Firefox 23 Makes JavaScript Obligatory
mikejuk writes "It seems that Firefox 23, currently in beta, has removed the option to disable JavaScript. Is this good for programmers and web apps? Why has Mozilla decided that this is the right thing to do? The simple answer is that there is a growing movement to reduce user options that can break applications. The idea is that if you provide lots of user options then users will click them in ways that aren't particularly logical. The result is that users break the browser and then complain that it is broken. For example, there are websites that not only don't work without JavaScript, but they fail in complex ways — ways that worry the end user. Hence, once you remove the disable JavaScript option Firefox suddenly works on a lot of websites. Today there are a lot of programmers of the opinion that if the user has JavaScript off then it's their own fault and consuming the page without JavaScript is as silly as trying to consume it without HTML."
Are there still security issues with having JS enabled?
Koalas. They're telepathic. Plus, they control the weather. -Margaret
As long as it doesn't break Noscript, I'm ok with this. It really IS folly to try to use the modern web without any javascript at all, but with Noscript I can still pick and choose which sites are allowed to run it in my browser.
End of lesson. You may press the button.
Why is this a thing?
Why must we dumb down everything?
They just removed the easy way to turn it off to prevent simple mistakes. You can still turn it off behind about:config or with extensions for those that need it.
(at least in nightly) It's just hidden, you can still enable/disable javascript in the about:config menu and addons like noscript still work.
Why must we dumb down everything?
More like simplifying. Everything should be made as simple as possible but no simpler. Why have a menu option that never gets used? That is pretty much the definition of pointless. I'm pretty geeky and like to tinker with things but a menu option that never ever gets used is wasteful.
I cannot remember the last time I disabled Javascript and I'm pretty confident that somewhere north of 99.9% of users never disable it either. Much of the modern web would be useless without Javascript. So long as there remains a method (extension, etc) to disable it if desired (ala NoScript) I really don't see the big deal.
Well wait, what do you mean by "web site"? If you just mean a page that you visit on the net to primarily read text (possibly with images) then I agree with you. If you are talking about a webapp (which also qualifies under the term "web site"), then you are wrong. Google Docs, amongst so many others, simply couldn't operate without JavaScript enabled.
What do you know I wrote a novel
Ad networks are compromised all the time. Ads are the primary users of javascript. Coincidence?
Who gives a shit if websites break when java or javascript are turned off. I turn that shit off as much as possible, I use NoScript because I despise the fact that no matter how careful I am, no matter how up to date I run my antivirus, my browser, and my JRE, I can STILL get a goddamned drive by infection if I allow javascript to run unchecked.
No, Blowzilla, the problem is NOT with users clicking things they have no idea about, the problem here is JAVASCRIPT. It's just another ActiveX, it's just another virus vector. It needs to be eliminated from use entirely. It SHOULD ask permission to run by default. That way websites can at least put in a message "To see video you need to say Yes to this." "To read this article you need to say yes to this." and the ad networks can start working around things by going BACK to gifs and static ads and links instead of crap that blares through my speakers about shit I do not care about (seriously, is everyone coming to Slashdot a big corporate IT manager in charge of buying new server racks? IBM and others seem to think so) while using fast-moving images (hey just like the BLINK tag but with pictures!) to try and distract me from...the CONTENT.
Seriously, this is a retarded move, thank you Mozilla for INCREASING the number of infected machines on the web. I am sure the Russians and other blackhat collectives thank you.
Morons.
Personally, what *I've* always wanted is a way to turn JS on and off that's more easily accessible. I often want it off, to try to get more consistent behavior (whizzy JS crap is often completely non-standard and confusing), but every now and then I need to flip it on to see if the apparent breakage is because some lazy programmer didn't feel like thinking about how things degrade.
But Mozilla seems determined to alienate users like myself, so this current bonehead move is hardly a surprise.
And yes, many "modern" web sites these days seem to require javascript-- thanks to google who made it ultra-cool and groovy.
This is how viewing the web with noscript works out in the real world:
1) webpage does display properly
-> make exception to allow scripts on this site
2) webpage still does display properly, because it needs scripts from a second domain
-> make exception to allow scripts on the second domain
3) webpage still does display properly, because the scripts from the second domain load scripts from a third domain
-> make exception to allow scripts from the third domain
....
49) ... finally the web page loads properly
... now repeat all 49 steps for every web site that you go to
I would be with you 100% if I felt that the Internet at large could be trusted. It can not.
www.wavefront-av.com
I'm a web developer and have taken JS & CSS for common for years and years now. Spent about 6y working at a small local web design shop and it just wasn't feasible to double contract amounts to make sites work without JS.
That said, there's no reason to require JS if it can be done without. Lots of page book-keeping, like menus, active page indicators, etc, can be done with CSS. Some stuff, like Amazon's polygonal focus on subnav can degrade nicely. Fantastic. But I'm not going to build an Ajax-y interface AND a static HTML interface (for free) to coddle people with nothing more than a distrust of JavaScript.
Implicit Evaluation with PHP
Glenn Gould used to take a lot of flak for refusing to shake people's hands even though we all know that you can't go through life refusing to shake hands. Perhaps he had a good reason?
Even if you're less of a sociopathic hypochondriac than Glenn Gould, there's still an issue concerning how automatically one reaches out. I'm a little more hesitant to offer my mitt to a vagrant person who's just popped out a discreet alleyway with flecks of an old newspaper stuck to their shoe. Colour me paranoid. And yet the default on the web is to arrive on every web page in full embrace, even the typosquatters with old newspaper stuck to their shoes.
On my FF I have things pretty locked down. If on first impression I haven't teleported into the worst bathroom in all of Scotland, I'm pretty quick to enable first party cookies. Tracking cookies from the social media paparazzi, not so quickly.
When I get a site coded to misbehave at the first whiff of the end user exercising prudence or discretion, I switch the URL into Chrome where I have practically nothing locked down and visit nowhere important and where the social media paparazzi will observe my click trail as an infrequent user engaged who exclusively visits the wrong side of town, but never never pulls his hands out of his pockets to engage the temptations.
What's in your wallet?
I miss the days when web developers still gave a shit about progressive enhancement.
I miss the days when you couldn't be considered a real web developer unless you could make a CSS Zen Garden (http://www.csszengarden.com) skin without cheating by changing the markup or using JS.
I miss the days when you were only considered a good web developer if your site was usable with both JS and CSS disabled because you used semantic HTML.
I miss the days when accessibility still mattered.
I miss the days when writing semantic HTML, enhancing it with CSS, and enhancing it further with JS was considered the best practice, rather than starting with just JS and an empty body tag as is so common today.
I miss the days before the now popular false dichotomy of thinking that progressive enhancement is extra work was popular among web developers.
I love that the web can do more now and compete with native apps better. But I hate that web developers are so quick to unnecessarily abandon progressive enhancement in the process when that's what made the web great to begin with.
You're right, I wouldn't steal a car. But if it were possible, I sure as hell would download one!
Stop posting this "user's" aka Dice's stories on Slashdot! His entire history of posts all link to the user's own i-programmer.info site in order to generate traffic and ad impressions. Enough is enough already!
They just removed the UI - this doesn't affect things like Firebug, Noscript, and they *probably* didn't even remove the UI completely - if you can call about:config a UI.
I use NoScript to browse with JS disabled and only turn it on for sites I trust/want to get something done with.
If this change breaks NoScript, I'll switch to Chrome.
The Digital Sorceress
I've got no problem with your browser choice -- if you want to use Mozilla over Chrome, or IE over Firefox, hey, that's your call. But don't misrepresent the situation.
Google and Yahoo both pushed back hard against the NSA's programs. Yahoo went to court over it. You know what the court said? "Obey."
So what could Google do? You can't run an advertising business without having some information on your users. You can't run an email service without having access to the accounts. Yes, I suppose Google could have theoretically attempted to create a business in which everyone it served were direct customers of encryption services it provided (while explicitly saying that it couldn't decrypt traffic). Maybe that works for a startup, but you can't exactly transition a multi-billion dollar corporation to a direct customer model to avoid the NSA -- especially when you are legally prohibited from acknowledging that the NSA even spoke to you.
More than one of the companies that participate in Prism were forced to do so.
Disrespecting the end user is one of the stages of software development team meltdown.
Never mind JS. Did they fix the cache problems already?
Anyone writing a javascript application should know to add a <noscript> tag to the page embedding the scripts.
<noscript><p>This page is built using Javascript, but it seems that you have Javascript disabled on your browser. Please enable Javascript and refresh this page to continue.</p></noscript>
I think that's a much more robust approach. The user understands what's going on, and you don't have to rely on every browser preventing Javascript from being disabled.
My main beef is that I may have 30-40 tabs open, and find the browser consuming 50% CPU on the laptop - all because of misbehaving javascript that runs and performs useless updates in the background. And firefox doesn't make it easy to figure out which tab is the culprit, so you just have to start killing them at random until the CPU usage goes down. At least until you learn from experience which websites have the offending javascript.
On many web sites I use the javascript is gratuitous. Eye candy and whatnot, or huge scripts to manage useless comment systems that I never use.
And why do I care? It makes the machine sluggish and burns through the laptop battery more quickly, and the laptop runs hot.
But Firefox can do what it wants - I still use noscript and adblockplus to selectively block scripts.
There is ZERO chance I'm going to use a browser which doesn't allow me to default JS to being disabled. NoScript is also FAR advanced beyond other similar tools, so it would REALLY SUCK to have to use Chromium's lame equivalent, but I will if it is the only choice. At least in other respects Chromium is pretty good.
In what ways is NoScript more advanced than ScriptSafe?
Besides some "minor" features first introduced by NoScript, which advanced the state of the art of browser security (such as the most effective in-browser XSS filter, the ClearClick anti-Clickjacking technology and the Application Boundaries Enforcer module), NoScript holds a modest advantage over all its Chrome-based "clones": basic script blocking which actually works ;)
There's a browser safer than Firefox, it is Firefox, with NoScript
Didn't you know?
------ The best brain training is now totally free : )
"Yes, but those programmers are morons. Why legitimize their bizarre take on things? Most of the web works great without javascript, so disabling javascript is usually a safe thing for users to do."
The worst that can happen from disabling javascript is that incompetently coded sites will fail.
On the other hand *enabling* javascript opens you up to lovely drive-by infections, as well as many other, more subtle, dangers.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
"An add-on to block 3rd party Javascript would be a nice alternative to NoScript which requires a lot of whitelisting to be useful. Almost all advertising related Javascript is from off-site."
Noscript does this. "Temporarily allow top level sites by default" right up at the top of the general tab in noscript options. If you go to www.foo.com scripts originating from foo.com are parsed, scripts referenced from third party server adsurge.bar.com are simply ignored. It's a thing of beauty.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
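The first-party versus third-party decision described in the comment above, as an added example that is not part of the thread and is not NoScript's code. The function names, the sample URLs and the two-entry suffix list are assumptions made for illustration; a real tool would consult the full Public Suffix List.

```javascript
// Added illustration of "allow the top-level site, ignore third-party scripts".
// Constructed subset of multi-label public suffixes (assumption, not a real list).
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

// Reduce a hostname to its base domain, e.g. www.foo.com -> foo.com.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length <= 2) return labels.join(".");
  const lastTwo = labels.slice(-2).join(".");
  // Under a multi-label suffix such as co.uk, the site is three labels long.
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// For each script reference on a page, decide whether the top-level site serves it.
function classifyScripts(pageUrl, scriptSrcs) {
  const page = new URL(pageUrl);
  const site = baseDomain(page.hostname);
  return scriptSrcs.map((src) => {
    let url;
    try {
      url = new URL(src, page); // resolves relative and protocol-relative references
    } catch {
      return { src, verdict: "block", reason: "unparseable URL" };
    }
    if (url.protocol !== "http:" && url.protocol !== "https:") {
      return { src, verdict: "block", reason: "non-network scheme" };
    }
    const origin = baseDomain(url.hostname);
    return origin === site
      ? { src, verdict: "allow", reason: "same site" }
      : { src, verdict: "block", reason: "third party: " + origin };
  });
}

// Constructed sample: a page on www.foo.com referencing five scripts.
const sample = classifyScripts("http://www.foo.com/article", [
  "/js/site.js",                  // relative, first party
  "//static.foo.com/lib.js",      // subdomain of the same site
  "http://adsurge.bar.com/ad.js", // the third-party ad server from the comment
  "http://foo.com.bar.com/x.js",  // look-alike prefix, still bar.com
  "data:text/javascript,1",       // not fetched from any site
]);
for (const r of sample) console.log(r.verdict.padEnd(5), r.src, "(" + r.reason + ")");
```

Comparing whole base domains rather than matching on a substring is what keeps `foo.com.bar.com` from being treated as part of `foo.com`.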
Unless your site is trustworthy and useful, you DO NOT GET TO RUN JAVASCRIPT.
What's the best practice for a site to demonstrate to users that it is trustworthy?
WTF. Seriously, WTF.
Hide the option under about:config if you have to clean up the config UI.
Have you taken on board somebody from Microsoft in recent times who is determined to alienate and destroy your userbase? This isn't the first asshat decision you've made by a long shot in the past 5 years.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.