

Say “Yes” to JavaScript - ch0wn
http://lucumr.pocoo.org/2013/7/1/say-yes-to-javascript/

======
betterunix
Sorry, but Javascript is a mess and 99% of the things I see it used for _have
always been possible without it_. Why should I open myself up to the myriad
privacy and security headaches and various other annoyances that come with
Javascript, if you are not using it for something more than _submitting forms_
, _loading images_ , or _clickable links_?

"Some applications now are written as frontends to APIs and the application
does not provide any rendering on the server side besides a nice error message
that the website requires JavaScript"

1\. Fix it

2\. Stop using those APIs if they will not fix it (otherwise things will not
be fixed)

"Many modern web applications can be much more performant because they take
advantage of JavaScript"

That's nice, but I do not want you offloading your computation onto my
computer. I may allow something like Folding@Home, but why should I allow
something like rendering advertising?

"User interfaces that depend on JavaScript have much better abilities to make
it enjoyable for a user"

User interfaces that _work with or without Javascript_ and _only use
Javascript as an enhancement_ give you the best of all worlds. It is not
impossible, you are just being lazy and trying to shut out people who disagree
with you.

"A good example for instance is payment handling on the internet."

This is kind of like saying, "Every car should have OnStar; a good example is
refueling!"

"You don't get extra privacy by disabling JavaScript"

Javascript _on its own_ is sufficient to carry out numerous privacy
violations, and presents various security problems. Yes, there are other
things you can do, but if I stopped you from using everything else you could
still use Javascript to accomplish your aims. Javascript also presents
problems for Tor users, who might be de-anonymized (accidentally or
deliberately) if they allow Javascript to run.

"At the same time I can enhance your browser experience"

Please do not do this; I do not want you "enhancing" my browsing "experience."
All I want is to get the information I asked for, maybe post some comments,
and manage my finances. I do not need any of these websites to have fancy UI
effects, and while client side validation may be convenient for me it is not
something I will miss terribly. My browser already knows what tabs are, how to
load images, and how to submit forms. What are you adding that is worth the
added risk of Javascript?

"We as developers should be happy that browsers go our way and make our life
easier."

Sorry but my browser is supposed to work _for me_ and not _for you_. If this
is your argument for Javascript -- it makes _your job easier_ \-- then I see
no reason not to keep it disabled _by default_. If life without Javascript is
so terribly hard, the problem is with your techniques, frameworks, and designs
-- fix those and leave my browser alone.

~~~
joelanman
"You are just being lazy"

Why is this a value judgement? Making an interface work with and without
Javascript takes more time - that's a given. Surely it's up to the team
working on it to decide if that time is better spent on something else?

~~~
betterunix
"Making an interface work with and without Javascript takes more time"

It should be a one-time cost if your design is not broken somewhere. There is
not a lot of functionality that _requires_ Javascript. I understand that
having an in-browser spreadsheet automatically update cells as things change
is going to be tough without Javascript, but that does not excuse the more
basic things people use Javascript for: form submission, hyperlinks, _loading
text_ , etc. Your design is flawed, at a fundamental level, if you need to do
a large amount of extra work to have this basic functionality work without
Javascript.

Really though, in an age of web toolkits and large frameworks for creating
pages with all this Javascript, there should not be any need to make such a
choice. Whatever you are building your website on should already support a
non-Javascript version; the only real issue is when you need to do something
that is not already part of that toolkit. Again, I understand that _sometimes_
Javascript really does make a particular feature of a website possible, but I
am asserting that the _vast majority_ of Javascript out there has nothing to
do with such features.

"Surely it's up to the team working on it to decide if that time is better
spent on something else?"

