Open Source and Javascript

← Back to Stories (view on slashdot.org)

Posted by Cliff on Thursday August 12, 1999 @04:40AM from the taking-javascript-to-the-next-level dept.

mr_burns asks: "I was wondering what people's opinions were about GPLing or otherwise OSS licensing javascript code. I have some pretty cool code I want to share with everybody, but I don't want to be screwed. I look forward to establishing a method of collaboration such that we can all take ECMA-262/javascript to the next level. Why should Slashdot and other DB driven sites rely on a servers processing power when the client machine is mostly idle? I think colaboration between client side and server side scripters in an OSS context could make things much more efficient. What pointers do the OSS community have that could guide the way, and what are your opinions on the matter? Thanks in advance for any feedback y'all can give." What do you all think? Is Javascript robust enough for this sort of thing?

38 comments

Min score:

Reason:

Sort:

AVOID Javascript and other executable content by Anonymous Coward · 1999-08-15 10:31 · Score: 0

Actually, the risk is in enabling Javascript or ActiveX on any web browser. Some people may swallow the pleasing arguments of the manufacturers' marketing agents in favour of these two proprietary technologies. However, real companies with assets to protect need to have a strict security policy to control the content of communications to and from networks including both intranets and the Internet. The type of content most likely to bring serious hazards is executable content such as Javascript. Many companies therefore have a security policy that forbids the use of Javascript et al in web browsers. Javascript et al have a history of serious security problems -- one of the best information sources on this topic is BugTraq's Ja vascript security problems.

Furthermore, many companies avoid using Javascript and ActiveX on their web sites because they do not want to lock out potential customers from companies that do not allow Javascript or ActiveX.

Remember, executable content is a security problem looking for a victim.

Signed, eb3916bc02f11be10143de045c5a0cc5
Re:Javascript-required Website = Lose Sales Fast! by jslag · 1999-08-18 23:42 · Score: 1

in a serious international forum like Slashdot it's unprofessional

Who knew?
Re:Javascript-required Website = Lose Sales Fast! by Anonymous Coward · 1999-08-21 03:18 · Score: 0

Surely the comment was tongue-in-cheek -- "in a serious international forum like Slashdot it's unprofessional" !!!!
No! Not Javascript... by JanneM · 1999-08-12 04:44 · Score: 1

Perhaps it's only me, but I find javascript fairly annoying. First of all, way too many sites uses it for gratuitous effects, like popping up fixed-size windows everywhere, irritating animated effects and the like. Second, I find that netscape crashes much more often if I have javascript activated. So for the forseeable future, I will not allow javascript and just stay away from websites that require it.

--
Trust the Computer. The Computer is your friend.
1. Re:No! Not Javascript... by Mr.+Slippery · 1999-08-12 05:03 · Score: 1
  
  Agreed! Javascript, as generally used, sucks - it serves no useful purpose and bloats pages, extending download times. Requiring Javascript to navigate a site is inexcusable.
  The browser is supposed to be a thin client. You want a site that has to do some data crunching, don't offload it on my Pentium 90 or my friend's 486 (yes, beleive it or not we don't all run 500 MHz PIII's with full T1 feeds), do it on your massively studly server box.
  
  --
  Tom Swiss | the infamous tms | my blog
  You cannot wash away blood with blood
2. Re:No! Not Javascript... by ptomblin · 1999-08-13 00:27 · Score: 1
  
  It's perfectly legit to have Javascript form validation. As long as you also have the same form validation on the server side that your forms still work for people who turn off Javascript.
  
  Even leaving aside the horrendous security implications of Javascript, I turn it off because if I don't, Netscape crashes about 18 times a day.
  
