I personally run JavaScript turned off by default, but I'm still ok with Mozilla's decision. I use NoSxript which provides the right functionality to do this, and anyone can download the add on. Completely disabling JavaScript for all sites breaks a ton of stuff and very, very few users would want to do that, hence no point in having it in the UI.
I also run with JS off by default and use the NoScript addon to control JS whitelists and blacklists. I find it useful to remove all the tracking, analytics and social bits that infest most websites. I get more speed and far more security from drive-by infections.
Surprisingly I have found that quite a few websites look better with no JS, probably due to their fancy fonts being disabled.
I find JS to be a good negative filter for sites that are large (in KB), slow and have annoying/weird UI. Just like Flash.
I wish people would make good HTML/Web Apps instead of trying to (badly) imitate desktop apps. To me, that means being lean and embracing the transactional style (see 3270).
Slow JS might be annoying but it's not particularly concerning , what is troublesome is the communication facilities of JS. I'd allow it by default if it had to request permission to phone home.
Typical worrisome cases are when a malicious script scrapes credential forms or the tracking of mouse cursor movements / page scrolling for advertising analytics.
Essentially, I'll tolerate the web server having logs of my access to the page, but what I do once I've rendered the page should be my own business.
> Typical worrisome cases are when a malicious script scrapes credential forms or the tracking of mouse cursor movements / page scrolling for advertising analytics.
You do realize that the only way JavaScript runs on a page is for the remote site to choose to include it, right? If you don't trust their JavaScript why would you ever put sensitive information in a form and submit it anyway?
If we ignore any JS inserted by an attacker that has MITM abilities, then yes, but consider the innocuous case of someone typing in a form field and then changing their mind about what to say.
If they can MITM you, you're already at risk in so many ways that trying to worry about the vanishingly small percentage of times where someone enters text without submitting it is just wasting time you should be using to setup HTTPS.
Next you'll tell me we shouldn't be able to disable images or stylesheets on a webpage.
If I want Javascript off on a webpage, I think I should be able to do that. Preferably with a keyboard shortcut or an easily accessible menu option (like Opera), because I agree with one thing (that the OP implied):
I can't be browsing the web, with Javascript disabled, and expect that everything works.
And recently I've been trying to come to terms with the fact that if I'm browsing without Javascript, a lot of things will stop working with no explanation or even an error message. It would be nice, but it's clear one cannot reasonably expect that.
I want to be able to disable JS just because. Yes most websites are well-behaved and use standard libraries and there is not much reason to disable JS, nothing you can't fix in a better way (I also agree often other ways would be "better").
But there are also non-well-behaved websites out there. So I want to be able to selectively enable and disable all types of content: images, CSS, JS, plugins, sound, video, you name it. Preferably all these settings would be saved per site (like Opera).
>JavaScript is quickly becoming a huge part of modern web applications.
But what if I'm not interested in 'web applications' and I just want to read web sites? Apparently Firefox isn't designed with that task in mind anymore.
This is an example of idea that would work in practice but being completely broken in theory (URLs don't have files nor extensions, although common URL looks like they do).
I assume Chrome already does this. If JS is not even executed, there is no reason to request files in script tags. I do not hate JS, I just dont care about it, same thing as Java Applets.
> Instead of having a global “disable JavaScript and cookies” flag we should instead invest more into things like tightly tuned browser extensions that intelligently remove obnoxious JavaScript from specific pages.
Now is there a way to disable modal/lightboxes with advertising offers or links to social media networks? I find that incredibly annoying.
I think this is a fine change. When I do family tech support which I'm sure many of you have done. I always install Firefox or chrome and remove the IE icon from the desktop, and just say "use this, not IE". At some point they end up disabling Javascript because they think it's java and they understand Java is insecure. So now when a page comes up broken, they get frustrated and load in IE. /facepalm
It's become clear that the way I want to interact with information, and the way that the industry is moving are disjoint. I have no interest in the browser as an application platform; the current state of the web is barely useful for me. I find applications built on the web stack in every instance inferior to native ones, but the economics dictates the triumph of the web page.
