Hacker Newsnew | comments | show | ask | jobs | submit login

"Do you want to disable JavaScript?" is a stupid question, as you say. "Do you want your browser to tell Google, Facebook, Twitter, Omniture, DoubleClick, and six other companies you have never heard of, that you visited this site?" is not a dumb question. Given that option, 98% of users would say "hell no."

You are absolutely right that configurability is a sign of laziness, the opposite of hard work. But removing configurability is _not_ the sign of hard work. Hard work means addressing the interests of all parties, and Mozilla did not do that.

Why do those 2% of users disable JavaScript? It's in reaction to how JavaScript is used: it enables popups, enables distracting advertisements, lets all sorts of companies track me, makes sites load more slowly, etc. For this 2%, these uses are so odious as to outweigh the beneficial uses of JavaScript. So the hard work would be finding a way to distinguish between the user-friendly and user-hostile uses of JavaScript, and just disable the user-hostile ones, so that the interests of both classes of users would be satisfied.

This would not be new: Firefox's popup blocker is enabled by default, which demonstrates that JavaScript is already disabled for a particular use case, because it proved to be annoying to users. Why not take that a step further? If Mozilla wants to force JavaScript on, they should also address the reasons why that 2% of users go out of their way to disable it today. If those 2% say "I used to disable JavaScript, but now I don't have to" then Mozilla will have done their job.




"Do you want to disable JavaScript?" is a stupid question, as you say. "Do you want your browser to tell Google, Facebook, Twitter, Omniture, DoubleClick, and six other companies you have never heard of, that you visited this site?" is not a dumb question. Given that option, 98% of users would say "hell no."

Assuming you're correct (which I'm not convinced you are), when you then continue, "I have a checkbox that will make it so they don't track you, but it will also break those sites. Is that ok?" They will also respond "hello no".

Firefox's popup blocker is enabled by default, which demonstrates that JavaScript is already disabled for a particular use case, because it proved to be annoying to users. Why not take that a step further?

Right, because you can easily say that a non-user-triggered window.open() is almost always unwanted. I can't think of any other cases where it's so clear-cut and related to JS, or that disabling a particular facet of JS always would be a net win.

If you're going to claim that there's something like that, provide examples. How do you know people at Mozilla haven't already thought hard about this problem and decided there isn't much more they can do? I bet they have.

-----


> "Do you want to disable JavaScript?" is a stupid question, as you say. "Do you want your browser to tell Google, Facebook, Twitter, Omniture, DoubleClick, and six other companies you have never heard of, that you visited this site?" is not a dumb question. Given that option, 98% of users would say "hell no." -> This overstates the case, because you'd still presumably load the 1x1 tracking png with ?resid=<X>&uid=<Y>.

> "I have a checkbox that will make it so they don't track you, but it will also break those sites. Is that ok?" They will also respond "hello no".

This overstates the case most of the time because doing this generally breaks relatively little for those domains listed, and to the extent it doesn't, making that decision on a domain-by-domain basis seems to work pretty well (ask any Noscript user)

-----


Sending browsing statistics to something like Google is already happening regardless of if you have Javascript enabled. When you are on Google search and you click on a link it's tracked that you went to that link.

But besides that and besides that your usage statistics are being logged on the server itself regardless of what you do. Expecting Mozilla or any company to figure out how to block a javascript put request sent to Facebook, but not other put requests which are there by design of the site will only result in Facebook finding a workaround.

It's unfortunate that some people use Javascript in ways that slow down their site. For example with horrendous 'sharing' widgets. You can use plugins to disable those items from loading but it wouldn't be Mozilla's place to decide that on everyone's behalf.

These days Javascript is as much a part of websites as the HTML itself.

-----


> When you are on Google search and you click on a link it's tracked that you went to that link.

Google also tracks the links I click when I am on CNN, ABC News, Fox News, MSN, LinkedIn, and the majority of sites I visit (with the important exceptions of Wikipedia and BBC News - thanks guys!). Advertisers track me when I am not even on their properties! That is what is objectionable, and what is defeated by disabling JavaScript.

> Expecting Mozilla or any company to figure out how to block a javascript put request sent to Facebook, but not other put requests which are there by design of the site will only result in Facebook finding a workaround.

