Firefox 23 Makes JavaScript Obligatory 778
mikejuk writes "It seems that Firefox 23, currently in beta, has removed the option to disable JavaScript. Is this good for programmers and web apps? Why has Mozilla decided that this is the right thing to do? The simple answer is that there is a growing movement to reduce user options that can break applications. The idea is that if you provide lots of user options then users will click them in ways that aren't particularly logical. The result is that users break the browser and then complain that it is broken. For example, there are websites that not only don't work without JavaScript, but they fail in complex ways — ways that worry the end user. Hence, once you remove the disable JavaScript option Firefox suddenly works on a lot of websites. Today there are a lot of programmers of the opinion that if the user has JavaScript off then its their own fault and consuming the page without JavaScript is as silly as trying to consume it without HTML."
why? (Score:3, Interesting)
Re:why? (Score:5, Insightful)
Maybe, maybe not ... but there's definitely a lot of privacy and distracting-advertising issues.
Re: (Score:3)
Re:why? (Score:5, Informative)
Not to mention it has the nice side effect of saving CPU cycles and preventing web pages from going unresponsive. I tend to enable JavaScript (since disabling it breaks too many sites) but I don't allow it to do anything outside of the web page with the browser itself (manipulate windows or context menus). Of course, none of this really matters, because I've been running NoScript for a few years now and the only sites that are ever allowed to run scripts are the ones I specifically allow to do so.
Re:why? (Score:5, Informative)
Flashblock (and to a lesser degree, AdBlockPlus) is excellent for reducing CPU usage.
Re:why? (Score:5, Informative)
I uninstalled NoScript years ago because of weird failures even with whitelisting. Essentially, I had to whitelist so much that NoScript became pointless.
NoScript is for porn surfing (Score:3)
Didn't you know?
Re:why? (Score:5, Interesting)
I get used to temporarily whitelisting things. It's really interesting to see just how much of the web is utterly dependent upon javascript for things that could be done without it. If you enable it all though, you're back to ubiquitous advertisements, tracking and privacy issues, and noticeable drops in performance. I don't need to see every site on the web anyway, so if I have to go and enable things to get it to work then half the item I'll just leave the site and never return; there has to be enough html there to give me the idea that enabling javascript is worth it. It's like TV, just because it's available doesn't mean you have to watch it.
Re:why? (Score:4, Informative)
I tend to enable JavaScript (since disabling it breaks too many sites) but I don't allow it to do anything outside of the web page with the browser itself (manipulate windows or context menus)
You don't do anything, that's by design.
Firefox 22, by default, allows JavaScript to do those things [mozilla.org].
Re:why? (Score:5)
No. This is completely unacceptable. FireFox is my browser of choice, and I don't block JS, but there's no reason whatever I should have to go to a third party if I decide to.
What's next, I'll have to DL the HTML and strip the JS out of the source and run it locally?
Unless Mozilla changes these terrible plans, I'll have to use a different browser. There's no reason whatever to remove this feature.
My answer isn't no, it's HELL NO and fuck you, Mozilla. If you want me to continue using your products you'll grow a brain and think of your users, not your Google sugardaddy.
Re:why? (Score:4, Informative)
They're talking about removing that functionality.
Where? I read pretty much everything related to this.
Some clarifications:
- This preference is still available in about:config.
- There are add-ons such as NoScript or SettingSanity that will do what you want with more easily accessible UI.
Note that the capability to enable/disable JavaScript easily will return in Firefox 24’s developer tools.
Re: why? (Score:5, Insightful)
Ever have a rogue script on some shitty web site take up 100% of one of your cores, with no easy way to figure out what page it is because you've got several tabs open? Hell, good luck finding out if that bad script is even running directly on one of those pages--chances are it's not, it's some third-party completely unneeded junk running on another domain entirely. NoScript has pretty much eliminated this problem.