Users have to deal with the consequences of those decisions. If I cannot pay
my hospital bill without enabling Javascript, then I have to enable Javascript
-- regardless of my reasons for disabling it (and if for some reason I cannot
enable Javascript at all, I cannot pay my hospital bill). Whitelists are not
really a great solution; any NoScript user has surely had to play the "enable
Javascript here, here, here, and here" game, trying to guess which scripts are
important for a website to function and which are malicious advertiser
scripts.

~~~
epochwolf
It's not a one-time. It's a continual maintenance headache. JavaScript allows
for much nicer user interfaces than anything HTML can provide. As for
gracefully degradation, I don't have time to support people without
JavaScript. The best I can do is prevent those people from ever logging in by
requiring javascript on the login form and rendering the support links client
side.

------
dendory
I personally run JavaScript turned off by default, but I'm still ok with
Mozilla's decision. I use NoSxript which provides the right functionality to
do this, and anyone can download the add on. Completely disabling JavaScript
for all sites breaks a ton of stuff and very, very few users would want to do
that, hence no point in having it in the UI.

~~~
SeanDav
I also run with JS off by default and use the NoScript addon to control JS
whitelists and blacklists. I find it useful to remove all the tracking,
analytics and social bits that infest most websites. I get more speed and far
more security from drive-by infections.

Surprisingly I have found that quite a few websites look better with no JS,
probably due to their fancy fonts being disabled.

------
mpweiher
I find JS to be a good negative filter for sites that are large (in KB), slow
and have annoying/weird UI. Just like Flash.

I wish people would make good HTML/Web Apps instead of trying to (badly)
imitate desktop apps. To me, that means being lean and embracing the
transactional style (see 3270).

------
jiggy2011
Ideally I would like to enable Javascript for web _applications_ but disable
it for web _sites_.

I see very few convincing reasons to start running code in order to display a
text article or video, apart from better ad tracking.

~~~
drdaeman
Firefox solution to this: RequestPolicy + Self-Destructing Cookies + NoScript.

------
jol
The funny thing is that the article is published on a blog where only JS is
Google Analytics (50% of the download)... Yes, we need JS everywhere!

------
anotherhue
Slow JS might be annoying but it's not particularly concerning , what is
troublesome is the communication facilities of JS. I'd allow it by default if
it had to request permission to phone home.

Typical worrisome cases are when a malicious script scrapes credential forms
or the tracking of mouse cursor movements / page scrolling for advertising
analytics.

Essentially, I'll tolerate the web server having logs of my access to the
page, but what I do once I've rendered the page should be my own business.

~~~
acdha
> Typical worrisome cases are when a malicious script scrapes credential forms
> or the tracking of mouse cursor movements / page scrolling for advertising
> analytics.

You do realize that the only way JavaScript runs on a page is for the remote
site to choose to include it, right? If you don't trust their JavaScript why
would you ever put sensitive information in a form and submit it anyway?

~~~
anotherhue
If we ignore any JS inserted by an attacker that has MITM abilities, then yes,
but consider the innocuous case of someone typing in a form field and then
changing their mind about what to say.

The capabilities of this company in particular might motivate a few readers:
[http://www.clicktale.com/products/mouse-tracking-
suite/visit...](http://www.clicktale.com/products/mouse-tracking-
suite/visitor-recordings)

~~~
acdha
If they can MITM you, you're already at risk in so many ways that trying to
worry about the vanishingly small percentage of times where someone enters
text without submitting it is just wasting time you should be using to setup
HTTPS.

------
tripzilch
Next you'll tell me we shouldn't be able to disable images or stylesheets on a
webpage.

If I want Javascript _off_ on a webpage, I think I should be able to do that.
Preferably with a keyboard shortcut or an easily accessible menu option (like
Opera), because I agree with one thing (that the OP implied):

I can't be browsing the web, with Javascript disabled, and expect that
everything _works_.

And recently I've been trying to come to terms with the fact that if I'm
browsing without Javascript, a lot of things will stop working with no
explanation or even an error message. It would be nice, but it's clear one
cannot reasonably expect that.

I want to be able to disable JS _just because_. Yes most websites are well-
behaved and use standard libraries and there is not much reason to disable JS,
nothing you can't fix in a better way (I also agree often other ways would be
"better").

But there are also non-well-behaved websites out there. So I want to be able
to selectively enable and disable all types of content: images, CSS, JS,
plugins, sound, video, you name it. Preferably all these settings would be
saved per site (like Opera).

------
anon1385
>JavaScript is quickly becoming a huge part of modern web applications.