  --
  The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
3. Re:No! Not Javascript... by Mr.+Slippery · 1999-08-13 03:33 · Score: 1
  
  It's perfectly legit to have Javascript form validation. As long as you also have the same form validation on the server side that your forms still work for people who turn off Javascript.
  Exactly. And then the Javascript validation becomes redundant, right? I suppose you could have the Javascript send an extra flag that says, "Hey, I already checked this", with the intent that the server would then skip validation; but if your server's doing anything interesting, it can't afford to trust the client and has to recheck the data anyway.
  I did see a very nice use of Javascript today, though. The page had links to a whole bunch of large images, and moving the mouse cursor over a link brought up a thumbnail of the image. This made the page download faster, since you didn't have to grab thumbnails for all images - just the ones whose description interested you. And most importantly, the site would work just fine without the scripting.
  Unfortunately, I think that makes a grand total of about three sites I've seen that use Javascript well. B-
  
  --
  Tom Swiss | the infamous tms | my blog
  You cannot wash away blood with blood
4. Re:No! Not Javascript... by gn0me · 1999-08-12 19:58 · Score: 1
  
  Javascript is for CLIENT side transactions, you can't let the server-side do everything.
  
  There are uses for Javascript, such as form validation.
  
  If you do form validation on the server-side you are doing multiple _bad_ things:
  
  a) Waste of bandwidth
  b) Higher CPU usage on the server side due to dishing out pages, error pages and simple error checking
  
  Finally, Javascript IS lightweight, it just some people over use Javascript and do all sorts of cr*p with it.
  
  And like all things, you want a scripting language on your CLIENT as well as on your server.
  
  If you want to do low-level stuff, there are always plugins and API plugins that you can use on both the client and server side.
  
  Javascript is a good thing and the idea (of having a client scripting language) at least will be around for a long time.
5. Re:No! Not Javascript... by ptomblin · 1999-08-14 08:20 · Score: 1
  
  No, the javascript validation isn't redundant. It's done while the input is happening, so it's useful. Lets say you have a field that only allows integer input. With javascript, you could cause the input routine to throw anyway any non-numeric input, so they don't enter 'abc'. You still have to validate it on the server side, to make sure they didn't enter 'abc' because they had javascript turned off, but also to make sure they didn't enter a value greater than MAX_INT even with javascript turned on. The difference is that the javascript validation is immediate after every keystroke, and the server side validation is done after the entire field has been entered.
  
  --
  The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
GPL? JustDoIt. by SEWilco · 1999-08-12 08:25 · Score: 2

If you want to GPL your JavaScript, just include the GPL in your JavaScript. Well, there may be a few K of implementation difficulty...
Javascript-required Website = Lose Sales Fast! by Anonymous Coward · 1999-08-12 08:48 · Score: 0

Many businesses have a security policy which forbids the use of Javascript and ActiveX in web browsers due to the exceptional risks of malevolent attack raised by feeding your computer with someone else's Javascript or ActiveX (with or without signatures).

A web site which requires Javascript or ActiveX to view is locking out potential customers. Design a website using any standard HTML and you will be open for business from most PCs on the planet with a browser. Are you listening Odeon Cinemas UK?
1. Re:Javascript-required Website = Lose Sales Fast! by Crick · 1999-09-12 23:27 · Score: 1
  
  Oh, and the Odean site uses Flash, not javascript!
2. Re:Javascript-required Website = Lose Sales Fast! by Crick · 1999-08-13 19:00 · Score: 1
  
  I did read the source, Coward!
  
  To run Flash you need aftershock which uses some JavaScript. Nevertheless, the mouseovers and funny visual effects are all Flash. Hence the following line:
  
  
3. Re:Javascript-required Website = Lose Sales Fast! by Anonymous Coward · 1999-08-13 02:08 · Score: 0
  
  Read the source, Crick!
  
  <script language="JavaScript">
  
  Looks like Javascript to me.
4. Re:Javascript-required Website = Lose Sales Fast! by Anonymous Coward · 1999-08-16 02:36 · Score: 0
  
  Logic: Javascript required in web browser to view web site implies web site uses ..... language.
  Fill in the gap, Crick.
  
  Semantics: "document contains executable content, i.e. a plug-in"
  That's good except that executable content is not equivalent to a plug-in, rather it is executed by a plug-in.
  
  Spelling: "strenous", "noticable" and "Odean".
  How very edyukayshunel your lessons must be.
  
  Grammar: "thank-you for your offer from teaching me"
  Any time, Crick. I'm extending your reading assignment to include Fowler's Dictionary of Modern English Usage. Don't study too hard!
  