I have a dual-core 2 GHz processor and, trust me, when you've effectively got only one useful core because the other one is overloaded... you know it. Never mind the fact that it's not good for the hardware to be running a core at full power/heat all the time, not finding out until it's been burning power for an hour, two, three, or who knows how long. Should I really have to worry about some script running without my knowledge when I go to sleep just because I happened to leave Firefox running with a few dozen tabs open?
And why the hell would I get a second computer if I can solve the problems on the one I have?
Re:why? (Score:4, Insightful)
Now this furore is a little silly.
Hey! Word to the wise: about:config I doubt the feature is actually removed...
I assume that this is a UI change and that Mozilla is removing a button, that caused a greater cost to support, than justify with benefit.
Really, the advanced web user, who is judicious about enabling script, can opt for a plugin, if they want a button.
Re:why? (Score:5, Informative)
Now this furore is a little silly.
Hey! Word to the wise: about:config I doubt the feature is actually removed...
I assume that this is a UI change and that Mozilla is removing a button, that caused a greater cost to support, than justify with benefit.
Really, the advanced web user, who is judicious about enabling script, can opt for a plugin, if they want a button.
Not according to my button plugin [blogspot.com] of choice's author. He indicates it is a change in the API that will make his plugin inoperable.
Re:why? (Score:5, Interesting)
crap....so noscript also?
Re:why? (Score:5, Insightful)
Seriously, for me: No NoScript = No Firefox.
I'll fuck off and use a different browser.
Re:why? (Score:5, Interesting)
The fork already happened, ages ago. Seamonkey is the Mozilla fork that happened when the Firefox devs decided to go crazy and start stripping out useful stuff. [seamonkey-project.org]Download Seamonkey [seamonkey-project.org] and use it. It's very up to date because it's based on the same code from Mozilla as Firefox. Also, it has the Composer and Email and other integrated stuff intact.
And NoScript runs on it.
Re:why? (Score:5, Insightful)
Do you realize just how much of a pain in the ass Firefox has become over the years due to Mozilla's insistence of removing and changing features along with the ability to change them back with the GUI? Instead we have to deal more and more (and more...) with a cryptic Mozilla equivalent to the Windows or GNOME registry. I bet you love the registry if you have no problem with about:config being even more heavily used. It was fine when it was reserved primarily for "special" options... but more and more, it's becoming like GNOME where it has to be used for damn near every fucking thing. All because Mozilla, for whatever reason, feels to go down the Google/GNOME path of dumbing their browser down to hell and back.
Re:why? (Score:4, Insightful)
Re: (Score:3, Insightful)
Google doesn't "freely give" away information. (Score:5, Informative)
I've got no problem with your browser choice -- if you want to use Mozilla over Chrome, or IE over Firefox, hey, that's your call. But don't misrepresent the situation.
Google and Yahoo both pushed back hard against the NSA's programs. Yahoo went to court over it. You know what the court said? "Obey."
So what could Google do? You can't run an advertising business without having some information on your users. You can't run an email service without having access to the accounts. Yes, I suppose Google could have theoretically attempted to create a business in which everyone it served were direct customers of encryption services it provided (while explicitly saying that it couldn't decrypt traffic). Maybe that works for a startup, but you can't exactly transition a multi-billion dollar corporation to a direct customer model to avoid the NSA -- especially when you are legally prohibited from acknowledging that the NSA even spoke to you.
More than one of the companies that participate in Prism were forced to do so.
Re:Google doesn't "freely give" away information. (Score:4, Insightful)
Google is the company pressing in court to be able to talk about NSA gag letters. They were doing it, Pre-Snowden. That's not significant?
The bigger point, however, is that Google didn't have a choice. Microsoft didn't have a choice. Yahoo didn't get a choice. And if the NSA/FBI start gunning for Mozilla, Mozilla won't have a choice, either..
Re: (Score:3)
According to Snowden's slides, it even allowed NSA to tap it's servers for real time indexing for PRISM.
Re:why? (Score:5, Informative)
the NSA more or less demanded google hand it over. Google has done more than most companies to fight NSA seizure of their data.
more than microsoft, who after aquiring skype centralized the protocol, and put a back door in it.