But what if I'm not interested in 'web applications' and I just want to read
web sites? Apparently Firefox isn't designed with that task in mind anymore.

~~~
JustinJ70s
Then don't use 'web applications'.

~~~
wtbob
The problem is that many article sites think that they are web applications.

------
qwerta
Some people also block colors and fonts. I have not seen webpage with white
background for couple of weeks now :-)

~~~
whattttttttt
How do you do that?

~~~
qwerta
Chrome plugin and solarized color scheme, it even has whitelist.

[https://chrome.google.com/webstore/detail/change-
colors/jbmk...](https://chrome.google.com/webstore/detail/change-
colors/jbmkekhehjedonbhoikhhkmlapalklgn)

[http://ethanschoonover.com/solarized](http://ethanschoonover.com/solarized)

~~~
daurnimator
Awesome, thanks :D

------
qwerta
Author argues that blocking by blacklist is better than blocking everything.
But most people use whitelist, Chrome has native support for it.

~~~
Lewisham
> _But most people use whitelist_

[Citation Needed]. I find this incredibly hard to believe.

~~~
qwerta
It should be "most people _who blocks JS_ ". Just have look how blocking in
Chrome and NoScript Firefox extension works.

~~~
warfangle
Why not use just a little bit more advanced of a tool, like Charles, to
blacklist/whitelist not only domains but file extensions as well?

Then that dirty nasty icky javascript that you hate so much will be blocked
from even being requested over the network.

~~~
drdaeman
This is an example of idea that would work in practice but being completely
broken in theory (URLs don't have files nor extensions, although common URL
looks like they do).

Another example is JavaScript itself.

~~~
warfangle
Translation: "Get off my lawn!"

~~~
drdaeman
Yeah, but still... that's just not right. Even though it should mostly work in
practice.

------
navs
> Instead of having a global “disable JavaScript and cookies” flag we should
> instead invest more into things like tightly tuned browser extensions that
> intelligently remove obnoxious JavaScript from specific pages.

Now is there a way to disable modal/lightboxes with advertising offers or
links to social media networks? I find that incredibly annoying.

------
pessimizer
Say "No" to coding what are basically boring static blog and brochure sites as
if they were dynamic real-time webapps. That would make me say "Yes" to
javascript.

------
jfb
It's become clear that the way I want to interact with information, and the
way that the industry is moving are disjoint. I have no interest in the
browser as an application platform; the current state of the web is barely
useful for me. I find applications built on the web stack in every instance
inferior to native ones, but the economics dictates the triumph of the web
page.

Oh well. At least I'll always have Emacs.

------
scragg
I think this is a fine change. When I do family tech support which I'm sure
many of you have done. I always install Firefox or chrome and remove the IE
icon from the desktop, and just say "use this, not IE". At some point they end
up disabling Javascript because they think it's java and they understand Java
is insecure. So now when a page comes up broken, they get frustrated and load
in IE. /facepalm

~~~
betterunix
Blame the web developers who fail to use _noscript_. That tag exists for a
reason.

------
oddshocks
This article made me angry. Author seems to have no understanding of the
issues with mindlessly executing arbitrary, remote code.

------
throw7
Disabling javascript was the first thing I did when using a browser "back
then". Javascript did/does not enhance my experience with the web. period. I
get by nowadays with Noscript.

It's amazing just how bad Web Developers are.

------
nawitus
>Unfortunately there are cases where currently users are assuming that
JavaScript is not necessary but is.

There are? I've never heard of that happening. The author should provide some
kind of empirical evidence on the prevalence of that problem.

>It's a great day for a web developer when we can finally assume that a
browser will have JavaScript running.

You can assume that without removing the option to disable JavaScript. In
addition, technical users (the only one's who are disabling JavaScript) can
still disable JavaScript using add-ons or using other browsers.

------
dllthomas
I just wish the browser would inform the server whether JS was enabled or
disabled. That would make a host of things easier and providing a good
experience more automatic.

------
kijin
Minor quibble: at least in the US English version, the checkbox is actually
labeled "Enable Javascript", not "Disable Javascript".

