Firefox 23 Makes JavaScript Obligatory

mikejuk writes "It seems that Firefox 23, currently in beta, has removed the option to disable JavaScript. Is this good for programmers and web apps? Why has Mozilla decided that this is the right thing to do? The simple answer is that there is a growing movement to reduce user options that can break applications. The idea is that if you provide lots of user options then users will click them in ways that aren't particularly logical. The result is that users break the browser and then complain that it is broken. For example, there are websites that not only don't work without JavaScript, but they fail in complex ways — ways that worry the end user. Hence, once you remove the disable JavaScript option Firefox suddenly works on a lot of websites. Today there are a lot of programmers of the opinion that if the user has JavaScript off then its their own fault and consuming the page without JavaScript is as silly as trying to consume it without HTML."

Let's dumb it down for everyone

[h4rr4r]

Why is this a thing?
Why must we dumb down everything?

Re:Let's dumb it down for everyone

[Obfuscant]

Because if you don't, a significant number of "dumb" people will complain loudly that your program "sucks" because it "broke the Internet" on their computer, and slowly the world's view of your software will degrade.

Rightly so, if your web page demands to run arbitrary code on other people's computers. And isn't smart enough to detect (like many sites already can) that the reason why the user isn't getting "an optimal web experience" is because he's turned javascript off, and you can't be arsed to tell him how to turn it back on and why he should.

And then leave the decision in the hands of the user, not the browser writer.

Re:why?

[Joce640k]

Maybe, maybe not ... but there's definitely a lot of privacy and distracting-advertising issues.

Re:why?

[parkinglot777]

I doubt that there is no more security issue with JS (for now and not even talk about in the future). It may be a good time for me to use only Chrome for browsing, and use FF for developing web pages locally (for their easy-to-use Firebug add-on). Wikipedia (https://en.wikipedia.org/wiki/JavaScript) has some vulnerability issues for JS (may or may not be outdated by now).

If true then no reason to use Firefox

[Spy+Handler]

I still use Firefox over Chrome because it has a much better array of options and is more customizable than Chrome. Even though Chrome is faster, has better updates, can save to PDF, comes with popular plugins built in as opposed to having to download them separately, etc etc.

Firefox devs please get a clue. Apple and Google need to reduce options because they have to appeal to the clueless masses. You do not. You cannot go toe to toe with the big guys by trying to be exactly like them.

Re:why?

uh, duh. do bears shit in the woods?

Simple != Dumb

[sjbe]

Why must we dumb down everything?

More like simplifying. Everything should be made as simple as possible but no simpler. Why have a menu option that never gets used? That is pretty much the definition of pointless. I'm pretty geeky and like to tinker with things but a menu option that never ever gets used is wasteful.

I cannot remember the last time I disabled Javascript and I'm pretty confident that somewhere north of 99.9% of users never disable it either. Much of the modern web would be useless without Javascript. So long as there remains a method (extension, etc) to disable it if desired (ala NoScript) I really don't see the big deal.

Re:Simple != Dumb

Just because you don't use that options doesn't nobody else does. And im pretty confident that that 99.9% figure of yours is wrong, i myself and other people have disabled javascript explicitly and as shocking as it may sound, most sites do NOT need javascript to function properly, and most of those who do are not worth it.

Re:Simple != Dumb

[Swarley]

When you try to substitute fortune cookie slogans for reasonable argument only idiots will listen to you.

Re:Solution in extensions

[Hatta]

The folly is in writing pages that cannot be viewed without javascript. If you want to run software, run it on your computer, not mine, because I don't trust your code.

And anyway, there's very little that actually uses javascript for anything useful. Most sites that are unusable without javascript could have easily been coded to be usable. Are drop down menus really so critical? If anything there needs to be more pushback against sites that don't degrade gracefully, not less.

Please enjoy your drive-by infections

Ad networks are compromised all the time. Ads are the primary users of javascript. Coincidence?

Who gives a shit if websites break when java or javascript are turned off. I turn that shit off as much as possible, I use NoScript becuase I despise the fact that no matter how careful I am, no matter how up to date I run my antivirus, my browser, and my JRE, I can STILL get a goddamned drive by infection if I allow javascript to run unchecked.