Perhaps, but Mozilla should do it anyways.

Remember the ruckus over IE 10 enabling Do Not Track by default? Advertisers and ad brokers were “very concerned”[1] by even the whiff of a browser maker acting in the interest of users over advertisers. Do Not Track is only tolerable if it is off by default, wholly unenforceable, and just as buried as the “Enable JavaScript” option.

Make no mistake: advertisers believe that they have a right to know what links you click and sites you visit across the whole web, and even a right to enlist your browser to aid in informing them. And Mozilla is complicit!

(And why not? Recall who pays Mozilla’s bills.)

> These days Javascript is as much a part of websites as the HTML itself.

Yes, which means that those few who disable JavaScript pay a significant price for that decision. Nobody disables JavaScript because they hate the language. They do it to escape user-hostile JavaScript programs.

[1] http://www.businesswire.com/news/home/20120531006914/en/Digi...

-----


Disabling Javascript for privacy reasons is like blowing off your leg to prevent tennis elbow: it's overkill, and it's rather ineffective at best.

-----


It's ineffective in the sense that it doesn't stop all of the evil. It IS effective in the sense that running no javascript really limits the amount of information people can learn about your system. Like, why should a website be able to learn about the size of my screen, the complete enumeration of all of my plugins and fonts, etc?

As far as blowing off your leg, sometimes you just really hate tennis elbow, you know?

-----


Is that sarcasm? You should know, that doesn't really work here unless explicitly noted as such. See Poe's law.

-----


If you arrived faster at a citation of Poe's Law than actually reading and considering the things I said, you are doing Internet wrong.

-----


I did read them, and I did consider them. After thinking up a reply as why you think basic client display capability querying mechanisms are inappropriate, I decided you were most likely being sarcastic.

On (multiple) repeated readings, I'm not really sure you were intending to make a point one way or the other. If I attribute the second sentence of It IS effective in the sense that running no javascript really limits the amount of information people can learn about your system. Like, why should a website be able to learn about the size of my screen, the complete enumeration of all of my plugins and fonts, etc? to your voice, then it seems you are. If that's to be taken as the user's voice as rationale as to why JS doesn't need to be enabled, then it's fairly neutral.

At this point, with your reply taken into consideration, I'm confused. Feel free to elaborate.

> If ... you are doing Internet wrong

Well, my first sentence was actually asking you, since I wasn't sure.

-----


Correct. I'm being completely serious, with the exception of the remark about exploding limbs (obviously).

Broad enumeration capabilities of this sort don't make sense. You don't need me to tell you why, because the moment you considered these features not existing, you immediately thought up alternatives that didn't involve running javascript, some of which require changes in the way people think about building web-pages, some of which may require changes in various specifications.

JS has more features than it deserves for learning about and (critically) sharing information about the host platform. Yes, you can still learn some things as a website operator by watching what browsers load/don't load, and what they put in their requests.

That does not mean that disabling javascript doesn't have value w/r to privacy concerns. Compare panopticlick.eff.org w/, w/o javascript enabled.

Edit: I should hasten to add that there are other concerns beyond privacy, like accessibility and the fact that a web page has no bloody business deciding that I'm likely running an iPad and therefor I shouldn't have access to X or Y. This is dumb, and contrary to the idea of the open internet. It's the same thing that's wrong with this EME nonsense.

-----


Ah, I took your position as being able to determine screen size (or have it determined automatically through CSS or some other hands-off mechanism) itself was also unneeded, not just that JS should not have this capability.

I can get behind most of what you say - as long as we are talking about simple, presentation based websites.

Where I think there's a breakdown in this view is when you consider complex web applications, including games. At that point, I believe some level of inspection capabilities are required, if we desire to have complex web apps delivered through the internet. I'm by no means sold that on-demand web delivered code is necessarily a good thing though. There's far too large a surface area to adequately secure while still making it useful, IMHO.

-----


Ghostery is a much better option for blocking trackers without breaking websites. If you're really paranoid, RequestPolicy lets you specify a whitelist of OK domains, and disable everything else. Both of those still allow javascript and do a 8better* job protecting your privacy, from tracking pixels etc.

-----




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: