Why is JavaScript allowed to be disabled in the browser? (i.e. Why is it considered bad?)
+22
A:
Why is javascript allowed to be disabled in the browser? (i.e. Why is it considered bad?)
Because it can be grossly misused (blinking images, anyone?), may slow the browser down and of course there's always the (very justified!) fear of exploited security holes.
Konrad Rudolph
2009-05-25 14:23:07
i hope this isn't in (desc) order of importance...
nickf
2009-05-25 14:40:18
Hehe … rather the opposite, actually.
Konrad Rudolph
2009-05-25 14:46:46
Also let us not forget what happened on SO on April 1st. The horror of it remains with me to this day...
Manos Dilaverakis
2009-05-25 14:49:51
You can put both blinking and animated things on a webpage without JS. (In some browsers you can disable these with a hidden feature, and in others it's impossible.) I don't see much in the rest of modern web browser design to suggest that things get an off-switch for merely being something which "can be grossly misused".
Ken
2009-12-06 04:21:32
I dare say most blinking images are *not* implemented using Javascript and are just good ol' animated GIFs.
deceze
2009-12-06 04:28:49
@Ken: well, you can switch off CSS as well, and most browsers quite easily allow to switch off pictures as well. Not to speak of Java, Flash and other browser plugins. The fact remains that almost *any* feature of a web browser, even core features, can be switched off, contrary to what you said.
Konrad Rudolph
2009-12-06 13:38:40
Konrad: In every browser I've ever used, disabling JS is a highly visible checkbox near the top of the standard preferences. If you know how to disable other features in other browsers, I'm sure the internet would love to hear about it, e.g., animated GIFs are a hidden pref in Firefox, and (AFAICT with a couple minutes of googling) impossible to disable in Safari. You're right that "almost" any feature can be disabled in "most" browsers, but disabling JS is *always* super easy in *every* browser, and disabling other features is somewhere between "harder" and "impossible".
Ken
2009-12-08 05:56:19
+2
A:
It can cause security problems. Especially in old versions of IE (not so much anymore).
Or maybe it has something to do with Stallman's ranting ;-)
Zifre
2009-05-25 14:23:20
+5
A:
First of all with Javascript you can create events that the user might not want you to, like e.g. changing the size of the window...
On the other hand think about people who are somehow limited... What if your user was blind and uses a screenreader while your page continously changes its content somehow... There are many reasons against Javascript when it comes to accessibility...
Kevin D.
2009-05-25 14:25:42
+3
A:
Back in time, it used to be:
- A source of annoying cursor-following animations (I am sure you remember stuff, like raining sheeps or clocks following your cursor... I want to find the smart*** who thought of that and slap them with a trout)
- Considered insecure
- Served no purpose but bog down the browser
However, over the years it has become more advanced and applied with more thinking behind it.
Dmitri Farkov
2009-05-25 14:26:35
+4
A:
Historically it has been a huge security problem for web based services. Also with any technology that is exploitable and has a low technical barrier for entry it ends up the tool of the low brow trouble maker (script kiddies). Quick searches for javascript or xss in a security exploit database will show hundreds of pages of vulnerability.
Copas
2009-05-25 14:28:09
+2
A:
JavaScript is often considered dangerous or at least annoying for two reasons:
- Websites can suddenly do stuff that you don't want them to do, e.g. open popups
- Websites can suddenly keep you from doing stuff that you want to do, e.g. disabling right-clicks
Now, in the vast majority of cases JavaScript is harmless and can really enhance the user experience (Ajax comes to mind). But all it takes is one malicious site that uses JavaScript to do evil (TM) things like Cross-site Scripting. For that reason it is commonly considered best practice to disable JavaScript globally and to allow it for just those sites or domains that you explicitly trust. In this day and age being paranoid on the Internet is actually a good thing.
n3rd
2009-05-25 14:31:48
+1
A:
JavaScript, as the inventor of JSON called it, is the virtual machine for the world. It's where billions of people are. This great exposure comes with some dangers other languages do not have to face.
Example. Write a site that just 'redirects' you to another site, where you can sign in. If you are not completely in control of your browser/URL etc. some JavaScript just could have loaded the page content from another site and will log your keystrokes. This could be achieved with a few lines of JavaScript. It's not really the fault (if it's a fault at all) of JavaScript, but all the components (browser, HTML, and this vast space, we call Internet).
The MYYN
2009-05-25 14:39:24
+1
A:
As well as what others have said it confuses search engines. The more 'dynamic' content you add the higher the chances it cannot be indexed. In addition the Internet is used by many as a reference library. Books in a real library do not change things around while you are reading the page. You may think of your site as an "application" but your users may prefer to treat it as a "document".
In short JavaScript obfuscates information, sometimes to the point of completely denying access (i.e., the JavaScript code is buggy and crashing). A classic example of this was that I was unable to watch the Live8 concert broadcast by AOL a few years back because the JavaScript code was so poorly written it didn't actually work on my girlfriends' AOL browser (ironic I know). I tried to get to the movie URL directly but the obfuscation was so complex I couldn't find it. It did nothing to endear me to AOL.
BTW, I happen to be one of those people who disable JavaScript by default. If I need it I can enable it for a specific site or page in 2 seconds (really) using the NoScript add-on for Firefox.