  Style: "Love and kisses..."
  Grovelling like this may appeal to cult members, Crick, but in a serious international forum like Slashdot it's unprofessional. Pull yourself together.
5. Re:Javascript-required Website = Lose Sales Fast! by Anonymous Coward · 1999-08-14 17:39 · Score: 0
  
  Pause to reply, Crick!
  
  The Odeon's web site is viewable only if you enable Javascript in your browser.
  
  If you like, Crick, I can recommend some good books to help you learn Javascript. It would be a pleasure to help. Actually it won't take long to learn enough to recognise when Javascript commands are being used on a web site. By the way, the line you quoted is actually an HTML comment.
  
  Have a nice day, Crick!
6. Re:Javascript-required Website = Lose Sales Fast! by Crick · 1999-08-16 16:29 · Score: 1
  
  I do apologise: you seem to have mistaken my last message as some sort of offer of friendship. I really must stop misleading the strange and alone. I mean, you even had the spare time to correct my grammar and spelling. How utterly charming!
  
  And you still seem to be denying that the Odean (oops, I really must learn to care about my spelling) web page uses Flash. I am utterly impressed: I wish I could lie to myself so convincingly just for the sake of an argument. You even stooped to the level of playing mere semantic games. Wow, this is life! I really feel I am slumming it with the plebs.
  
  Love and kisses (please don't misinterpret: this isn't any kind of offer) ...
Javascript is a robust language. by rwash · 1999-09-12 23:48 · Score: 1

Javascript is a strong scripting language. It has support for dynamic objects, associative arrays, regular expressions, OOP, and other nice programming features. It also has dynamic function definitions. As a scripting language, Javascript can hold its own pretty well. I have recently written some stand-alone stuff in Javascript, and javascript is a very good scripting language to do it in. This means that is also functions well as a server-side scripting language.

As far as Javascript in Browsers go, agree with the other posts that say javascript should be avoided in internet web pages. Using javascript in internet web pages limits the potential audience. Javascript can be used well in company intranets, though. (Where everything is fairly standardized so everyone is using the same browser with the same security settings). Javascript can make intranet sites become very useful to a company.

Be careful to seperate javascript as a language from any implementation of it. Just because IE's implementation of it produces staticly-sized text boxes does not mean that it is a bad language. That is just one way of using the language. The language itself has evolved to be a very powerful scripting language (not far behind perl in my opinion). The most common use of it just happens to be client-side web scripting. Try using javascript as a normal scripting language and the good design of the language will come through. Do not limit javascript to a client-side scripting language when it is so much better in other places.
Rick Wash
There are solutions... by Anonymous Coward · 1999-08-12 09:54 · Score: 0

Rhino comes to mind, it is a Java based Javascript compiler... or a Javascript to Java compiler deal. I'm not too sure, but I know it's out there and I'm not familiar with the license either. Sorry... but try searching on "Rhino" I recall some chatter on the jakarta mailing list as well as perhaps mozilla.org However, I'd move away from server-side javascript and dive straight into Java. Where you can use neat things like Java Servlets, JSP (Java server pages), JavaBeans, Enterprise JavaBeans, etc. etc. It's open, portable and great. If you are a small shop, then sure, go with a server-side solution (perl/php3/ss-javascript). But only Netscape has server-side javascript, it's their invention... Heads Up: Javascript has nothing to do with Java Although you can talk to Java objects through something called LiveConnect... another Netscape-ism.... My suggestion is to grab JRun for now... install it on linux and apache and have fun. Then you can wait for the fruitions of the Jakarta project to come through (jakarta.apache.org) and hopefully blackdown.org will have come out with a working JDK 1.2.x port by then.... or IBM gets a decent 1.1.7 or 1.1.8 port (stable, not decent...) Have fun! ;) I know I did....
1. Re:There are solutions... by gn0me · 1999-08-12 19:42 · Score: 1
  
  Doesn't anyone read this stuff?? ;)
  
  Anyway,
  
  I was bored so I found Rhino for ya....
  
  www.mozilla.org/rhino
2. Re:There are solutions... by gn0me · 1999-08-12 19:47 · Score: 1
  
  Here is the link to the C engine as well..
  
