Firefox 23 Makes JavaScript Obligatory

mikejuk writes "It seems that Firefox 23, currently in beta, has removed the option to disable JavaScript. Is this good for programmers and web apps? Why has Mozilla decided that this is the right thing to do? The simple answer is that there is a growing movement to reduce user options that can break applications. The idea is that if you provide lots of user options then users will click them in ways that aren't particularly logical. The result is that users break the browser and then complain that it is broken. For example, there are websites that not only don't work without JavaScript, but they fail in complex ways — ways that worry the end user. Hence, once you remove the disable JavaScript option Firefox suddenly works on a lot of websites. Today there are a lot of programmers of the opinion that if the user has JavaScript off then its their own fault and consuming the page without JavaScript is as silly as trying to consume it without HTML."

why?

[bdabautcb]

Are there still security issues with having JS enabled?

Re:why?

[Joce640k]

Maybe, maybe not ... but there's definitely a lot of privacy and distracting-advertising issues.

Re:why?

[parkinglot777]

I doubt that there is no more security issue with JS (for now and not even talk about in the future). It may be a good time for me to use only Chrome for browsing, and use FF for developing web pages locally (for their easy-to-use Firebug add-on). Wikipedia (https://en.wikipedia.org/wiki/JavaScript) has some vulnerability issues for JS (may or may not be outdated by now).

Re:why?

[khasim]

Are there still security issues with having JS enabled?

One of the main reasons I switched to Firefox in the beginning was because they seemed to understand that NOT doing something stupid was preferable to layers and layers of patches for the stupidity.

IE had ActiveX and such. It was stupid. It was a security issue. It was almost impossible to avoid.

Firefox avoided the entire security issue by allowing functionality to be disabled. While you cannot be 100% certain that XYZ feature had no security issues (or even that there were security issues) you knew that disabling it rendered the question moot.

If your site requires JavaScript or Flash or whatever then I can temporarily enable them just for your site if you can convince me that the risk is worth your content.

Re:why?

Yes.

Javascript is supposed to be sandboxed in all modern browsers, but that doesn't make it perfect. All the serious vulnerabilities I've seen over the past few years exploited the sandbox, and therefore required javascript to work.

Also there is private information WITHIN the browser. Being inside the sandbox, that information is thus provided to websites.

For example:

Browser fingerprinting, using your installed fonts, screen resolution, etc. http://panopticlick.eff.org/

Mouse pointer tracking with javascript: http://jsbin.com/ufupol/98

Capturing information entered into forms and then deleted before submitting: various analytics tools

Here's a random analytics provider I found on Google (There were plenty of others):

We capture every mouse move, click, scroll and keystroke, by using a tiny piece of JavaScript copied into your website. The whole process is completely transparent to the end user, and has no noticeable effect on your site performance.

http://www.clicktale.com/products/mouse-tracking-suite/visitor-recordings

Re:why?

[julesh]

Are there still security issues with having JS enabled?

Javascript is used by most malware installation systems. The typical route is that a trustworthy hacked site is modified to include a <script> tag with its source on the malware hosting domain. The resulting script will then use some mechanism to attempt to install malware, either simply dropping an executable download on the visitor and hoping they run it, or attempting to exploit either a browser or a browser plugin bug. Turn off javascript, and the exploit is never downloaded, so can't run.

There are also direct browser attacks that would require javascript to function, e.g. http://www.mozilla.org/security/announce/2013/mfsa2013-53.html or http://www.mozilla.org/security/announce/2013/mfsa2013-46.html (to pick a couple from the last month or two).

So, yes, your system is still less secure if you have JS enabled than if you don't.

Re:why?

[Culture20]

Are there still security issues with having JS enabled?

Even if Javascript is 100% secure, running in an airtight jail, it's still using up resources on my computer. Sometimes if you leave a JS page open overnight, it will be pegging one of your CPU cores in the morning.

Re:why?

[erroneus]

Indeed, the absense of NoScript is a security issue.

Re:why?

[Culture20]

What was stupid about ActiveX was that operating system updates back then required it (unless you wanted to download and install them all by hand), so you couldn't disable it once and for all.

Re:why?