No, Blowzilla, the problem is NOT with users clicking things they have no idea about, the problem here is JAVASCRIPT. Its just another ActiveX, its just another virus vector. It needs to be eliminated from use entirely. It SHOULD ask permission to run by default. That way websites can at least put in a message "To see video you need to say Yes to this." "To read this article you need to say yes to this." and the ad networks can start working around things by going BACK to gifs and static ads and links instead of crap that blares through my speakers about shit I do not care about (seriously, is everyone coming to Slashdot a big corporate IT manager in charge of buying new server racks? IBM and others seem to think so) while using fast-moving images (hey just like the BLINK tag but with pictures!) to try and distract me from...the CONTENT.

Seriously, this is a retarded move, thank you Mozilla for INCREASING the number of infected machines on the web. I am sure the Russians and other blackhat collectives thank you.

Morons.

Re:I view this as a good thing

[Phreakiture]

I would be with you 100% if I felt that the Internet at large could be trusted. It can not.

Re:why?

[julesh]

Are there still security issues with having JS enabled?

Javascript is used by most malware installation systems. The typical route is that a trustworthy hacked site is modified to include a <script> tag with its source on the malware hosting domain. The resulting script will then use some mechanism to attempt to install malware, either simply dropping an executable download on the visitor and hoping they run it, or attempting to exploit either a browser or a browser plugin bug. Turn off javascript, and the exploit is never downloaded, so can't run.

There are also direct browser attacks that would require javascript to function, e.g. http://www.mozilla.org/security/announce/2013/mfsa2013-53.html or http://www.mozilla.org/security/announce/2013/mfsa2013-46.html (to pick a couple from the last month or two).

So, yes, your system is still less secure if you have JS enabled than if you don't.

Re:Solution in extensions

[girlintraining]

I'm running FF23 beta on my personal system and NoScript is still working as before.

People seem to be forgetting that javascript can break a lot of accessibility readers. Everything about HTML, CSS, etc., was about separating content from layout. Javascript shits on that entire model, as does Java, ActiveX, and most other plugins.

Web developers should continue to create websites that don't require javascript, and we shouldn't be in such a hurry to move away from that. The promise of the internet was accessibility, the ability to freely share information, and to connect everything together.

This push towards app-ification of the internet, the W3C caving to DRM in HTML5... it's after the very heart and soul of the internet. The internet we built, as hackers, as creatives, as professors, academics, researchers, scientists... it's being gutted. And Firefox, the white horse of the "free" internet, in it's 11th hour of need, chooses this?

They should be ashamed.

Re:why?

[erroneus]

Indeed, the absense of NoScript is a security issue.

Re:why?

[Culture20]

What was stupid about ActiveX was that operating system updates back then required it (unless you wanted to download and install them all by hand), so you couldn't disable it once and for all.

Re:why?

[cdrudge]

Not to nitpick, but those are privacy issues, not security issues. They aren't mutually exclusive of each other, but they aren't the same either.

Re:why?

[khasim]

What exactly was "stupid" about ActiveX aside from potential malicious code (either directly or via overflows) that was either enabled by default or presented to the user with a "just click yes so the website will work" style input box?

Isn't the part about enabling malicious code by default stupid enough?

Firefox "avoided" this by not implementing ActiveX but most or all of the functionality was recreated in Javascript, giving it basically the exact same level of "stupid" with the benefit of having learned from about 10 years of exploits.

It's more of the "globally disabled EXCEPT for a whitelist maintained by the user".

It's the security methodology that is the difference.
Global enable vs global deny.

And Microsoft had the exact same reasoning behind their global enable. It makes it easier for THIRD PARTIES to present their content in the way that they want to the user.

That's almost acceptable when those THIRD PARTIES are trustworthy.

But those THIRD PARTIES could just as easily be crackers. And why make it easier for crackers to run their code on your computer in the way that they want to?

Re:I miss progressive enhancement

[Intrepid+imaginaut]

I miss the days when web developers still gave a shit about progressive enhancement.

I miss the days when you couldn't be considered a real web developer unless you could make a CSS Zen Garden (http://www.csszengarden.com) skin without cheating by changing the markup or using JS.

I miss the days when you were only considered a good web web developer if your site was usable with both JS and CSS disabled because you used semantic HTML.

I miss the days when accessibility still mattered.

I miss the days when writing semantic HTML, enhancing it with CSS, and enhancing it further with JS was considered the best practice, rather than starting with just JS and an empty body tag as is so common today.

I miss the days before the now popular false dichotomy of thinking that progressive enhancement is extra work was popular among web developers.