Re: (Score:3, Informative)
One of the main reasons I switched to Firefox in the beginning was because they seemed to understand that NOT doing something stupid was preferable to layers and layers of patches for the stupidity.
IE had ActiveX and such. It was stupid. It was a security issue. It was almost impossible to avoid.
Firefox avoided the entire security issue by allowing functionality to be disabled. While you cannot be 100% certain that XYZ feature had no security issues (or
Re:why? (Score:5, Informative)
IE had ActiveX and such. It was stupid. It was a security issue. It was almost impossible to avoid.
Mozilla Gecko (the framework Firefox is built on) makes extensive use of XPCOM, which is functionally equivalent of ActiveX in every way, except that it works outside of Windows.
Some Firefox plugins are ... XPCOM objects.
XPCOM has been at the core of the Firefox design as long as I've seen the source (I was embedding gecko into apps in my former life, at least 7 years).
You have absolutely no idea what so ever what ActiveX is, nor do you have any idea what the actual problem with IE was that resulted in so many ActiveX related exploits.
ActiveX is a self describing plugin system which allows an application to load and potentially use a plugin without any prior knowledge, EXACTLY like XPCOM in Firefox. Again, they are 100% functionally the same.
Internet Explorer had retarded defaults (allow any unsigned activex to install without asking) to begin with, then those were 'fixed', and then the install without prompting exploits started, so malicious sites would install activex controls without your consent ... and then ... we also have to deal with all activex controls which were installed with improper ActiveX safety flags.
The safety flags were 2 flags set aside to allow an ActiveX control to say 'hey, I'm safe to use in Internet Explorer' and 'I'm safe to allow any random website to use me in IE!'. The morons in the Excel team (as one example) would, out of ignorance, flag all of their controls for Excel as safe for IE/safe for scripting ... so IE thought it was perfectly acceptable to load a control that will read and write random files on the drive. Every time a Windows Update patch for 'ActiveX killbits' comes out ... this is what they are talking about, changing the OS to ignore controls flagged as safe when they are known not to be.
Mozilla has no such support for flagging controls as safe for browser/safe for scripting. It tries to pretend it is an uncrossable barrier, but that is in fact no way the case.
So any time an 'ActiveX' issue comes up, you should be aware that it wasn't an ActiveX problem, it was an Internet Explorer implementation of ActiveX, and other developers bad code that was exploitable.
You really can't 'exploit' ActiveX any more than you can 'exploit' DLL or SO. You can exploit bad implementations of the loader.
Imagine if Firefox allowed web page scripting to automatically install Firefox plugins. Would you blame XPCOM then? Thats what you do when you blame ActiveX.
Finally, it makes you look fucking stupid when you blame ActiveX. All you do is make it clear that you don't actually know what the problem was, let alone understand what it was. You just sound like an ignorant drama queen.
Re:why? (Score:4, Insightful)
Indeed, the absense of NoScript is a security issue.
Re:why? (Score:4, Insightful)
Re:why? (Score:5, Insightful)
Isn't the part about enabling malicious code by default stupid enough?
It's more of the "globally disabled EXCEPT for a whitelist maintained by the user".
It's the security methodology that is the difference.
Global enable vs global deny.
And Microsoft had the exact same reasoning behind their global enable. It makes it easier for THIRD PARTIES to present their content in the way that they want to the user.
That's almost acceptable when those THIRD PARTIES are trustworthy.
But those THIRD PARTIES could just as easily be crackers. And why make it easier for crackers to run their code on your computer in the way that they want to?
Re:why? (Score:4, Funny)
Re: (Score:3)
ActiveX involves installing "3rd party" native code modules to get the desired functionality.
Javascrip
Re: (Score:3)
What exactly was "stupid" about ActiveX aside from potential malicious code (either directly or via overflows) that was either enabled by default or presented to the user with a "just click yes so the website will work" style input box? Firefox "avoided" this by not implementing ActiveX but most or all of the functionality was recreated in Javascript, giving it basically the exact same level of "stupid" with the benefit of having learned from about 10 years of exploits.
