[thelist] Who really turns off JavaScript?

Chris at globet.com
Fri Nov 4 09:24:58 CST 2005


Tom

> How about a good Friday discussion. Our own version of 
> mythbusters. I just blogged an article about the question 
> noted in my subject line:
> 
> http://www.pixelmech.com/notebook/2005/11/who-really-turns-off-javascript
> 
> With Ajax gaining popularity and JS being so integral to a 
> lot of what we do in the last couple years, I'd really like 
> to get some takes on the subject. Web myth or otherwise? You 
> tell me...but I say "myth."

In answer to the question in the subject line: I do.

I do this for several reasons, one of which is: I'm curious about the dependency on javascript of some websites that I visit. I'm curious because these websites hold data about me, and on more than one occasion I have found that turning off javascript exposes further serious vulnerabilities.

I also sometimes turn off javascript when I'm using the internet for information gathering, and get sick of websites constantly trying to run scripts from within my browser that do nothing that benefits me whatsoever.

A website that relies so heavily on javascript that it breaks if javascript is turned off is not accessible, therefore exposing its owners to potential financial liability.

In your article you say "I'm no security expert..." but then proceed to make a judgement on security issues. In addition you say "Sure, this is only one report from one web site for one period of time. But it's a good sample." One report from one site for one period of time makes the sample inherently almost without value; at least in statistical terms. I've read your posts on this list for years and am aware that you're certainly no novice, so please don't take this as a personal criticism. I am however a little surprised that you would appear to be arguing against creating websites that do NOT rely upon javascript.

I have personally found that one of the biggest security issues with javascript is that dependency on it masks deeper security vulnerabilities within the application in question. In addition: if I have javascript turned off, I would like the application to handle this state and allow me to make the choice of turning javascript on or exiting the application rather than simply throwing some kind of exception.

I draw your attention to point 10 in the following essay:

<http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx>

All the best!

Regards

Chris Marsh