Those days never existed. Seriously, do you remember what things were like back in the 90s? Or the early 00s? It's a bit early for the rose coloured blindfold to drop I think.

Re:why?

[Jane+Q.+Public]

Not to nitpick either, but they're both.

When people can track what you are doing while sitting in front of the computer, it's a VERY BIG security issue.

Re:why?

[Fuzzums]

Some sites have java script that disables context menus (right mouse button) and other things that I don't want. That's why I want to be able to control what my browser does and turn java script off if that gives me a better user experience.

Re:why?

Great idea. Use Chrome - made by the company that freely gives away information to the NSA.

I'm sure there aren't any back-doors or security problems there....

Re:Solution in extensions

[johnlcallaway]

The other folly is web authors expecting people to just let code on some unknown server run on my box. If something requires javascript, the author should have the decency to detect it is disabled and either fail gracefully or send the user to a page saying javascript is required. A large part of javascript out there is simply 'pretty printing' or other 'kool' type of manipulation that isn't necessary at all. I'll gladly give up the automatic mouse over pop-ups, annoying text boxes that travel down screen, and pop-up/roll-over menus for standard HTML. Too many web page authors like to use things just because they are cool instead of things that actually add value. Sure, I like calendars that are clickable. But I don't have to have them, just let me enter the god damn date and accept several different formats instead of being lazy and forcing me to use a calendar because someone is too lazy to actually have to code something.

Sure .. Goggle requires javascript. But I'll be damned if I'll let doubleclick or a host of other servers run their javascript on my box whenever I visit a web page, even if I trust it. If NoScript stops working, I will be searching for alternatives. I browse with NoScript and often run into pages that fail miserable. But I can select the list of servers I trust and reload if I choose to.

Or not use their web site at all.

It's all anecdotal, but it seems that I get far fewer virus infections than many people that just blindly turn it on.

Re:why?

[Jeremiah+Cornelius]

Now this furore is a little silly.

Hey! Word to the wise: about:config I doubt the feature is actually removed...

I assume that this is a UI change and that Mozilla is removing a button, that caused a greater cost to support, than justify with benefit.

Really, the advanced web user, who is judicious about enabling script, can opt for a plugin, if they want a button.

Re:Noscript is useless

[Znork]

Eh, no. Steps 1-2 happen, step 3 is when you note you've suddenly got 48 guys from seedy domains that sound vaguely like STD's slobbering all over over your keyboard and you slowly back away, disabling javascript from the first two again and hope you didn't catch something.

No site requires javascript from 48 other sites to show you something you want to see. That code is there to show someone else something about you, monetize you, violate your privacy, etc, and once you're past half a dozen sites it's far beyond too creepy to be worth it.

Re:Solution in extensions

[drinkypoo]

The folly is in writing pages that cannot be viewed without javascript.

The folly is assuming that the internet is still all "web pages" instead of applications.

The irony is that you're assuming that he's not making a distinction between classic pages of content and applications when he says "pages".

Google's services are the obvious screaming example of useful Javascript.

Google is a perfect example because their primary namesake service works without Javascript. The other services would be a PITA to implement fallback on, you'd basically be implementing them all over again, so there's at least a good excuse for not handling that case. What I think most people are upset about (here I go making assumptions) is pages of content that don't need Javascript which are designed to require Javascript for one reason or another — usually either as a means of forcing advertisements on viewers, or because it's easier than doing the same thing in CSS, even though that is completely possible.

There are plenty of sites and applications that interact with users in similar ways (small individual actions on a much larger interface) where it would be stupid to not use Javascript to keep the data transfer and response times to a minimum.

What's stupid is not using a content management system which can gracefully degrade to HTML. Even Drupal and Wordpress manage to achieve this in most cases. My website has AJAX page loading and all that fancy crap, but it also works perfectly fine if you disable javascript. It just takes more full page loads. These things exist and you don't even need to pay for them if you're cheap, which is a condition with which I can identify. If your whole site depends on quick response to a feature (to use your example, the "like" button on facebook) then you have a clear reason to require Javascript. But contrarily, a newspaper which fails to show me news content when I disable Javascript is demonstrating to me that their function is not to show me news, but to show me advertisements. This is not shocking, but it disinterests me in their content.

TL;DR if your webpage can reasonably degrade to plain HTML+CSS (or even HTML) and it doesn't, then you're just making bullshit excuses; if it reasonably requires Javascript, then users will reasonably enable Javascript.