[khasim]

What exactly was "stupid" about ActiveX aside from potential malicious code (either directly or via overflows) that was either enabled by default or presented to the user with a "just click yes so the website will work" style input box?

Isn't the part about enabling malicious code by default stupid enough?

Firefox "avoided" this by not implementing ActiveX but most or all of the functionality was recreated in Javascript, giving it basically the exact same level of "stupid" with the benefit of having learned from about 10 years of exploits.

It's more of the "globally disabled EXCEPT for a whitelist maintained by the user".

It's the security methodology that is the difference.
Global enable vs global deny.

And Microsoft had the exact same reasoning behind their global enable. It makes it easier for THIRD PARTIES to present their content in the way that they want to the user.

That's almost acceptable when those THIRD PARTIES are trustworthy.

But those THIRD PARTIES could just as easily be crackers. And why make it easier for crackers to run their code on your computer in the way that they want to?

Re:why?

[Jane+Q.+Public]

Not to nitpick either, but they're both.

When people can track what you are doing while sitting in front of the computer, it's a VERY BIG security issue.

Re:why?

[jedidiah]

Except I don't have to avoid Javascript entirely.

I can do it selectively.

I can decide who to let into my circle of trust.

Given what kind of random crap seems to be on modern websites these days. That's a very good idea. It's not paranoia when people really out to get you. Trying to deny the danger is the position that's really out of touch with reality.

YOU are the one that's a danger to self and others, not me.

Juvenile insults won't change that.

Re:why?

[Fuzzums]

Some sites have java script that disables context menus (right mouse button) and other things that I don't want. That's why I want to be able to control what my browser does and turn java script off if that gives me a better user experience.

Re:why?

[Jeremiah+Cornelius]

Now this furore is a little silly.

Hey! Word to the wise: about:config I doubt the feature is actually removed...

I assume that this is a UI change and that Mozilla is removing a button, that caused a greater cost to support, than justify with benefit.

Really, the advanced web user, who is judicious about enabling script, can opt for a plugin, if they want a button.

Re:why?

[ArhcAngel]

Now this furore is a little silly.

Hey! Word to the wise: about:config I doubt the feature is actually removed...

I assume that this is a UI change and that Mozilla is removing a button, that caused a greater cost to support, than justify with benefit.

Really, the advanced web user, who is judicious about enabling script, can opt for a plugin, if they want a button.

Not according to my button plugin of choice's author. He indicates it is a change in the API that will make his plugin inoperable.

Re:why?

[Jah-Wren+Ryel]

ActiveX was actually smart in the way that it executed fast native code instead of slow interpreted Javascript.

Yeah, smart like in the way it is smart to give a gun to the guy mugging you with a his bare hands.

Re:why?

[UltraZelda64]

Not to mention it has the nice side effect of saving CPU cycles and preventing web pages from going unresponsive. I tend to enable JavaScript (since disabling it breaks too many sites) but I don't allow it to do anything outside of the web page with the browser itself (manipulate windows or context menus). Of course, none of this really matters, because I've been running NoScript for a few years now and the only sites that are ever allowed to run scripts are the ones I specifically allow to do so.

Re:why?

[UltraZelda64]

Do you realize just how much of a pain in the ass Firefox has become over the years due to Mozilla's insistence of removing and changing features along with the ability to change them back with the GUI? Instead we have to deal more and more (and more...) with a cryptic Mozilla equivalent to the Windows or GNOME registry. I bet you love the registry if you have no problem with about:config being even more heavily used. It was fine when it was reserved primarily for "special" options... but more and more, it's becoming like GNOME where it has to be used for damn near every fucking thing. All because Mozilla, for whatever reason, feels to go down the Google/GNOME path of dumbing their browser down to hell and back.

Re:why?

[strimpster]

What are you doing in Firebug that you can't do in Chrome's developer tools? IMO Chrome's developer tools provides much better support to developers. There are a lot of features that Chrome's developer tools has that I don't think exist in Firebug, albeit that I haven't used Firebug on a daily basis in a couple of years. As an example, the Timeline/Profiles features for analyzing poor performance.

Re:why?

[BitZtream]

IE had ActiveX and such. It was stupid. It was a security issue. It was almost impossible to avoid.

