Firefox 23 Makes JavaScript Obligatory

mikejuk writes "It seems that Firefox 23, currently in beta, has removed the option to disable JavaScript. Is this good for programmers and web apps? Why has Mozilla decided that this is the right thing to do? The simple answer is that there is a growing movement to reduce user options that can break applications. The idea is that if you provide lots of user options then users will click them in ways that aren't particularly logical. The result is that users break the browser and then complain that it is broken. For example, there are websites that not only don't work without JavaScript, but they fail in complex ways — ways that worry the end user. Hence, once you remove the disable JavaScript option Firefox suddenly works on a lot of websites. Today there are a lot of programmers of the opinion that if the user has JavaScript off then its their own fault and consuming the page without JavaScript is as silly as trying to consume it without HTML."

Solution in extensions

[Verteiron]

As long as it doesn't break Noscript, I'm ok with this. It really IS folly to try to use the modern web without any javascript at all, but with Noscript I can still pick and choose which sites are allowed to run it in my browser.

Re:Solution in extensions

[djl4570]

I'm running FF23 beta on my personal system and NoScript is still working as before.

Re:Solution in extensions

[girlintraining]

I'm running FF23 beta on my personal system and NoScript is still working as before.

People seem to be forgetting that javascript can break a lot of accessibility readers. Everything about HTML, CSS, etc., was about separating content from layout. Javascript shits on that entire model, as does Java, ActiveX, and most other plugins.

Web developers should continue to create websites that don't require javascript, and we shouldn't be in such a hurry to move away from that. The promise of the internet was accessibility, the ability to freely share information, and to connect everything together.

This push towards app-ification of the internet, the W3C caving to DRM in HTML5... it's after the very heart and soul of the internet. The internet we built, as hackers, as creatives, as professors, academics, researchers, scientists... it's being gutted. And Firefox, the white horse of the "free" internet, in it's 11th hour of need, chooses this?

They should be ashamed.

Re:why?

[Joce640k]

Maybe, maybe not ... but there's definitely a lot of privacy and distracting-advertising issues.

Javascript can still be disabled

They just removed the easy way to turn it off to prevent simple mistakes. You can still turn it off behind about:config or with extensions for those that need it.

The option is not removed.

(atleast in nightly) Its just hidden, you can still enable/disable javascript in the about:config menu and addons like noscript still work.

Simple != Dumb

[sjbe]

Why must we dumb down everything?

More like simplifying. Everything should be made as simple as possible but no simpler. Why have a menu option that never gets used? That is pretty much the definition of pointless. I'm pretty geeky and like to tinker with things but a menu option that never ever gets used is wasteful.

I cannot remember the last time I disabled Javascript and I'm pretty confident that somewhere north of 99.9% of users never disable it either. Much of the modern web would be useless without Javascript. So long as there remains a method (extension, etc) to disable it if desired (ala NoScript) I really don't see the big deal.

Re:why?

Yes.

Javascript is supposed to be sandboxed in all modern browsers, but that doesn't make it perfect. All the serious vulnerabilities I've seen over the past few years exploited the sandbox, and therefore required javascript to work.

Also there is private information WITHIN the browser. Being inside the sandbox, that information is thus provided to websites.

For example:

Browser fingerprinting, using your installed fonts, screen resolution, etc. http://panopticlick.eff.org/

Mouse pointer tracking with javascript: http://jsbin.com/ufupol/98

Capturing information entered into forms and then deleted before submitting: various analytics tools

Here's a random analytics provider I found on Google (There were plenty of others):

We capture every mouse move, click, scroll and keystroke, by using a tiny piece of JavaScript copied into your website. The whole process is completely transparent to the end user, and has no noticeable effect on your site performance.

http://www.clicktale.com/products/mouse-tracking-suite/visitor-recordings

I miss progressive enhancement

[Kethinov]

I miss the days when web developers still gave a shit about progressive enhancement.

I miss the days when you couldn't be considered a real web developer unless you could make a CSS Zen Garden (http://www.csszengarden.com) skin without cheating by changing the markup or using JS.

I miss the days when you were only considered a good web web developer if your site was usable with both JS and CSS disabled because you used semantic HTML.

I miss the days when accessibility still mattered.

I miss the days when writing semantic HTML, enhancing it with CSS, and enhancing it further with JS was considered the best practice, rather than starting with just JS and an empty body tag as is so common today.

I miss the days before the now popular false dichotomy of thinking that progressive enhancement is extra work was popular among web developers.

I love that the web can do more now and compete with native apps better. But I hate that web developers are so quick to unnecessarily abandon progressive enhancement in the process when that's what made the web great to begin with.

Google doesn't "freely give" away information.

[Dputiger]

I've got no problem with your browser choice -- if you want to use Mozilla over Chrome, or IE over Firefox, hey, that's your call. But don't misrepresent the situation.

Google and Yahoo both pushed back hard against the NSA's programs. Yahoo went to court over it. You know what the court said? "Obey."

So what could Google do? You can't run an advertising business without having some information on your users. You can't run an email service without having access to the accounts. Yes, I suppose Google could have theoretically attempted to create a business in which everyone it served were direct customers of encryption services it provided (while explicitly saying that it couldn't decrypt traffic). Maybe that works for a startup, but you can't exactly transition a multi-billion dollar corporation to a direct customer model to avoid the NSA -- especially when you are legally prohibited from acknowledging that the NSA even spoke to you.

More than one of the companies that participate in Prism were forced to do so.

Re:why?

[Jah-Wren+Ryel]

ActiveX was actually smart in the way that it executed fast native code instead of slow interpreted Javascript.

Yeah, smart like in the way it is smart to give a gun to the guy mugging you with a his bare hands.

Yeah, focus is slipping

[Medievalist]

they're trying all kinds of stupid shit and this "the user is a stupid dolt" move from them is just the latest dick move

Disrespecting the end user is one of the stages of software development team meltdown.

Re:why?

[BitZtream]

IE had ActiveX and such. It was stupid. It was a security issue. It was almost impossible to avoid.

Mozilla Gecko (the framework Firefox is built on) makes extensive use of XPCOM, which is functionally equivalent of ActiveX in every way, except that it works outside of Windows.

Some Firefox plugins are ... XPCOM objects.

XPCOM has been at the core of the Firefox design as long as I've seen the source (I was embedding gecko into apps in my former life, at least 7 years).

You have absolutely no idea what so ever what ActiveX is, nor do you have any idea what the actual problem with IE was that resulted in so many ActiveX related exploits.

ActiveX is a self describing plugin system which allows an application to load and potentially use a plugin without any prior knowledge, EXACTLY like XPCOM in Firefox. Again, they are 100% functionally the same.

Internet Explorer had retarded defaults (allow any unsigned activex to install without asking) to begin with, then those were 'fixed', and then the install without prompting exploits started, so malicious sites would install activex controls without your consent ... and then ... we also have to deal with all activex controls which were installed with improper ActiveX safety flags.

The safety flags were 2 flags set aside to allow an ActiveX control to say 'hey, I'm safe to use in Internet Explorer' and 'I'm safe to allow any random website to use me in IE!'. The morons in the Excel team (as one example) would, out of ignorance, flag all of their controls for Excel as safe for IE/safe for scripting ... so IE thought it was perfectly acceptable to load a control that will read and write random files on the drive. Every time a Windows Update patch for 'ActiveX killbits' comes out ... this is what they are talking about, changing the OS to ignore controls flagged as safe when they are known not to be.

Mozilla has no such support for flagging controls as safe for browser/safe for scripting. It tries to pretend it is an uncrossable barrier, but that is in fact no way the case.

So any time an 'ActiveX' issue comes up, you should be aware that it wasn't an ActiveX problem, it was an Internet Explorer implementation of ActiveX, and other developers bad code that was exploitable.

You really can't 'exploit' ActiveX any more than you can 'exploit' DLL or SO. You can exploit bad implementations of the loader.

Imagine if Firefox allowed web page scripting to automatically install Firefox plugins. Would you blame XPCOM then? Thats what you do when you blame ActiveX.

Finally, it makes you look fucking stupid when you blame ActiveX. All you do is make it clear that you don't actually know what the problem was, let alone understand what it was. You just sound like an ignorant drama queen.