Sorry, but Javascript is a mess and 99% of the things I see it used for have always been possible without it. Why should I open myself up to the myriad privacy and security headaches and various other annoyances that come with Javascript, if you are not using it for something more than submitting forms, loading images, or clickable links?
"Some applications now are written as frontends to APIs and the application does not provide any rendering on the server side besides a nice error message that the website requires JavaScript"
1. Fix it
2. Stop using those APIs if they will not fix it (otherwise things will not be fixed)
"Many modern web applications can be much more performant because they take advantage of JavaScript"
That's nice, but I do not want you offloading your computation onto my computer. I may allow something like Folding@Home, but why should I allow something like rendering advertising?
"User interfaces that depend on JavaScript have much better abilities to make it enjoyable for a user"
User interfaces that work with or without Javascript and only use Javascript as an enhancement give you the best of all worlds. It is not impossible, you are just being lazy and trying to shut out people who disagree with you.
"A good example for instance is payment handling on the internet."
This is kind of like saying, "Every car should have OnStar; a good example is refueling!"
"You don't get extra privacy by disabling JavaScript"
Javascript on its own is sufficient to carry out numerous privacy violations, and presents various security problems. Yes, there are other things you can do, but if I stopped you from using everything else you could still use Javascript to accomplish your aims. Javascript also presents problems for Tor users, who might be de-anonymized (accidentally or deliberately) if they allow Javascript to run.
"At the same time I can enhance your browser experience"
Please do not do this; I do not want you "enhancing" my browsing "experience." All I want is to get the information I asked for, maybe post some comments, and manage my finances. I do not need any of these websites to have fancy UI effects, and while client side validation may be convenient for me it is not something I will miss terribly. My browser already knows what tabs are, how to load images, and how to submit forms. What are you adding that is worth the added risk of Javascript?
"We as developers should be happy that browsers go our way and make our life easier."
Sorry but my browser is supposed to work for me and not for you. If this is your argument for Javascript -- it makes your job easier -- then I see no reason not to keep it disabled by default. If life without Javascript is so terribly hard, the problem is with your techniques, frameworks, and designs -- fix those and leave my browser alone.
Why is this a value judgement? Making an interface work with and without Javascript takes more time - that's a given. Surely it's up to the team working on it to decide if that time is better spent on something else?
"Making an interface work with and without Javascript takes more time"
It should be a one-time cost if your design is not broken somewhere. There is not a lot of functionality that requires Javascript. I understand that having an in-browser spreadsheet automatically update cells as things change is going to be tough without Javascript, but that does not excuse the more basic things people use Javascript for: form submission, hyperlinks, loading text, etc. Your design is flawed, at a fundamental level, if you need to do a large amount of extra work to have this basic functionality work without Javascript.
Really though, in an age of web toolkits and large frameworks for creating pages with all this Javascript, there should not be any need to make such a choice. Whatever you are building your website on should already support a non-Javascript version; the only real issue is when you need to do something that is not already part of that toolkit. Again, I understand that sometimes Javascript really does make a particular feature of a website possible, but I am asserting that the vast majority of Javascript out there has nothing to do with such features.
"Surely it's up to the team working on it to decide if that time is better spent on something else?"
Users have to deal with the consequences of those decisions. If I cannot pay my hospital bill without enabling Javascript, then I have to enable Javascript -- regardless of my reasons for disabling it (and if for some reason I cannot enable Javascript at all, I cannot pay my hospital bill). Whitelists are not really a great solution; any NoScript user has surely had to play the "enable Javascript here, here, here, and here" game, trying to guess which scripts are important for a website to function and which are malicious advertiser scripts.
It's not a one-time. It's a continual maintenance headache. JavaScript allows for much nicer user interfaces than anything HTML can provide. As for gracefully degradation, I don't have time to support people without JavaScript. The best I can do is prevent those people from ever logging in by requiring javascript on the login form and rendering the support links client side.
Exactly. It is a business decision that each team makes. They need to decide if it is worth the extra man-hours and resources to appease a very small group of people who make a choice to turn off a big part of the web today. The best you can do is throw up a noscript message explaining why your app needs JavaScript.
"The best you can do is throw up a noscript message explaining why your app needs JavaScript."
Unfortunately, this is almost always a message explaining that your website demands Javascript, without an explanation as to why. I have yet to see the noscript message that says, "We only had time to create one version of the website, and we are too busy doing other things to create a non-Javascript version." I am not even sure what sort of technical reason could be given for requiring Javascript for form submissions or hyperlink functionality...
Nobody is disagreeing with you that sites that don't really need js shouldn't use js, but that's not what this is about. The browser is very fast becoming THE application platform for one single reason: accessibility. There is nothing you can do about it, you are fighting a losing battle. It doesn't matter that Javascript is a mess, or that there are security and privacy issues, that doesn't trumps accessibility. And people will want an experience that is more native like. The move to mobile has especially pushed this forward. Surfing the "old" web on mobile sucks more than that accessibility gets you most of the time. But make the web application more native-like, i.e. no round-trips, optimized for touch, responsive UI, offline caching, localstorage etc (which you CAN do even today, but will be better in the future), then the browser wins.
In conclusion, the browser is not simply a vehicle for displaying HTML content with links and simple forms anymore, it's an application platform, just get over it.
JS isn't there to replace hypermedia. It's there to give you a better user experience by augmenting what plain hypermedia can do. You can argue that many authors are doing a bad job of it, but that's a different discussion. Baby, bathwater, etc.
To take a trivial example: If HN didn't use js, an upvote would mean a server roundtrip and a payload of 50k or more for popular discussions. So mobile users get shafted. Crappy hotel wifi users get shafted. You are forced to update all discussion threads, even one you might be in the middle of, just to upvote. Basically, your experience is made worse.
And this is about the simplest use of JS I can think of. For other sites there are great opportunities to make your user experience better.
Now back in reality: my 1GB RAM netbook can afford about 15 pages, much less my 400MB smartphone. Such incredible hardware spoiled by feature misuse.
Web fonts, animations, components and tracking can go to hell. If people disable a feature there is a reason. If there are not many of them and they are highly educated, other just don't know how to remove all that crap.
And you got a full page reload for your troubles. That was the point. Had you enabled js, you'd get the better user experience, by not having to do that roundtrip. You might not care if you're at your desktop on a fat pipe, but performance and user experience matters. Speed matters.
Disabling javascript was the first thing I did when using a browser "back then". Javascript did/does not enhance my experience with the web. period. I get by nowadays with Noscript.
>Unfortunately there are cases where currently users are assuming that JavaScript is not necessary but is.
There are? I've never heard of that happening. The author should provide some kind of empirical evidence on the prevalence of that problem.
>It's a great day for a web developer when we can finally assume that a browser will have JavaScript running.
You can assume that without removing the option to disable JavaScript. In addition, technical users (the only one's who are disabling JavaScript) can still disable JavaScript using add-ons or using other browsers.
That is probably the wrong way to think about it. Its like saying "Well, we shouldnt be using motor cars because thats puts Horse carriages out of business". Or something to that effect.
We are moving towards a world where js is ubiquitous. Its everywhere..already. If web-crawlers dont support js completely ( looking at you google! ) then we should force them to (by creating more js based apps thats outside the crawlability of google ). If screen readers dont read js ( they should and thats why we have ARIA ), they will eventually. At the end of the day, as long as you are trying to adapt to them ( which is backward ) they will never move. Start moving swiftly and they will have to adapt to you.
In short, you imply the world's gone nuts and wants Turing-complete languages to be a strict requirement just to be able to display formatted text (with embedded multimedia objects).