How about the fact that scripts could invoke any ActiveX object on the system that was marked as "safe for scripting" without any user interaction? Bugs in those components have plagued IE users with drive-by installations of malware. This is why ActiveX killbits were developed and are updated all the time.
Letting an ActiveX control run is equivalent to giving that web page full control of your computer. The only sandbox is UAC, and that has been proven to be full of holes.
Re:why? (Score:5, Insightful)
ActiveX was actually smart in the way that it executed fast native code instead of slow interpreted Javascript.
Yeah, smart like in the way it is smart to give a gun to the guy mugging you with a his bare hands.
Re:why? (Score:5, Informative)
Yes.
Javascript is supposed to be sandboxed in all modern browsers, but that doesn't make it perfect. All the serious vulnerabilities I've seen over the past few years exploited the sandbox, and therefore required javascript to work.
Also there is private information WITHIN the browser. Being inside the sandbox, that information is thus provided to websites.
For example:
Browser fingerprinting, using your installed fonts, screen resolution, etc. http://panopticlick.eff.org/ [eff.org]
Mouse pointer tracking with javascript: http://jsbin.com/ufupol/98 [jsbin.com]
Capturing information entered into forms and then deleted before submitting: various analytics tools
Here's a random analytics provider I found on Google (There were plenty of others):
We capture every mouse move, click, scroll and keystroke, by using a tiny piece of JavaScript copied into your website. The whole process is completely transparent to the end user, and has no noticeable effect on your site performance.
http://www.clicktale.com/products/mouse-tracking-suite/visitor-recordings [clicktale.com]
Re: (Score:3, Insightful)
Not to nitpick, but those are privacy issues, not security issues. They aren't mutually exclusive of each other, but they aren't the same either.
Re:why? (Score:5, Insightful)
When people can track what you are doing while sitting in front of the computer, it's a VERY BIG security issue.
Re:why? (Score:5, Informative)
Not to nitpick either, but they're both.
When people can track what you are doing while sitting in front of the computer, it's a VERY BIG security issue.
Yes, JS is scary, but that bit of marketingspeak is a bit over the top: they can't see *every* click/keystroke/etc; just the ones that involve interacting with their site content. And, if you have to worry about them watching you use their site, you hopefully will leave before giving them any important information anyway.
Re:why? (Score:5, Insightful)
Some sites have java script that disables context menus (right mouse button) and other things that I don't want. That's why I want to be able to control what my browser does and turn java script off if that gives me a better user experience.
Re:why? (Score:5, Insightful)
Are there still security issues with having JS enabled?
Javascript is used by most malware installation systems. The typical route is that a trustworthy hacked site is modified to include a <script> tag with its source on the malware hosting domain. The resulting script will then use some mechanism to attempt to install malware, either simply dropping an executable download on the visitor and hoping they run it, or attempting to exploit either a browser or a browser plugin bug. Turn off javascript, and the exploit is never downloaded, so can't run.
There are also direct browser attacks that would require javascript to function, e.g. http://www.mozilla.org/security/announce/2013/mfsa2013-53.html [mozilla.org] or http://www.mozilla.org/security/announce/2013/mfsa2013-46.html [mozilla.org] (to pick a couple from the last month or two).
So, yes, your system is still less secure if you have JS enabled than if you don't.
Re: (Score:3)
So... It's a bad idea to play golf?
Re:why? (Score:4, Interesting)
Are there still security issues with having JS enabled?
Even if Javascript is 100% secure, running in an airtight jail, it's still using up resources on my computer. Sometimes if you leave a JS page open overnight, it will be pegging one of your CPU cores in the morning.
Re: (Score:3)
Yes. Forgot about this bit. NoScript isn't just about security. It's also about performance. A lot of the extra nonsense that sites run just isn't necessary. It doesn't significantly impact the desired user experience to have all of that random crap turned off.