  Released under NPL... differs from MPL I suppose.
  
  http://www.mozilla.org/js/
Re:Answering the question... by Crick · 1999-08-13 19:17 · Score: 1
I would disagree with all three points you made about JavaScript:
- Scoping in JavaScript is relatively simple: if you declare outside a function then the variable is global. Within a function the variable is local. If you need more clarification, buy a book.
- I use JavaScript to write ASP pages all the time and its great for the job: quick, dirty code that usually works first time due to JavaScript's loose structure. Its much better than VBScript, anyway.
- I'll agree that JavaScript implementations vary between browsers and you often have to carefully test each page. But this is nothing that we don't have to do with HTML. In fact I have trouble writing browser compatible HTML than I do worrying about my client-side scripting.
Re:agreed by Anonymous Coward · 1999-08-13 20:28 · Score: 0

if using two languages is so troublesome, why don't you use JS in the server side. i believe that netscape has released both C and java based JS implementations (http://www.mozilla.org/js). in fact, i am currently evaluating JS as a scripting framework with java and JSP in the serverside.
Re:Javascript:- WARNING of Severe Security Risks by Anonymous Coward · 1999-08-15 10:47 · Score: 0

Security problems can threaten the existence of a company, whereas language design flaws tend to entrap only mediocre programmers. Of course, as a programmer you may not be much concerned with security management.
Huh? by IntlHarvester · 1999-08-15 11:24 · Score: 2

So one should worry that companies are using their Intranet web servers to steal "assets" from their own computers? OK.
--

--
Business. Numbers. Money. People. Computer World.
Re:Javascript is too dangerous for intra or intern by Anonymous Coward · 1999-08-13 20:35 · Score: 0

this is anal retentive thinking. the security problems with internet access are not acceptable to many companies too. i haven't seen any company pull down their website because it was cracked. you don't throw out the technology because of implementation bugs. you fix the problem.
just how dangerous is javascript? by Crick · 1999-08-12 09:06 · Score: 1

Not dangerous at all. I'll be the first to agree with you that Active X is a volatile technology. But I've been programming with JavaScript for a while and, as far as I can tell, the worst you are looking at is being involuntarily sent to someone else's smutty site. Which in itself isn't particularly dangerous (unless your company logs browser connections).

Maybe you could perform a denial of service attack by with an infinite loop but that is pretty tame in comparison to the types of things you can get up to with Active X

...not that I would know!
Javascript:- WARNING of Severe Security Risks by Anonymous Coward · 1999-08-13 03:47 · Score: 0

You need to learn the security risks of Javascript. An excellent place to learn about new security problems in general is BugTraq at www.securityfocus.com. Read what BugTraq has to say about Ja vascript security problems. It should be no surprise that technically aware companies usually have a computer security policy which bans the use of Javascript and ActiveX.
1. Re:Javascript:- WARNING of Severe Security Risks by zmooc · 1999-08-13 19:00 · Score: 1
  
  So you are saying that JavaScript causes a security-risk just because there are some buggy browsers around? Then I say C should be avoided because of my bad experiences with this and that commercial C-IDE. BULLSHIT!
  
  --
  0x or or snor perron?!
Re:Answering the question... by FigWig · 1999-08-13 22:44 · Score: 1

I seem to recall that variable in functions are local iff your declare them with 'var'.

--
Scuttlemonkey is a troll
Javascript is too dangerous for intra or internets by Anonymous Coward · 1999-08-13 04:14 · Score: 0

The security problems with any client-side scripting language including Javascript are simply not acceptable to most technically aware companies. Allowing Javascript on a company intranet is a security risk; the only way to remove the intrinsic security dangers is to forbid the use of Javascript in web browsers. References to Javascript security problems were given in this comment.
Thanks but no thanks! by Crick · 1999-08-15 16:57 · Score: 1

Hey, Coward!

While the Odean web-site is only viewable when JavaScript is enabled, it is, nevertheless, a Flash page. You can tell in a very simple way, so pay attention. First select View Page Source and you'll see this text window pop-up (don't be frightened, now). This contains the HTML tags that define the document.

