or disable it.
cletus  2009-01-26 10:03:34
With the rapid increase in security problems based on XSS and XSRF it's also quite possible that JavaScript is becoming inacceptable, like it or not. As such users will increasingly disable it rather than risk having their bank account emptied like it happend to their cousin.
Michael Borgwardt  2009-01-26 10:07:12
"Javascript is becoming a baseline requirement" - only by naive people like you. It is more than possible to make most of your content available to non-Javascript users. The development community needs to be more aware of accessibility issues. Unfortunately, Stackoverflow isn't a glowing example...
roryf  2009-01-26 10:57:45
This doesn't answer his question.
Allain Lalonde  2009-02-04 01:43:46
Yes it does. Not supporting noscripts is a failure of design, and by extension you as a developer. The OP should revisit his assumptions, and this answer directs him to that.
annakata  2009-02-24 11:33:54
Progressive Enhancement and Graceful Degradation are like a mantra to me.
Gabriel Hurley  2009-07-18 20:34:03
+4  A: 

The only appropriate response to this is: "Why would you want to?"

Really, a better approach would be to try making it work first, then adding the fancy javascript bits afterwards. This way users that have javascript disabled can still use it, even if it has limited functionality.

hydrapheetz  2009-01-26 09:40:40
A: 

One reason is that I wanted a tabbed interface - which allows the same task to be done different ways. Alot of the same logic is used "per tab", so I didnt want to break it off to a separate page.

Using dojo, I can achieve this pretty easily by having all the content is separate div's on the same page, then dojo puts each div in it own tab. Without JavaScript, you would see all tabs (the divs) at once.

There are a few little hiccups like this, and I thought making it a requirement, it would always behave and look good, and those without JavaScript would miss out, baring in mind that this is by no means a mission critical site!

Also, this means I can enforce input validation without the user having to reload the page.

Is it really that bad?

occhiso  2009-01-26 09:54:32
No it's not that bad. It's understandable in fact.
cletus  2009-01-26 10:04:36
Yes, it's definitely that bad. You're telling people "If you want to use my site, I want you to open yourself to security holes that could mean your bank account gets emptied. And if you're visually impaired, I don't want you here either!"
Michael Borgwardt  2009-01-26 10:10:40
The people without javascript might decide that they like a broken site better then no site at all. I would say, if there is no javascript a "won't work without javascript, proceed at own risk"-warning would be the best solution, but with the possibility to try it anyway.
sth  2009-01-26 10:11:23
instead of loading all divs at once, i would use ajax, and i would support direct linking to each tab. this way, people can open up those links on separate tabs on their browser, and also be able to see them without javascript.yes, it's bad.
Murat Ayfer  2009-01-26 10:15:56
If you don't take enough time to make your site at least semi useful with javascript then I won't take the time to add it to my noscript allow list.
Jared  2009-01-26 10:19:27
@Jared: ITYM 'without javascript'
Adriano Varoli Piazza  2009-01-26 11:17:30
It's extremely bad if you don't have a captive audience. It's totally acceptable for line of business apps. Otherwise, cletus is just plain wrong. It's not hard to google a pile of info about *not* requiring JS, but as for requiring it... cletus stands alone.
Rex M  2009-02-04 01:55:48
+4  A: 

You know, the year is 2009, not 1997. These hacks belong to the past, dead and buried like the filth they were.

As for a useful answer: read up on graceful degradation.

As for your answer: CSS can accomplish what you're doing with DOJO with no Javascript at all (at least, the things you mention). It would require roundtrips to the server if javascript isn't enabled, that's all. I don't know what you mean by 'logic', but the canonical sense of the term is better done with PHP and possibly a templating system than by using javascript.

Input validation without a roundtrip is nice, but if I have no javascript or can't use it, server validation is better than no-frickin-site at all.

Yes, it is really that bad.

EDIT: Colonel Sponsz points out another useful link about graceful degradation.

Adriano Varoli Piazza  2009-01-26 09:59:09
Being the age of WEB 2.0 (not 1997), surely javascript is needed more and more with so many things using AJAX. I think your quite rude.
occhiso  2009-01-26 10:35:55
Au contraire, accessibility is more widely understood now - and you don't *need* Javascript to get things done. @Adriano - there needs to be server-side validation of all input anyway (client-side can be trivially bypassed) so it's not like this would even be more work.
Andrzej Doyle  2009-01-26 10:41:37
@dtsazza: oh, sure, and occhiso said it would be implemented too. I was just viewing it from the POV of the user. Which includes hackers that bypass js-only validation, I know.
Adriano Varoli Piazza  2009-01-26 11:14:20
@occhiso: I want to be clear. The examples you mentioned are _bad_ examples. I'm not calling _you_ a hack. I'm saying that this kind of programming belongs six feet under. If you didn't know, it's ok. Nobody's born knowing.
Adriano Varoli Piazza  2009-01-26 11:16:27
Input validation isn't really a good example because with or without client-side input validation you should never trust it and it should always be validated on the server regardless.
cletus  2009-01-26 12:04:40
The principles behind graceful degradation are better described by Progressive Enhancement: http://www.alistapart.com/articles/understandingprogressiveenhancement
Colonel Sponsz  2009-01-27 11:54:09
+1  A: 

Just put a script in your page that enables a session variable in the browsers that visit your site by redirect or submiting data using Ajax to the page that enables that variable. In the next click y the session does not have the session variable, you redirect it to another page, which one request a JavaScript enabled browser.

daniel  2009-01-26 10:37:56
+1  A: 

Some advanced users disable JavaScript by default, and enable it on a per-website basis. I would just warn them that JavaScript is required to go further. Use to dispaly the text to browsers without JS, or with JS disabled:

<noscript>
    <p style="color: Red;">Warning: JavaScript is required to display anything after you login. Please enable JavaScript or use a different browser</p>
</noscript>
Julien  2009-02-04 01:40:59
haha advanced... you mean paranoid.
corymathews  2009-02-04 02:17:21
A: 

The best reason I can think of is to stop people accessing and using forms without java scripted based browsers so hiding from the Counters.

For example if someone decides to spam, even with capcha and hides their isp by not enabling javascript, (alot of counters rely on it), then I think it would be a good idea to ban all non javascript browsers on a website.

In fact I think I will.

Good idea 'occhiso'.

 2009-07-18 20:30:10
I can hide my ISP by disabling javascript? Are you really sure about that?
dxbmatt  2009-07-18 20:48:10

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases