[thelist] Who really turns off JavaScript?
Tom Dell'Aringa
pixelmech at yahoo.com
Fri Nov 4 09:39:50 CST 2005
--- Chris at globet.com wrote:
Great points Chris..let me respond...
> I do this for several reasons <snip>
I hear you - although I would put that in the category of "developers doing stuff that normal
people don't." I'm not saying I disregard the fact that you do it, though. And you don't do it all
the time, you're doing it for a specific purpose (a purpose which makes sense too.) Again, I think
most people in general terms are not even sure how to turn it off.
> A website that relies so heavily on javascript that it breaks if javascript is turned off is not
> accessible, therefore exposing its owners to potential financial liability.
Oh, I certainly agree with the above statement. I don't want to give the impression that I think
it's okay to go nuts because you think all, or a majority, of users have it turned off.
> In your article you say "I'm no security expert..." but then proceed to make a judgement on
> security issues.
Hmm..true! Which is why I qualified myself as a non-expert first. It's partly why I'm trying to
get more information on the issue. I guess I'm trying to figure out what is the real security
issue - is it really JS or is it something else?
> In addition you say "Sure, this is only one report from one web site for one
> period of time. But it's a good sample." One report from one site for one period of time makes
> the sample inherently almost without value; at least in statistical terms.
Right, I didn't word that very well. It's not really ONE sample, it's really MILLIONS of samples.
Every person that visited was a sample. Now granted, it is ONE website - so point taken. Each site
has a particular audience.
> I've read your posts
> on this list for years and am aware that you're certainly no novice, so please don't take this
> as a personal criticism. I am however a little surprised that you would appear to be arguing
> against creating websites that do NOT rely upon javascript.
But I am not arguing that point (and I never say that either). I'm really more curious about the
number of people that actually do turn it off and here's the key - *how far* do we really need to
go in providing alternatives. Case in point - DHTML menu systems. You better have some kind of
alternative for that (personally, I don't like them and avoid them at all costs if I can). It
depends on the usage. Some Ajax functionality is really great but it's an enhancement - take
Google Suggest. You could still run your search, but you wouldn't get the suggestions.
> I have personally found that one of the biggest security issues with javascript is that
> dependency on it masks deeper security vulnerabilities within the application in question.
Good point - which I guess shows why any organization should have a comprehensive security
strategy in place.
> I draw your attention to point 10 in the following essay:
> <http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx>
Good stuff. Thanks for weighing in Chris!
Just a note to everyone - I am NOT advocating that we use JS without thinking it through. But JS
has become an integral part of the web experience more than ever - so these things interest me
(espeically since I love JS). And as someone pointed out on another list - turning off JS is a
voluntary action - they are choosing to do so and that choice does come with consequences.
Certainly it depends on what site you are on and if you are disabled or not - that choice might be
"forced" on you if you are disabled - and that is the type of thing I'd like to know more about.
Tom
http://www.pixelmech.com/
A man spoke frantically into the phone: "My wife is pregnant and her contractions are only two minutes apart"! "Is this her first child?" the doctor asked. "No, you idiot!" the man shouted. "This is her husband!"
Q: What do you call a muddy chicken who crossed the road two times?
A: A dirty double crosser...
More information about the thelist
mailing list