Re:Google doesn't "freely give" away information.

Google and Yahoo both pushed back hard against the NSA's programs.

Google hardly pushed back at all. Describing what they did as "pushed back hard" is utterly ridiculous.

Re:why?

[Jah-Wren+Ryel]

ActiveX was actually smart in the way that it executed fast native code instead of slow interpreted Javascript.

Yeah, smart like in the way it is smart to give a gun to the guy mugging you with a his bare hands.

Yeah, focus is slipping

[Medievalist]

they're trying all kinds of stupid shit and this "the user is a stupid dolt" move from them is just the latest dick move

Disrespecting the end user is one of the stages of software development team meltdown.

Re:Google doesn't "freely give" away information.

[Dputiger]

Google is the company pressing in court to be able to talk about NSA gag letters. They were doing it, Pre-Snowden. That's not significant?

The bigger point, however, is that Google didn't have a choice. Microsoft didn't have a choice. Yahoo didn't get a choice. And if the NSA/FBI start gunning for Mozilla, Mozilla won't have a choice, either..

Re:why?

[UltraZelda64]

Do you realize just how much of a pain in the ass Firefox has become over the years due to Mozilla's insistence of removing and changing features along with the ability to change them back with the GUI? Instead we have to deal more and more (and more...) with a cryptic Mozilla equivalent to the Windows or GNOME registry. I bet you love the registry if you have no problem with about:config being even more heavily used. It was fine when it was reserved primarily for "special" options... but more and more, it's becoming like GNOME where it has to be used for damn near every fucking thing. All because Mozilla, for whatever reason, feels to go down the Google/GNOME path of dumbing their browser down to hell and back.

Re:why?

[strimpster]

What are you doing in Firebug that you can't do in Chrome's developer tools? IMO Chrome's developer tools provides much better support to developers. There are a lot of features that Chrome's developer tools has that I don't think exist in Firebug, albeit that I haven't used Firebug on a daily basis in a couple of years. As an example, the Timeline/Profiles features for analyzing poor performance.

Sigh. I prefer to block javascript..

[toonces33]

My main beef is that I may have 30-40 tabs open, and find the browser consuming 50% CPU on the laptop - all because of misbehaving javascript that runs and performs useless updates in the background. And firefox doesn't make it easy to figure out which tab is the culprit, so you just have to start killing them at random until the CPU usage goes down. At least until you learn from experience which websites have the offending javascript.

On many web sites I use the javascript is gratuitous. Eye candy and whatnot, or huge scripts to manage useless comment systems that I never use.

And why do I care? It makes the machine sluggish and burns through the laptop battery more quickly, and the laptop runs hot.

But Firefox can do what it wants - I still use noscript and adblockplus to selectively block scripts.

Re:Hasn't this ship sailed?

[interkin3tic]

Just to be clear, it's not that I distrust javascript. It's that I distrust YOU.

Re:Solution in extensions

[X0563511]

People seem to be forgetting that javascript can break a lot of accessibility readers. Everything about HTML, CSS, etc., was about separating content from layout. Javascript shits on that entire model, as does Java, ActiveX, and most other plugins.

That's because it was a shit model. Clear, yes, simple yes, all that useful for doing stuff, not so much.

You seem to forget that HTML, CSS, etc is for webpages, not applications.

If you don't like what HTML, CSS, etc model and want your stuff to behave like an application... then write a fucking application instead! ... and get the hell off my lawn, too.

Re:why?

[Blue+Stone]

Seriously, for me: No NoScript = No Firefox.

I'll fuck off and use a different browser.

Re: why?

[UltraZelda64]

Ever have a rogue script on some shitty web site take up 100% of one of your cores, with no easy way to figure out what page it is because you've got several tabs open? Hell, good luck finding out if that bad script is even running directly on one of those pages--chances are it's not, it's some third-party completely unneeded junk running on another domain entirely. NoScript has pretty much eliminated this problem.

I have a dual-core 2 GHz processor and, trust me, when you've effectively got only one useful core because the other one is overloaded... you know it. Never mind the fact that it's not good for the hardware to be running a core at full power/heat all the time, not finding out until it's been burning power for an hour, two, three, or who knows how long. Should I really have to worry about some script running without my knowledge when I go to sleep just because I happened to leave Firefox running with a few dozen tabs open?

And why the hell would I get a second computer if I can solve the problems on the one I have?