The owner of this site in profile, in black and white with a violet wash. (link to homepage)   Why Required JavaScript is Wrong

I keep JavaScript turned off most of the time because I don't feel that it adds to my experience, and because I am aware of the security risks of having it enabled. If a site uses JavaScript but it is optional, I have no objection. It is the sites which require JavaScript, often just to enforce a designer's 'look,' which I object to. My idea of incorporating JavaScript to make people aware of the problems with JavaScript is a result of many frustrating hours of turning it on to view sites which had information I needed, and leaving sites which otherwise seemed interesting, because they violated my principles with their required JavaScript.

Let me state it again: JavaScript as an idea is not bad. It can be useful to do things like client-side parameter checking to reduce bad requests to the server, or limiting choices based upon previous selections without reloading pages. But that's all it is good for--adding to the experience. Too many people mistake it for required functionality, forgetting the browsers that can't handle JavaScript (such as phones, or many browsers used by disabled people), and the people like me, who believe that 90% of all JavaScript is just annoying bells and whistles.

I really despise sites which require JavaScript to simply view or navigate. There are the sites with on-click submits and no submit button for the form; the ones that display blank pages; and the ones that order you to enable JavaScript, and, if you do, show nothing that even needs JavaScript. It's even worse when the sites are ones you need to use, like the telephone directory or the train schedule.

Here are some specific complaints I have about required JavaScript:

  1. JavaScript 'enhancements' are often irritating.
    Often, JavaScript 'enhancements' just annoy me. For example, many airlines use JavaScript to check proposed travel dates. On more than one website, I've tried to change my outbound date, only to have the date reset with the error message that my outbound date is after my return date. Of course it is--I haven't gotten to the return field, which is always shown after the departure field. The program is trying to be helpful, but it's irritating. I also enjoy don't windows popping up if I haven't clicked for them, or automatically submitted forms.

    To make matters worse, the JavaScript is often browser-dependent, so that even if I do enable JavaScript, I can't view the site with Mozilla.

    The argument that most people have JavaScript enabled and enjoy these enhancements doesn't wash. Of course everyone who visits a site which requires JavaScript has JavaScript enabled or goes away. Given enough sites like it, most people will have JavaScript enabled. But they won't necessarily like it. Many companies are phasing out pop-up ads after finally recognizing that they simply annoy people. Read why relying upon such statistics is a bad idea.

  2. JavaScript reduces accessibility.
    The World Wide Web Consortium (W3C) has written web content accessibility guidelines. Guideline 6.3 involves making content accessible to users without requiring scripting. This issue is rated priority 1, meaning that a site which does not follow this guideline is not even minimally accessible. Priority 1 is defined as "A Web content developer must satisfy this checkpoint. Otherwise, one or more groups will find it impossible to access information in the document. Satisfying this checkpoint is a basic requirement for some groups to be able to use Web documents."

    When a private company chooses to ignore accessibility, it is rude. If an alternative service is available, I will use it, or, oftentimes, I will simply decide that I don't need whatever the company is offering. When a government-run service, or a private company which provides a public service does this, it should be illegal. It is the same principle as requiring new public buildings to be made to accommodate wheelchairs.

  3. JavaScript is a client-side security risk.
    A somewhat outdated list of security flaws with JavaScript is available at W3C (section 8). It is interesting to note that they advise turning off JavaScript if you are concerned about security risks.

    More up-to-date security information can probably be found through a search.

  4. JavaScript can be a server-side security risk.
    At first, this may not appear to be an issue for you, the user. If a site uses JavaScript to validate form data, you may be grateful that you do not have to contact the site in order to find that there was an error in the way in which you entered your data. Instead, you will be prompted to correct it immediately. It is also an advantage to the site, because it reduces server load by fixing data before it is sent.

    The problem arises when the site relies upon JavaScript to check the data, or when the JavaScript and server-side checks get out of sync.

    Obviously, it's time-consuming to write both JavaScript validation routines and then to write the same code for your server-side application, although there are tools which can assist in this. Sometimes this extra burden leads to different requirements server-side and client-side. If the two clash, the problem will be spotted rapidly. But if the server-side is more permissive than the client-side, a possible exploit has been introduced. The situation is far worse when the site relies upon JavaScript to check the data and doesn't employ a server-side check at all.

    Remember that JavaScript is optional. At best, if a site is relying upon JavaScript validation, someone who has JavaScript off may accidently introduce incorrect data. Yet the real concern is someone introducing malicious statements in to fields. If a form field is simply put in a database without further verification, someone may be able to modify or delete data by submitting a database command.

    Again, this may seem irrelevant to you as the user. But what if the site in question is your bank, or another institution which might hold private information about you?

    There probably isn't much you can do, aside from supporting legislation which requires companies to report to clients when security has been compromised, and also informing companies which appear to rely upon JavaScript of your concerns.

Further reading:

Site
  • About site
  • FAQ
  • Homepage
  • Index

Me
  • About me
  • Contact
  • Haunts
  • mAnnual
  • Rants
  • Résumé

Leftovers
  • External links
  • News
  • Settings

Photos
  • Me
  • Morocco
  • Iceland
Copyright, rights reserved, &tc: Ann Barcomb, 2004 - 2015.
This page was last modified
719 days ago.

Quick link: Turn off JavaScript, or modify graphical/accessibility level