Mozilla Gecko (the framework Firefox is built on) makes extensive use of XPCOM, which is functionally equivalent of ActiveX in every way, except that it works outside of Windows.

Some Firefox plugins are ... XPCOM objects.

XPCOM has been at the core of the Firefox design as long as I've seen the source (I was embedding gecko into apps in my former life, at least 7 years).

You have absolutely no idea what so ever what ActiveX is, nor do you have any idea what the actual problem with IE was that resulted in so many ActiveX related exploits.

ActiveX is a self describing plugin system which allows an application to load and potentially use a plugin without any prior knowledge, EXACTLY like XPCOM in Firefox. Again, they are 100% functionally the same.

Internet Explorer had retarded defaults (allow any unsigned activex to install without asking) to begin with, then those were 'fixed', and then the install without prompting exploits started, so malicious sites would install activex controls without your consent ... and then ... we also have to deal with all activex controls which were installed with improper ActiveX safety flags.

The safety flags were 2 flags set aside to allow an ActiveX control to say 'hey, I'm safe to use in Internet Explorer' and 'I'm safe to allow any random website to use me in IE!'. The morons in the Excel team (as one example) would, out of ignorance, flag all of their controls for Excel as safe for IE/safe for scripting ... so IE thought it was perfectly acceptable to load a control that will read and write random files on the drive. Every time a Windows Update patch for 'ActiveX killbits' comes out ... this is what they are talking about, changing the OS to ignore controls flagged as safe when they are known not to be.

Mozilla has no such support for flagging controls as safe for browser/safe for scripting. It tries to pretend it is an uncrossable barrier, but that is in fact no way the case.

So any time an 'ActiveX' issue comes up, you should be aware that it wasn't an ActiveX problem, it was an Internet Explorer implementation of ActiveX, and other developers bad code that was exploitable.

You really can't 'exploit' ActiveX any more than you can 'exploit' DLL or SO. You can exploit bad implementations of the loader.

Imagine if Firefox allowed web page scripting to automatically install Firefox plugins. Would you blame XPCOM then? Thats what you do when you blame ActiveX.

Finally, it makes you look fucking stupid when you blame ActiveX. All you do is make it clear that you don't actually know what the problem was, let alone understand what it was. You just sound like an ignorant drama queen.

Re:why?

[davydagger]

freely???

the NSA more or less demanded google hand it over. Google has done more than most companies to fight NSA seizure of their data.

more than microsoft, who after aquiring skype centralized the protocol, and put a back door in it.

Re:why?

[Nutria]

Flashblock (and to a lesser degree, AdBlockPlus) is excellent for reducing CPU usage.

Re:why?

[jeffmeden]

Not to nitpick either, but they're both.

When people can track what you are doing while sitting in front of the computer, it's a VERY BIG security issue.

Yes, JS is scary, but that bit of marketingspeak is a bit over the top: they can't see *every* click/keystroke/etc; just the ones that involve interacting with their site content. And, if you have to worry about them watching you use their site, you hopefully will leave before giving them any important information anyway.

Re:why?

[rnturn]

``It's much like food labeling or processes running on your PC.

If you don't recognize it, chances are that it's to be avoided.''

I've adopted that attitude when grocery shopping. I figure that if I feel a need to consult my old BioChem text to figure out just what that ingredient is, I shouldn't be eating it.

Re:why?

[MoFoQ]

crap....so noscript also?

Re:why?

[Nutria]

I uninstalled NoScript years ago because of weird failures even with whitelisting. Essentially, I had to whitelist so much that NoScript became pointless.

Re:why?

[PatentMagus]

I object to your use of the racially inflammatory word "cracker."

Re:why?

[Giorgio+Maone]

Are there still security issues with having JS enabled?

Fresh from the summary of the upcoming BlackHat talk by Jeremiah Grossman, A Million Browser Botnet:

With a few lines of HTML5 and javascript code we’ll demonstrate just how you can easily commandeer browsers to perform DDoS attacks, participate in email spam campaigns, crack hashes and even help brute-force passwords. [...] no zero-days or malware is required. Oh, and there is no patch. The Web is supposed to work this way.

Re:why?

[chihowa]

I tend to enable JavaScript (since disabling it breaks too many sites) but I don't allow it to do anything outside of the web page with the browser itself (manipulate windows or context menus)

You don't do anything, that's by design.

Firefox 22, by default, allows JavaScript to do those things.

Re:why?

[mcgrew]

No. This is completely unacceptable. FireFox is my browser of choice, and I don't block JS, but there's no reason whatever I should have to go to a third party if I decide to.

What's next, I'll have to DL the HTML and strip the JS out of the source and run it locally?

Unless Mozilla changes these terrible plans, I'll have to use a different browser. There's no reason whatever to remove this feature.

My answer isn't no, it's HELL NO and fuck you, Mozilla. If you want me to continue using your products you'll grow a brain and think of your users, not your Google sugardaddy.

Re:why?

[Darinbob]

I get used to temporarily whitelisting things. It's really interesting to see just how much of the web is utterly dependent upon javascript for things that could be done without it. If you enable it all though, you're back to ubiquitous advertisements, tracking and privacy issues, and noticeable drops in performance. I don't need to see every site on the web anyway, so if I have to go and enable things to get it to work then half the item I'll just leave the site and never return; there has to be enough html there to give me the idea that enabling javascript is worth it. It's like TV, just because it's available doesn't mean you have to watch it.

Re:why?

[Blue+Stone]

Seriously, for me: No NoScript = No Firefox.

I'll fuck off and use a different browser.

Re:why?

[Bing+Tsher+E]

The fork already happened, ages ago. Seamonkey is the Mozilla fork that happened when the Firefox devs decided to go crazy and start stripping out useful stuff. Download Seamonkey and use it. It's very up to date because it's based on the same code from Mozilla as Firefox. Also, it has the Composer and Email and other integrated stuff intact.

And NoScript runs on it.

Re: why?

[UltraZelda64]

Ever have a rogue script on some shitty web site take up 100% of one of your cores, with no easy way to figure out what page it is because you've got several tabs open? Hell, good luck finding out if that bad script is even running directly on one of those pages--chances are it's not, it's some third-party completely unneeded junk running on another domain entirely. NoScript has pretty much eliminated this problem.

I have a dual-core 2 GHz processor and, trust me, when you've effectively got only one useful core because the other one is overloaded... you know it. Never mind the fact that it's not good for the hardware to be running a core at full power/heat all the time, not finding out until it's been burning power for an hour, two, three, or who knows how long. Should I really have to worry about some script running without my knowledge when I go to sleep just because I happened to leave Firefox running with a few dozen tabs open?

And why the hell would I get a second computer if I can solve the problems on the one I have?

Re:why?

[Edam]

Not according to my button plugin of choice's author. He indicates it is a change in the API that will make his plugin inoperable.

According to the author's bug report, it's just an API change that he will need to update the extension to use. I don't see anything about the facility to turn off javascript being removed.

Re:why?

[oji-sama]

They're talking about removing that functionality.

Where? I read pretty much everything related to this.

Some clarifications:
- This preference is still available in about:config.
- There are add-ons such as NoScript or SettingSanity that will do what you want with more easily accessible UI.

Note that the capability to enable/disable JavaScript easily will return in Firefox 24’s developer tools.

Solution in extensions

[Verteiron]

As long as it doesn't break Noscript, I'm ok with this. It really IS folly to try to use the modern web without any javascript at all, but with Noscript I can still pick and choose which sites are allowed to run it in my browser.

Re:Solution in extensions

[h4rr4r]

How well do screen readers deal with javascript?

I am almost certain it is poorly, as we add more shiny and BS we reduce usability for a lot of folks. Well we actually reduce usability for everyone, but for some people usability goes to zero.

Re:Solution in extensions

[djl4570]

I'm running FF23 beta on my personal system and NoScript is still working as before.

Re:Solution in extensions

[dicobalt]

If it breaks NoScript I'm going to get a shiny new pitchfork and then visit the people who decided to do this.

Re:Solution in extensions

[Hatta]

The folly is in writing pages that cannot be viewed without javascript. If you want to run software, run it on your computer, not mine, because I don't trust your code.

