Slashdot Mirror
Firefox 23 Makes JavaScript Obligatory
mikejuk writes "It seems that Firefox 23, currently in beta, has removed the option to disable JavaScript. Is this good for programmers and web apps? Why has Mozilla decided that this is the right thing to do? The simple answer is that there is a growing movement to reduce user options that can break applications. The idea is that if you provide lots of user options then users will click them in ways that aren't particularly logical. The result is that users break the browser and then complain that it is broken. For example, there are websites that not only don't work without JavaScript, but they fail in complex ways — ways that worry the end user. Hence, once you remove the disable JavaScript option Firefox suddenly works on a lot of websites. Today there are a lot of programmers of the opinion that if the user has JavaScript off then its their own fault and consuming the page without JavaScript is as silly as trying to consume it without HTML."
Maybe, maybe not ... but there's definitely a lot of privacy and distracting-advertising issues.
No sig today...
Why must we dumb down everything?
More like simplifying. Everything should be made as simple as possible but no simpler. Why have a menu option that never gets used? That is pretty much the definition of pointless. I'm pretty geeky and like to tinker with things but a menu option that never ever gets used is wasteful.
I cannot remember the last time I disabled Javascript and I'm pretty confident that somewhere north of 99.9% of users never disable it either. Much of the modern web would be useless without Javascript. So long as there remains a method (extension, etc) to disable it if desired (ala NoScript) I really don't see the big deal.
Are there still security issues with having JS enabled?
Javascript is used by most malware installation systems. The typical route is that a trustworthy hacked site is modified to include a <script> tag with its source on the malware hosting domain. The resulting script will then use some mechanism to attempt to install malware, either simply dropping an executable download on the visitor and hoping they run it, or attempting to exploit either a browser or a browser plugin bug. Turn off javascript, and the exploit is never downloaded, so can't run.
There are also direct browser attacks that would require javascript to function, e.g. http://www.mozilla.org/security/announce/2013/mfsa2013-53.html or http://www.mozilla.org/security/announce/2013/mfsa2013-46.html (to pick a couple from the last month or two).
So, yes, your system is still less secure if you have JS enabled than if you don't.
I'm running FF23 beta on my personal system and NoScript is still working as before.
People seem to be forgetting that javascript can break a lot of accessibility readers. Everything about HTML, CSS, etc., was about separating content from layout. Javascript shits on that entire model, as does Java, ActiveX, and most other plugins.
Web developers should continue to create websites that don't require javascript, and we shouldn't be in such a hurry to move away from that. The promise of the internet was accessibility, the ability to freely share information, and to connect everything together.
This push towards app-ification of the internet, the W3C caving to DRM in HTML5... it's after the very heart and soul of the internet. The internet we built, as hackers, as creatives, as professors, academics, researchers, scientists... it's being gutted. And Firefox, the white horse of the "free" internet, in it's 11th hour of need, chooses this?
They should be ashamed.
#fuckbeta #iamslashdot #dicemustdie
Isn't the part about enabling malicious code by default stupid enough?
It's more of the "globally disabled EXCEPT for a whitelist maintained by the user".
It's the security methodology that is the difference.
Global enable vs global deny.
And Microsoft had the exact same reasoning behind their global enable. It makes it easier for THIRD PARTIES to present their content in the way that they want to the user.
That's almost acceptable when those THIRD PARTIES are trustworthy.
But those THIRD PARTIES could just as easily be crackers. And why make it easier for crackers to run their code on your computer in the way that they want to?
Not to nitpick either, but they're both.
When people can track what you are doing while sitting in front of the computer, it's a VERY BIG security issue.
Some sites have java script that disables context menus (right mouse button) and other things that I don't want. That's why I want to be able to control what my browser does and turn java script off if that gives me a better user experience.
Privacy is terrorism.
The other folly is web authors expecting people to just let code on some unknown server run on my box. If something requires javascript, the author should have the decency to detect it is disabled and either fail gracefully or send the user to a page saying javascript is required. A large part of javascript out there is simply 'pretty printing' or other 'kool' type of manipulation that isn't necessary at all. I'll gladly give up the automatic mouse over pop-ups, annoying text boxes that travel down screen, and pop-up/roll-over menus for standard HTML. Too many web page authors like to use things just because they are cool instead of things that actually add value. Sure, I like calendars that are clickable. But I don't have to have them, just let me enter the god damn date and accept several different formats instead of being lazy and forcing me to use a calendar because someone is too lazy to actually have to code something.
.. Goggle requires javascript. But I'll be damned if I'll let doubleclick or a host of other servers run their javascript on my box whenever I visit a web page, even if I trust it. If NoScript stops working, I will be searching for alternatives. I browse with NoScript and often run into pages that fail miserable. But I can select the list of servers I trust and reload if I choose to.
Sure
Or not use their web site at all.
It's all anecdotal, but it seems that I get far fewer virus infections than many people that just blindly turn it on.
I rarely read replies, it's my opinion and if you thought about your opinion a little more, I'm OK with that.
Now this furore is a little silly.
Hey! Word to the wise: about:config I doubt the feature is actually removed...
I assume that this is a UI change and that Mozilla is removing a button, that caused a greater cost to support, than justify with benefit.
Really, the advanced web user, who is judicious about enabling script, can opt for a plugin, if they want a button.
"Flyin' in just a sweet place,
Never been known to fail..."
The folly is in writing pages that cannot be viewed without javascript.
The folly is assuming that the internet is still all "web pages" instead of applications.
The irony is that you're assuming that he's not making a distinction between classic pages of content and applications when he says "pages".
Google's services are the obvious screaming example of useful Javascript.
Google is a perfect example because their primary namesake service works without Javascript. The other services would be a PITA to implement fallback on, you'd basically be implementing them all over again, so there's at least a good excuse for not handling that case. What I think most people are upset about (here I go making assumptions) is pages of content that don't need Javascript which are designed to require Javascript for one reason or another — usually either as a means of forcing advertisements on viewers, or because it's easier than doing the same thing in CSS, even though that is completely possible.
There are plenty of sites and applications that interact with users in similar ways (small individual actions on a much larger interface) where it would be stupid to not use Javascript to keep the data transfer and response times to a minimum.
What's stupid is not using a content management system which can gracefully degrade to HTML. Even Drupal and Wordpress manage to achieve this in most cases. My website has AJAX page loading and all that fancy crap, but it also works perfectly fine if you disable javascript. It just takes more full page loads. These things exist and you don't even need to pay for them if you're cheap, which is a condition with which I can identify. If your whole site depends on quick response to a feature (to use your example, the "like" button on facebook) then you have a clear reason to require Javascript. But contrarily, a newspaper which fails to show me news content when I disable Javascript is demonstrating to me that their function is not to show me news, but to show me advertisements. This is not shocking, but it disinterests me in their content.
TL;DR if your webpage can reasonably degrade to plain HTML+CSS (or even HTML) and it doesn't, then you're just making bullshit excuses; if it reasonably requires Javascript, then users will reasonably enable Javascript.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
ActiveX was actually smart in the way that it executed fast native code instead of slow interpreted Javascript.
Yeah, smart like in the way it is smart to give a gun to the guy mugging you with a his bare hands.
When information is power, privacy is freedom.
Disrespecting the end user is one of the stages of software development team meltdown.
Do you realize just how much of a pain in the ass Firefox has become over the years due to Mozilla's insistence of removing and changing features along with the ability to change them back with the GUI? Instead we have to deal more and more (and more...) with a cryptic Mozilla equivalent to the Windows or GNOME registry. I bet you love the registry if you have no problem with about:config being even more heavily used. It was fine when it was reserved primarily for "special" options... but more and more, it's becoming like GNOME where it has to be used for damn near every fucking thing. All because Mozilla, for whatever reason, feels to go down the Google/GNOME path of dumbing their browser down to hell and back.
People seem to be forgetting that javascript can break a lot of accessibility readers. Everything about HTML, CSS, etc., was about separating content from layout. Javascript shits on that entire model, as does Java, ActiveX, and most other plugins.
That's because it was a shit model. Clear, yes, simple yes, all that useful for doing stuff, not so much.
You seem to forget that HTML, CSS, etc is for webpages, not applications.
If you don't like what HTML, CSS, etc model and want your stuff to behave like an application... then write a fucking application instead! ... and get the hell off my lawn, too.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Seriously, for me: No NoScript = No Firefox.
I'll fuck off and use a different browser.
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
Ever have a rogue script on some shitty web site take up 100% of one of your cores, with no easy way to figure out what page it is because you've got several tabs open? Hell, good luck finding out if that bad script is even running directly on one of those pages--chances are it's not, it's some third-party completely unneeded junk running on another domain entirely. NoScript has pretty much eliminated this problem.
I have a dual-core 2 GHz processor and, trust me, when you've effectively got only one useful core because the other one is overloaded... you know it. Never mind the fact that it's not good for the hardware to be running a core at full power/heat all the time, not finding out until it's been burning power for an hour, two, three, or who knows how long. Should I really have to worry about some script running without my knowledge when I go to sleep just because I happened to leave Firefox running with a few dozen tabs open?
And why the hell would I get a second computer if I can solve the problems on the one I have?