Why Required JavaScript is Wrong
I keep JavaScript turned off most of the time because I don't feel that
it adds to my experience, and because I am aware of the security risks
of having it enabled. If a site uses JavaScript but it is optional,
I have no objection. It is the sites which require JavaScript, often
just to enforce a designer's 'look,' which I object to. My idea of
incorporating JavaScript to make people aware of the problems with
JavaScript is a result of many frustrating hours of turning it on
to view sites which had information I needed, and leaving sites which
otherwise seemed interesting, because they violated my principles with
their required JavaScript.
Let me state it again: JavaScript as an idea is not bad.
It can be useful to do things like
client-side parameter checking to reduce bad requests to the server,
or limiting choices based upon previous selections without reloading
pages. But that's all it is good for--adding to the experience. Too
many people mistake it for required functionality, forgetting the browsers
that can't handle JavaScript (such as phones, or many browsers used
by disabled people), and the people like me, who believe that
90% of all JavaScript is just annoying bells and whistles.
I really despise sites which require JavaScript to simply view or
navigate. There are the sites with on-click submits and no submit button
for the form; the ones that display blank pages; and the ones that
order you to enable JavaScript, and, if you do, show nothing that
even needs JavaScript. It's even worse when the sites are ones you
need to use, like the telephone directory
or the train schedule.
Here are some specific complaints I have about required JavaScript:
- JavaScript 'enhancements' are often irritating.
Often, JavaScript 'enhancements' just annoy me. For example, many
airlines use JavaScript to check proposed travel dates. On more than
one website, I've tried to change my outbound date, only to have the
date reset with the error message that my outbound date is after my
return date. Of course it is--I haven't gotten to the return field,
which is always shown after the departure field. The program is trying
to be helpful, but it's irritating. I also don't enjoy windows popping up
if I haven't clicked for them, or automatically submitted forms.
To make matters worse, the JavaScript is often browser-dependent, so
that even if I do enable JavaScript, I can't view the site with
Mozilla.
The argument that most people have JavaScript enabled and enjoy
these enhancements doesn't wash. Of course everyone who visits
a site which requires JavaScript has JavaScript enabled or goes away.
Given enough sites like it, most people will have JavaScript enabled.
But they won't necessarily like it. Many companies are phasing out
pop-up ads after finally recognizing that they simply annoy people.
Read why relying
upon such statistics is a bad idea.
- JavaScript reduces accessibility.
The World Wide Web Consortium (W3C)
has written web content
accessibility guidelines. Guideline 6.3 involves making
content accessible to users without requiring scripting. This
issue is rated priority 1, meaning that a site which does not
follow this guideline is not even minimally accessible. Priority
1 is defined as "A Web content developer
must satisfy this checkpoint. Otherwise, one or more groups will find
it impossible to access information in the document. Satisfying this
checkpoint is a basic requirement for some groups to be able to use
Web documents."
When a private company chooses to ignore accessibility, it is rude. If
an alternative service is available, I will use it, or, oftentimes, I
will simply decide that I don't need whatever the company is offering.
When a government-run service, or a private company which provides
a public service, does this, it
should be illegal. It is the same principle as requiring new public
buildings to be made to accommodate wheelchairs.
- JavaScript is a client-side security risk.
A
somewhat outdated list of security flaws with JavaScript is available
at W3C (section 8). It is interesting to note that they advise
turning off JavaScript if you are concerned about security risks.
More up-to-date security information can probably be found through
a search.
- JavaScript can be a server-side security risk.
At first, this may not appear to be an issue for you, the user. If
a site uses JavaScript to validate form data, you may be grateful
that you do not have to contact the site in order to find that there
was an error in the way in which you entered your data. Instead, you
will be prompted to correct it immediately. It is also an advantage
to the site, because it reduces server load by fixing data before it
is sent.
The problem arises when the site relies upon JavaScript to check
the data, or when the JavaScript and server-side checks get out of
sync.
Obviously, it's time-consuming to write both JavaScript validation
routines and then to write the same code for your server-side application,
although there are tools which can assist in this. Sometimes this
extra burden leads to different requirements server-side and client-side.
If the two clash, the problem will be spotted rapidly. But if the server-side
is more permissive than the client-side, a possible exploit has been
introduced. The situation is far worse when the site relies upon
JavaScript to check the data and doesn't employ a server-side check at
all.
Remember that JavaScript is optional. At best, if a site is relying
upon JavaScript validation, someone who has JavaScript off may accidentally
introduce incorrect data. Yet the real concern is someone introducing
malicious statements into fields. If a form field is simply put in
a database without further verification, someone may be able to modify
or delete data by submitting a database command.
Again, this may seem irrelevant to you as the user. But what if the
site in question is your bank, or another institution which might
hold private information about you?
There probably isn't much you can do, aside from supporting legislation
which requires companies to report to clients when security has been
compromised, and also informing companies which appear to rely upon
JavaScript of your concerns.
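The mismatch between client-side and server-side checks described above can be tested mechanically. The following is an added example, not code from the original page; the field names, rules and inputs are constructed for illustration. It lists the inputs that only the server accepts, and shows a server handler that validates on its own whether or not the browser ran any script.

```javascript
// Added example. Field names, rules and inputs are constructed, not from a real site.

// One rule set, meant to be loaded by both the browser script and the server.
const rules = {
  username: v => /^[A-Za-z0-9_]{3,20}$/.test(v),
  quantity: v => /^[0-9]{1,3}$/.test(v) && Number(v) >= 1,
};

// A server-side copy that has drifted: username is only length-checked, so the
// server accepts characters the client-side check would have rejected.
const driftedServerRules = {
  username: v => v.length >= 3 && v.length <= 20,
  quantity: rules.quantity,
};

// List every (field, value) the server accepts but the client rejects. Only a
// browser with JavaScript off, or a hand-built request, can deliver these.
function findServerOnlyAccepts(client, server, corpus) {
  const gaps = [];
  for (const [field, values] of Object.entries(corpus)) {
    for (const value of values) {
      const clientOk = client[field] ? client[field](value) : true;
      const serverOk = server[field] ? server[field](value) : true; // no rule: no check
      if (serverOk && !clientOk) gaps.push({ field, value });
    }
  }
  return gaps;
}

// Server-side handler: checks every field itself and never assumes that the
// browser ran any validation script before sending the form.
function handleSubmit(form, serverRules) {
  const errors = Object.keys(serverRules)
    .filter(field => !serverRules[field](String(form[field] ?? '')));
  return errors.length ? { status: 400, errors } : { status: 200, errors: [] };
}

// Constructed inputs, including values a script-less browser could submit.
const corpus = {
  username: ['alice_01', 'ab', "o'brien;", 'bob<b>'],
  quantity: ['1', '0', '-5', '999', '1e3'],
};

console.log(findServerOnlyAccepts(rules, driftedServerRules, corpus));
console.log(findServerOnlyAccepts(rules, {}, corpus).length, 'gaps with no server check');
console.log(handleSubmit({ username: "o'brien;", quantity: '1' }, rules));
```

Passing an empty rule set as the server side models a site with no server-side check at all: every value the client would have rejected shows up as a gap.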