And anyway, there's very little that actually uses javascript for anything useful. Most sites that are unusable without javascript could have easily been coded to be usable. Are drop down menus really so critical? If anything there needs to be more pushback against sites that don't degrade gracefully, not less.

Re:Solution in extensions

[girlintraining]

I'm running FF23 beta on my personal system and NoScript is still working as before.

People seem to be forgetting that javascript can break a lot of accessibility readers. Everything about HTML, CSS, etc., was about separating content from layout. Javascript shits on that entire model, as does Java, ActiveX, and most other plugins.

Web developers should continue to create websites that don't require javascript, and we shouldn't be in such a hurry to move away from that. The promise of the internet was accessibility, the ability to freely share information, and to connect everything together.

This push towards app-ification of the internet, the W3C caving to DRM in HTML5... it's after the very heart and soul of the internet. The internet we built, as hackers, as creatives, as professors, academics, researchers, scientists... it's being gutted. And Firefox, the white horse of the "free" internet, in it's 11th hour of need, chooses this?

They should be ashamed.

Re:Solution in extensions

[amicusNYCL]

The folly is in writing pages that cannot be viewed without javascript.

The folly is assuming that the internet is still all "web pages" instead of applications. There are plenty of useful web applications around, and I develop one of them. There isn't a non-Javascript alternative to it, it has around 1.5MB of (unminified) Javascript code written by us (plus about the same for third-party frameworks) and relies on maybe a total of 4 actual HTML pages (index, a dedicated non-JS login form, and 2 content launchers), which usually do nothing except load various Javascript interfaces. This is a software-as-a-service platform, we develop and host the software and other companies and organizations pay us to set up an installation for them to use (and us to maintain).

If you want to run software, run it on your computer, not mine

You're the one using the interface, you execute it. I'm happy to execute all of the actual logic for the application on the server, but your browser is more than capable of rendering the interface. Even IE6 could handle this thing (slowly).

And anyway, there's very little that actually uses javascript for anything useful.

I hear that sentiment periodically. It's complete bullshit. Google's services are the obvious screaming example of useful Javascript. Hell, Google's push for faster Javascript in Chrome, which bled over to the other browsers after they got left in the dust by V8, is the reason why browsers are so fast with Javascript today. A prime example of Javascript making a site more usable is Facebook, regardless of your personal opinion of social networks in general or Facebook's corporate policies. Imagine if every time someone clicked the Like button, the entire page reloaded. That's obviously not usable. There are plenty of sites and applications that interact with users in similar ways (small individual actions on a much larger interface) where it would be stupid to not use Javascript to keep the data transfer and response times to a minimum.

Re:Solution in extensions

[johnlcallaway]

The other folly is web authors expecting people to just let code on some unknown server run on my box. If something requires javascript, the author should have the decency to detect it is disabled and either fail gracefully or send the user to a page saying javascript is required. A large part of javascript out there is simply 'pretty printing' or other 'kool' type of manipulation that isn't necessary at all. I'll gladly give up the automatic mouse over pop-ups, annoying text boxes that travel down screen, and pop-up/roll-over menus for standard HTML. Too many web page authors like to use things just because they are cool instead of things that actually add value. Sure, I like calendars that are clickable. But I don't have to have them, just let me enter the god damn date and accept several different formats instead of being lazy and forcing me to use a calendar because someone is too lazy to actually have to code something.

Sure .. Goggle requires javascript. But I'll be damned if I'll let doubleclick or a host of other servers run their javascript on my box whenever I visit a web page, even if I trust it. If NoScript stops working, I will be searching for alternatives. I browse with NoScript and often run into pages that fail miserable. But I can select the list of servers I trust and reload if I choose to.

Or not use their web site at all.

It's all anecdotal, but it seems that I get far fewer virus infections than many people that just blindly turn it on.

Re:Solution in extensions

[drinkypoo]

The folly is in writing pages that cannot be viewed without javascript.

The folly is assuming that the internet is still all "web pages" instead of applications.

The irony is that you're assuming that he's not making a distinction between classic pages of content and applications when he says "pages".

Google's services are the obvious screaming example of useful Javascript.

Google is a perfect example because their primary namesake service works without Javascript. The other services would be a PITA to implement fallback on, you'd basically be implementing them all over again, so there's at least a good excuse for not handling that case. What I think most people are upset about (here I go making assumptions) is pages of content that don't need Javascript which are designed to require Javascript for one reason or another — usually either as a means of forcing advertisements on viewers, or because it's easier than doing the same thing in CSS, even though that is completely possible.

There are plenty of sites and applications that interact with users in similar ways (small individual actions on a much larger interface) where it would be stupid to not use Javascript to keep the data transfer and response times to a minimum.

What's stupid is not using a content management system which can gracefully degrade to HTML. Even Drupal and Wordpress manage to achieve this in most cases. My website has AJAX page loading and all that fancy crap, but it also works perfectly fine if you disable javascript. It just takes more full page loads. These things exist and you don't even need to pay for them if you're cheap, which is a condition with which I can identify. If your whole site depends on quick response to a feature (to use your example, the "like" button on facebook) then you have a clear reason to require Javascript. But contrarily, a newspaper which fails to show me news content when I disable Javascript is demonstrating to me that their function is not to show me news, but to show me advertisements. This is not shocking, but it disinterests me in their content.

TL;DR if your webpage can reasonably degrade to plain HTML+CSS (or even HTML) and it doesn't, then you're just making bullshit excuses; if it reasonably requires Javascript, then users will reasonably enable Javascript.

Re:Solution in extensions

[Myopic]

protip: rusty ones are scarier

Re:Solution in extensions

[X0563511]

People seem to be forgetting that javascript can break a lot of accessibility readers. Everything about HTML, CSS, etc., was about separating content from layout. Javascript shits on that entire model, as does Java, ActiveX, and most other plugins.

That's because it was a shit model. Clear, yes, simple yes, all that useful for doing stuff, not so much.

You seem to forget that HTML, CSS, etc is for webpages, not applications.

If you don't like what HTML, CSS, etc model and want your stuff to behave like an application... then write a fucking application instead! ... and get the hell off my lawn, too.

Re:Solution in extensions

[X0563511]

Just sharpen the tip of the tines so they shine. You thought rusty was scary, but rusty but recently sharpened? That gives you a whole extra level to work with.

Let's dumb it down for everyone

[h4rr4r]

Why is this a thing?
Why must we dumb down everything?

Re:Let's dumb it down for everyone

[Obfuscant]

Because if you don't, a significant number of "dumb" people will complain loudly that your program "sucks" because it "broke the Internet" on their computer, and slowly the world's view of your software will degrade.

Rightly so, if your web page demands to run arbitrary code on other people's computers. And isn't smart enough to detect (like many sites already can) that the reason why the user isn't getting "an optimal web experience" is because he's turned javascript off, and you can't be arsed to tell him how to turn it back on and why he should.

And then leave the decision in the hands of the user, not the browser writer.

Javascript can still be disabled

They just removed the easy way to turn it off to prevent simple mistakes. You can still turn it off behind about:config or with extensions for those that need it.

The option is not removed.

(atleast in nightly) Its just hidden, you can still enable/disable javascript in the about:config menu and addons like noscript still work.

Simple != Dumb

[sjbe]

Why must we dumb down everything?

More like simplifying. Everything should be made as simple as possible but no simpler. Why have a menu option that never gets used? That is pretty much the definition of pointless. I'm pretty geeky and like to tinker with things but a menu option that never ever gets used is wasteful.

I cannot remember the last time I disabled Javascript and I'm pretty confident that somewhere north of 99.9% of users never disable it either. Much of the modern web would be useless without Javascript. So long as there remains a method (extension, etc) to disable it if desired (ala NoScript) I really don't see the big deal.

Re:Simple != Dumb

Just because you don't use that options doesn't nobody else does. And im pretty confident that that 99.9% figure of yours is wrong, i myself and other people have disabled javascript explicitly and as shocking as it may sound, most sites do NOT need javascript to function properly, and most of those who do are not worth it.

Re:Simple != Dumb

[Swarley]

When you try to substitute fortune cookie slogans for reasonable argument only idiots will listen to you.

Please enjoy your drive-by infections

Ad networks are compromised all the time. Ads are the primary users of javascript. Coincidence?

Who gives a shit if websites break when java or javascript are turned off. I turn that shit off as much as possible, I use NoScript becuase I despise the fact that no matter how careful I am, no matter how up to date I run my antivirus, my browser, and my JRE, I can STILL get a goddamned drive by infection if I allow javascript to run unchecked.

No, Blowzilla, the problem is NOT with users clicking things they have no idea about, the problem here is JAVASCRIPT. Its just another ActiveX, its just another virus vector. It needs to be eliminated from use entirely. It SHOULD ask permission to run by default. That way websites can at least put in a message "To see video you need to say Yes to this." "To read this article you need to say yes to this." and the ad networks can start working around things by going BACK to gifs and static ads and links instead of crap that blares through my speakers about shit I do not care about (seriously, is everyone coming to Slashdot a big corporate IT manager in charge of buying new server racks? IBM and others seem to think so) while using fast-moving images (hey just like the BLINK tag but with pictures!) to try and distract me from...the CONTENT.

Seriously, this is a retarded move, thank you Mozilla for INCREASING the number of infected machines on the web. I am sure the Russians and other blackhat collectives thank you.

Morons.

Really, they should make it easier to do

[doom]

Personally, what *I've* always wanted is a way to turn JS on and off that's more easily accessible. I often want it off, to try to get more consistent behavior (whizzy JS crap is often completely non-standard and confusing), but every now and then I need to flip it on to see if the apparent breakage is because some lazy programmer didn't feel like thinking about how things degrade.

But Mozilla seems determined to alienate users like myself, so this current bonehead move is hardly a surprise.

And yes, many "modern" web sites these days seem to require javascript-- thanks to google who made it ultra-cool and groovy.

Re:I view this as a good thing

[Phreakiture]

I would be with you 100% if I felt that the Internet at large could be trusted. It can not.

Hasn't this ship sailed?

[Alternate+Interior]

I'm a web developer and have taken JS & CSS for common for years and years now. Spent about 6y working at a small local web design shop and it just wasn't feasible to double contract amounts to make sites work without JS.

That said, there's no reason to require JS if it can be done without. Lots of page book-keeping, like menus, active page indicators, etc, can be done with CSS. Some stuff, like Amazon's polygonal focus on subnav can degrade nicely. Fantastic. But I'm not going to build an Ajax-y interface AND a static HTML interface (for free) to coddle people with nothing more than a distrust of JavaScript.

Re:Hasn't this ship sailed?

[interkin3tic]

Just to be clear, it's not that I distrust javascript. It's that I distrust YOU.

I miss progressive enhancement

[Kethinov]

I miss the days when web developers still gave a shit about progressive enhancement.

I miss the days when you couldn't be considered a real web developer unless you could make a CSS Zen Garden (http://www.csszengarden.com) skin without cheating by changing the markup or using JS.

I miss the days when you were only considered a good web web developer if your site was usable with both JS and CSS disabled because you used semantic HTML.

I miss the days when accessibility still mattered.

I miss the days when writing semantic HTML, enhancing it with CSS, and enhancing it further with JS was considered the best practice, rather than starting with just JS and an empty body tag as is so common today.

I miss the days before the now popular false dichotomy of thinking that progressive enhancement is extra work was popular among web developers.

I love that the web can do more now and compete with native apps better. But I hate that web developers are so quick to unnecessarily abandon progressive enhancement in the process when that's what made the web great to begin with.

Re:I miss progressive enhancement

[Intrepid+imaginaut]

I miss the days when web developers still gave a shit about progressive enhancement.

I miss the days when you couldn't be considered a real web developer unless you could make a CSS Zen Garden (http://www.csszengarden.com) skin without cheating by changing the markup or using JS.

I miss the days when you were only considered a good web web developer if your site was usable with both JS and CSS disabled because you used semantic HTML.

I miss the days when accessibility still mattered.

I miss the days when writing semantic HTML, enhancing it with CSS, and enhancing it further with JS was considered the best practice, rather than starting with just JS and an empty body tag as is so common today.

I miss the days before the now popular false dichotomy of thinking that progressive enhancement is extra work was popular among web developers.

Those days never existed. Seriously, do you remember what things were like back in the 90s? Or the early 00s? It's a bit early for the rose coloured blindfold to drop I think.

Stop Feeding the Troll!

[b1ng0]

Stop posting this "user's" aka Dice's stories on Slashdot! His entire history of posts all link to the user's own i-programmer.info site in order to generate traffic and ad impressions. Enough is enough already!

Re:Noscript is useless

[Znork]

Eh, no. Steps 1-2 happen, step 3 is when you note you've suddenly got 48 guys from seedy domains that sound vaguely like STD's slobbering all over over your keyboard and you slowly back away, disabling javascript from the first two again and hope you didn't catch something.

No site requires javascript from 48 other sites to show you something you want to see. That code is there to show someone else something about you, monetize you, violate your privacy, etc, and once you're past half a dozen sites it's far beyond too creepy to be worth it.

Google doesn't "freely give" away information.

[Dputiger]

I've got no problem with your browser choice -- if you want to use Mozilla over Chrome, or IE over Firefox, hey, that's your call. But don't misrepresent the situation.

Google and Yahoo both pushed back hard against the NSA's programs. Yahoo went to court over it. You know what the court said? "Obey."

So what could Google do? You can't run an advertising business without having some information on your users. You can't run an email service without having access to the accounts. Yes, I suppose Google could have theoretically attempted to create a business in which everyone it served were direct customers of encryption services it provided (while explicitly saying that it couldn't decrypt traffic). Maybe that works for a startup, but you can't exactly transition a multi-billion dollar corporation to a direct customer model to avoid the NSA -- especially when you are legally prohibited from acknowledging that the NSA even spoke to you.

More than one of the companies that participate in Prism were forced to do so.

Re:Google doesn't "freely give" away information.

[Dputiger]

Google is the company pressing in court to be able to talk about NSA gag letters. They were doing it, Pre-Snowden. That's not significant?

The bigger point, however, is that Google didn't have a choice. Microsoft didn't have a choice. Yahoo didn't get a choice. And if the NSA/FBI start gunning for Mozilla, Mozilla won't have a choice, either..

Yeah, focus is slipping

[Medievalist]

they're trying all kinds of stupid shit and this "the user is a stupid dolt" move from them is just the latest dick move

Disrespecting the end user is one of the stages of software development team meltdown.

noscript

[Barefoot+Monkey]

Anyone writing a javascript application should know to add a <noscript> tag to the page embedding the scripts.

<noscript><p>This page is built using Javascript, but it seems that you have Javascript disabled on your browser. Please enable Javascript and refresh this page to continue.</p></noscript>

I think that's a much more robust approach. The user understands what's going on, and you don't have to rely on every browser preventing Javascript from being disabled.

Sigh. I prefer to block javascript..

[toonces33]

My main beef is that I may have 30-40 tabs open, and find the browser consuming 50% CPU on the laptop - all because of misbehaving javascript that runs and performs useless updates in the background. And firefox doesn't make it easy to figure out which tab is the culprit, so you just have to start killing them at random until the CPU usage goes down. At least until you learn from experience which websites have the offending javascript.

On many web sites I use the javascript is gratuitous. Eye candy and whatnot, or huge scripts to manage useless comment systems that I never use.

And why do I care? It makes the machine sluggish and burns through the laptop battery more quickly, and the laptop runs hot.

But Firefox can do what it wants - I still use noscript and adblockplus to selectively block scripts.

Re:Agreed

[Giorgio+Maone]

There is ZERO chance I'm going to use a browser which doesn't allow me to default JS to being disabled. NoScript is also FAR advanced beyond other similar tools, so it would REALLY SUCK to have to use Chromium's lame equivalent, but I will if it is the only choice. At least in other respects Chromium is pretty good.

In what ways is NoScript more advanced than ScriptSafe?

Besides some "minor" features first introduced by NoScript, which advanced the state of the art of browser security (such as the most effective in-browser XSS filter, the ClearClick anti-Clickjacking technology and the Application Boundaries Enforcer module), NoScript holds a modest advantage over all its Chrome-based "clones": basic script blocking which actually works ;)