Inside you'll notice an EMBED tag. Now, if I am not mistaken, this mean that the document contains executable content, i.e. a plug-in. With me so far? You'll also notice that the EMBED tag calls a file with the .SWF suffix. Now, here is the crux of my argument: SWF files are flash files! Hence, a flash page. You see, there is an application called AfterShock that inserts a SWF file in HTML for you and its work is noticable by the HTML comments it produces. (You could take a coffee break here if this is all too strenous).

Oh, BTW thank-you for your offer from teaching me some JavaScript. If you need some basic lessons in web-page content, however, you'll know exactly where to find me.

Love and kisses...
Re:Answering the question... by Crick · 1999-08-15 17:24 · Score: 1

No, if you make a var variable declaration outside a function then its scope is global.
Answering the question... by msuzio · 1999-08-13 07:33 · Score: 1

If the question was, "can I/should I GPL Javascript code", the answer is "yes". GPL or free everything you feel good about freeing, the more code the merrier.

If you were asking, "is Javascript a good language?", my answer is a qualified "maybe". JS is OK, but it doesn't thrill me. I like the prototype-based language, but overall it's caught in the middle between too OOP and too loose.

Problems I have with JS:

- Variable scoping is strange, and has never been clear to me.

- It's great as a browser scripting tool; it's not very good as a server-side tool *at all*.

- It's nominally standardized via ECMA, but Netscape keeps trying to leapfrog the standard and innovate at the speed of light (they're up to Version 1.4! I've never even used 1.3 stuff, and hardly ever used 1.2)

I'm not a big Javascript fan. I use it only because it's the only built-in scripter for the browsers out there. If there were a Perl/Python/Tcl DOM/scripting layer, I'd use that.

--
It's a strange world -- let's keep it that way
agreed by eries · 1999-08-13 09:53 · Score: 1

I do a lot of client-server programming (usually in PHP with a DB backend) and I can't tell you how much time I have wasted writing code to do the same thing in JS and in PHP just so that they can keep some data object in sync without server round-trips. I think that for web apps to go to the next level, we absolutely need some kind of interaction standard. I would fully support an OSS project on this, I think that is the only way it will ever get done.

And, before you flame, yes I do know about Java, CORBA, RMI, etc etc etc. These are way too heavyweight for what I'm talking about.

--
Can your IM do this?
Intranet JavaScript by IntlHarvester · 1999-08-15 00:02 · Score: 2

Actually, Internet Explorer has the ability to enable JavaScript (and ActiveX, etc) only for Intranet sites, and disable the risky stuff for all others. This can be all under central administrative control. (Mozilla 5 will apparently do the same thing.) Just because Netscape 4.x is feature defecient in this regard, it doesn't mean that Javascript can't be enabled safely in other situations.

The original poster is correct that the real sexy DHTML stuff is only really practical on an Intranet where you have complete control over the client browsers.

--

--
Business. Numbers. Money. People. Computer World.
Avoid executable content in web browsers by Anonymous Coward · 1999-08-16 02:43 · Score: 0

Threats to company assets can be of internal or external origin. For many companies that have a computer security policy, client-side executable content presents unacceptable levels of risk in both intranet and Internet environments. The serious security risks of using Javascript and other executable content in web browsers are explained elsewhere -- one of the best information sources is BugTraq's Ja vascript security problems.
Re:Javascript is too dangerous for intra or intern by Anonymous Coward · 1999-08-14 18:09 · Score: 0

i haven't seen any company pull down their website because it was cracked.

You misunderstand; the security problems exist mainly at the client side when you let someone else's web site feed your computer with hazardous Javascript. That's the real security risk. Internet access by itself is neither good nor bad. The solution is to have a company security policy to control the content of the communications to and from the Internet. That's why many businesses already have a security policy that forbids the use of scripting languages like Javascript and ActiveX by web browsers. Of course, if you don't have any assets to protect, you probably don't care about such security problems!

An excellent place to learn about new security problems in general is BugTraq at www.securityfocus.com Read what BugTraq has to say about Ja vascript security problems.