SpliFF
2009-05-25 15:05:26
+10
A:
<body onload="for(i=0; i<1000000; i++){window.open(
'embarassingpornsite.com?pageid=' + i);}">
Steven A. Lowe
2009-05-25 15:06:36
"Server not found: Firefox can't find the server at www.embarassingpornsite.com."
Thomas
2009-12-06 16:28:53
+2
A:
The main consideration is security. Drive-by downloads that exploit browser security holes via JavaScript are currently the most common way for malware to spread.
Michael Borgwardt
2009-05-25 15:15:39
No, I think malware usually spreads by user stupidity ("social engineering").
Zifre
2009-05-25 19:30:01
I would also have to disagree. Javascript is ran in a sandbox model, and it cannot write any changes to disk by itself, it requires the user to accept the download and run the program (expanding on Zifre). To blatantly say that Javascript by itself allows malware to be installed is inaccurate. I would say that exploits that allow a Javascript application to write something to a disk and execute it is VERY RARE. Assuming of course the user wasn't stupid and allowed such a thing, but by default JS apps are not allowed to read/write/execute to/from disk.
Nathan Adams
2009-12-06 04:00:15
I thought Flash was the #1 cause of security problems in modern browsers.
Nosredna
2009-12-06 04:08:10
Yeah, Javascript is safe *in theory*. In practice, exploits that allow the attacker to execute arbitrary code (i.e. do whatever he pleases) are VERY COMMON: http://www.developingsecurity.com/weblog/2009/09/crossing-the-border-javascript-exploits.html Though in many cases JavaScript is an intermediate agent used to exploit vulnerabilities in other components. And no, it doesn't matter than "it's not really the fault of JavaScript" in those cases.
Michael Borgwardt
2009-12-06 07:43:42
+2
A:
It's a weakly-typed scripting language. Programmers who usually use "big strong" languages look down upon such nonsense. Shame on you for even considering using it, and my God have mercy on your soul.
mocorp
2009-12-06 03:00:02
+1
A:
Why is javascript allowed to be disabled in the browser? (i.e. Why is it considered bad?)
Because browsers are not prefect! And Its give you the way to safe yourself when you need it.
When security risk found out, they will just post in their home page
Please disable javascript until its fixed
Like this, (I dont have offical page right now, so googled from somewhere)
http://browsers.about.com/b/2009/07/16/firefox-3-5-users-should-take-action-immediately.htm
However, until a fix is released, I recommend that you either disable JavaScript completely or use another browser.
S.Mark
2009-12-06 03:03:37
+1
A:
There are a few rare instances where JavaScript can be dangerous (but so can anything, including the massively ubiquitous Flash). The reason users actually do disable it or use addons like NoScript is largely unjustified paranoia.
In the end, users don't stick with behavior that breaks the websites they want to experience. So, I wouldn't expect JavaScript paranoia to be a long-term issue as only more and more sites depend on it (like this one).
It's similar to the hype we saw around cookies several years ago.
Dave Ward
2009-12-06 03:05:01
+1
A:
Some companies, or business units, have a policy of not allowing javascript turned on, as there are concerns about any risk of security exploits, and that may be the biggest problem, that since it can't be locked down securely then it must be disabled. If you can run javascript in a strict mode, that doesn't allow ajax requests, for example, then you may find that more people are willing to use it on computers that are concerned about security.
As long as a user can go to a website, and information can be sent transparently over the Internet regarding what a user is doing, then these security concerns will exist.
For example, I could have a Firefox plugin that appears to be useful, but, it can do possibly send unwanted info to a website.
James Black
2009-12-06 03:05:43
+1
A:
JavaScript has some very "odd" language features, like the handling of missing semicolons at statement endings by just ignoring the parse error ("semicolon insertion") or the behaviour of the typeof operator (array is an object).
You really need to know the language to know which things you should do and which are bad.
But there are also really good points about the language, like that it fully supports functional programming.
Axel Gneiting
2009-12-06 03:09:50
A:
It can crash the browser, or do annoying things to users.
However, now a days Javascript has become such an integrated part of the internet (Gmail, bill paying for many companies sites, ect) that if you did disable it then browsing could arguably be difficult for you unless you had exceptions.
Nathan Adams
2009-12-06 04:02:34
A:
It is bad only you visit questionable sites. Without javascript you won't have apps like gmail, yahoo finance, etc.
fastcodejava
2009-12-06 04:22:50
A:
Because it shifts load from the server to the client and there is no way to control to what extent.
I work with Javascript every day and respectfully acknowledge what it has made possible, but sometimes when I browse a very simple page, and the interface reacts lightning fast because there is nothing to render but pure, simple HTML, I think that that used to be the original purpose the purpose of the internet. You can, and I am exaggerating only little, browse these pages with a 600 MhZ Pentium with 128 megabytes of RAM without problems. While for a Javascript-heavy, effectful "rich" website, you need massive resources on the client side for a halfway smooth experience, and you need to update your equipent almost as often as gamers do.
Also, I generally feel some, not hostility, but slight annoyance towards Javascript because it massively increased development costs by adding a host of incompatible target platforms, version, obscurities and specialties to cater for, as well as a generally bug-prone, hard to debug and volatile environment to work in.
That said, I think the industry owes the creators of JQuery, Prototype and the likes big, big thanks, among many others.
Pekka
2009-12-06 04:33:11