> _It 's a great day for a web developer when we can finally assume that a
> browser will have JavaScript running._

That's a very good point. Even blind people no longer run their browsers with
JS disabled [1]. As long as the content and navigation make semantic sense, I
don't think there's any reason for a web designer or developer to refrain from
adding frills with JS nowadays, any more than there is reason to refrain from
using CSS. Both are integral parts of the package of specifications we call
HTML5.

If a user even bothers to disable JS, he's intentionally asking you for a
different experience, so give him a different experience! As long as the text
is readable and the navigation links point to the right URLs, there's no need
to try to make the <noscript> experience identical to the normal experience.
No sane developer tries to make the no-CSS experience (e.g. lynx) identical to
the normal experience, right?

My only complaint is with certain websites that make absolutely gratuitous use
of JS, like using AJAX to load the text content of the page. That belongs to
the same category as using tables for the entire layout. You don't go about
disabling <table> tags just because people abuse it in annoying ways.

[1] [http://a11yproject.com/posts/myth-screen-readers-dont-use-
ja...](http://a11yproject.com/posts/myth-screen-readers-dont-use-javascript/)

~~~
kyllo
Speaking of Lynx, I've run across pages that simply tell the user to "Please
use a modern browser that supports Javascript." I expect the experience to be
the different in a text-only browser, but what I don't expect is _not to be
offered an experience at all._

~~~
jayflux
Without coming across rude (I'm genuinely interested). Do people actually
develop/design sites for text-only browsers? I thought that stopped happening
over a decade ago.

~~~
kyllo
Specifically for text-only browsers? Probably not. But there are still people
who enjoy the minimalist experience of a text-only browser, particularly for
the speed, ease of reading, and keyboard control--not having to move the mouse
and click on stuff. Plus they're more accessible to the blind. And they're
often used for browser automation and web crawling / scraping code.

Essentially all you need to do in order to not break the experience for text-
only users, is to have your server generate a sane HTML document in the
absence of JS and CSS. It's generally not that hard, unless your site is a
single-page app where everything is in a client-side Javascript framework. In
that case you would actually need to build two separate sites, and most devs
probably aren't going to bother since text-only users are a low single digit
percentage of internet users as a whole.

------
MostAwesomeDude
"I believe there are two reasons why some people want to disable JavaScript:
the feeling of extra privacy and improving page speeds."

I normally get along with Armin, but I feel that he left out a key thing here:
Some people disable JS because they feel that JS obfuscates and degrades the
Web-browsing experience. Sadly, we are no longer catering to these people:
viewing a website without JS enabled should not render the fundamental content
of the website unavailable, and we have forsaken that ideal in favor of fancy
bells and whistles on our pages.

There's a fourth reason, as well: JS should not be required on grounds of
security, not just privacy. Sites should not have to run what is essentially
unsafe, privileged, arbitrary code in order to do their daily business. A
company might claim that their JS is harmless because it only animates a title
bar or powers a dropdown menu, but proving that requires a manual audit of all
JS on the page, which amounts to thousands of lines of JS on a modern site.
(Have _you_ read through the copy of jQuery being served to you? Probably
not.) Common repositories of JS ameliorate the problem somewhat, but it can't
be eliminated.

This is not okay, by the way. Requiring JS to read a news article, or upload
an image, or view a forum thread, is insane and we should not tolerate it.

~~~
acdha
> JS should not be required on grounds of security, not just privacy. Sites
> should not have to run what is essentially unsafe, privileged, arbitrary
> code

JavaScript is by far the most heavily sandboxed, restricted code in common
use. If you think it's harmful to have JS running on someone's site you need
to learn more about web security.

~~~
betterunix
[https://en.wikipedia.org/wiki/Cross_site_scripting](https://en.wikipedia.org/wiki/Cross_site_scripting)

[https://en.wikipedia.org/wiki/Clickjacking](https://en.wikipedia.org/wiki/Clickjacking)

It is definitely problematic for me to have Javascript running from arbitrary
untrusted sources.

~~~
acdha
If I can inject JavaScript into the page I can also inject HTML with a big
“Win a free iPad click here!” link. JavaScript is the symptom, not the
disease.