Sorry, I'm just not comfortable giving anyone with a web server the permission to execute arbitrary code on my computer. I've had enough runaway 100% JS processes (hi, google code!) to make that obvious, not to mention the other benefits of blocking JS.
I just wish the browser would inform the server whether JS was enabled or disabled. That would make a host of things easier and providing a good experience more automatic.
Say "No" to coding what are basically boring static blog and brochure sites as if they were dynamic real-time webapps. That would make me say "Yes" to javascript.
Minor quibble: at least in the US English version, the checkbox is actually labeled "Enable Javascript", not "Disable Javascript".
> It's a great day for a web developer when we can finally assume that a browser will have JavaScript running.
That's a very good point. Even blind people no longer run their browsers with JS disabled [1]. As long as the content and navigation make semantic sense, I don't think there's any reason for a web designer or developer to refrain from adding frills with JS nowadays, any more than there is reason to refrain from using CSS. Both are integral parts of the package of specifications we call HTML5.
If a user even bothers to disable JS, he's intentionally asking you for a different experience, so give him a different experience! As long as the text is readable and the navigation links point to the right URLs, there's no need to try to make the <noscript> experience identical to the normal experience. No sane developer tries to make the no-CSS experience (e.g. lynx) identical to the normal experience, right?
My only complaint is with certain websites that make absolutely gratuitous use of JS, like using AJAX to load the text content of the page. That belongs to the same category as using tables for the entire layout. You don't go about disabling <table> tags just because people abuse it in annoying ways.
Speaking of Lynx, I've run across pages that simply tell the user to "Please use a modern browser that supports Javascript." I expect the experience to be the different in a text-only browser, but what I don't expect is not to be offered an experience at all.
Without coming across rude (I'm genuinely interested). Do people actually develop/design sites for text-only browsers?
I thought that stopped happening over a decade ago.
Specifically for text-only browsers? Probably not. But there are still people who enjoy the minimalist experience of a text-only browser, particularly for the speed, ease of reading, and keyboard control--not having to move the mouse and click on stuff. Plus they're more accessible to the blind. And they're often used for browser automation and web crawling / scraping code.
Essentially all you need to do in order to not break the experience for text-only users, is to have your server generate a sane HTML document in the absence of JS and CSS. It's generally not that hard, unless your site is a single-page app where everything is in a client-side Javascript framework. In that case you would actually need to build two separate sites, and most devs probably aren't going to bother since text-only users are a low single digit percentage of internet users as a whole.
"I believe there are two reasons why some people want to disable JavaScript: the feeling of extra privacy and improving page speeds."
I normally get along with Armin, but I feel that he left out a key thing here: Some people disable JS because they feel that JS obfuscates and degrades the Web-browsing experience. Sadly, we are no longer catering to these people: viewing a website without JS enabled should not render the fundamental content of the website unavailable, and we have forsaken that ideal in favor of fancy bells and whistles on our pages.
There's a fourth reason, as well: JS should not be required on grounds of security, not just privacy. Sites should not have to run what is essentially unsafe, privileged, arbitrary code in order to do their daily business. A company might claim that their JS is harmless because it only animates a title bar or powers a dropdown menu, but proving that requires a manual audit of all JS on the page, which amounts to thousands of lines of JS on a modern site. (Have you read through the copy of jQuery being served to you? Probably not.) Common repositories of JS ameliorate the problem somewhat, but it can't be eliminated.
This is not okay, by the way. Requiring JS to read a news article, or upload an image, or view a forum thread, is insane and we should not tolerate it.
> JS should not be required on grounds of security, not just privacy. Sites should not have to run what is essentially unsafe, privileged, arbitrary code
JavaScript is by far the most heavily sandboxed, restricted code in common use. If you think it's harmful to have JS running on someone's site you need to learn more about web security.
If I can inject JavaScript into the page I can also inject HTML with a big “Win a free iPad click here!” link. JavaScript is the symptom, not the disease.