It's much like food labeling or processes running on your PC.
If you don't recognize it, chances are that it's to be avoided.
Re:why? (Score:4, Interesting)
I've adopted that attitude when grocery shopping. I figure that if I feel a need to consult my old BioChem text to figure out just what that ingredient is, I shouldn't be eating it.
Re: (Score:3)
Had this happen more than once. I don't think it's really possible to figure out which tab is running the offending code. I wind up bookmarking the lot, bouncing the browser, and reloading each previously opened tab with the idea that, today, I'll finish reading that web page and can close the tab and keep the JS from pegging the CPU again.
Re: (Score:3)
you can do all kinds of funny stuff with javascript, like use the computer for calculations, redirect the user to content he doesn't want randomly, fuck around with adverts...
personally I don't understand this choice from mozilla, it's removing choice that could just as well have been buried a little deeper.
it just shows how fucking out of touch current mozilla is. it's showing up on their % rate too, so they're trying all kinds of stupid shit and this "the user is a stupid dolt" move from them is just the
Yeah, focus is slipping (Score:5, Insightful)
Disrespecting the end user is one of the stages of software development team meltdown.
Re: (Score:3)
There are if the browser has a security bug.
Security bugs that don't require Javascript are less common.
Re:why? (Score:5, Informative)
Are there still security issues with having JS enabled?
Fresh from the summary of the upcoming BlackHat talk by Jeremiah Grossman, A Million Browser Botnet [blackhat.com]:
With a few lines of HTML5 and javascript code we’ll demonstrate just how you can easily commandeer browsers to perform DDoS attacks, participate in email spam campaigns, crack hashes and even help brute-force passwords. [...] no zero-days or malware is required. Oh, and there is no patch. The Web is supposed to work this way.
Re:why? (Score:5, Interesting)
Except I don't have to avoid Javascript entirely.
I can do it selectively.
I can decide who to let into my circle of trust.
Given what kind of random crap seems to be on modern websites these days. That's a very good idea. It's not paranoia when people really out to get you. Trying to deny the danger is the position that's really out of touch with reality.
YOU are the one that's a danger to self and others, not me.
Juvenile insults won't change that.
Solution in extensions (Score:5, Interesting)
As long as it doesn't break Noscript, I'm ok with this. It really IS folly to try to use the modern web without any javascript at all, but with Noscript I can still pick and choose which sites are allowed to run it in my browser.
Re:Solution in extensions (Score:4, Interesting)
How well do screen readers deal with javascript?
I am almost certain it is poorly, as we add more shiny and BS we reduce usability for a lot of folks. Well we actually reduce usability for everyone, but for some people usability goes to zero.
Re: (Score:3)
I guess then I just tell you to get off my lawn?
It was just easier to find information before web2.0. I can't even count the times I have had to use the google cache without images to get the information I needed that was hidden behind all kinds of web2.0 gibberish.
I like this future a lot, I hate what it did to the informative parts of the web.
Re: (Score:3)
Re: (Score:3)
And not just for blind folks either, but for touchscreens too!
Re:Solution in extensions (Score:5, Informative)
Re:Solution in extensions (Score:5, Insightful)
I'm running FF23 beta on my personal system and NoScript is still working as before.
People seem to be forgetting that javascript can break a lot of accessibility readers. Everything about HTML, CSS, etc., was about separating content from layout. Javascript shits on that entire model, as does Java, ActiveX, and most other plugins.
Web developers should continue to create websites that don't require javascript, and we shouldn't be in such a hurry to move away from that. The promise of the internet was accessibility, the ability to freely share information, and to connect everything together.
This push towards app-ification of the internet, the W3C caving to DRM in HTML5... it's after the very heart and soul of the internet. The internet we built, as hackers, as creatives, as professors, academics, researchers, scientists... it's being gutted. And Firefox, the white horse of the "free" internet, in it's 11th hour of need, chooses this?
They should be ashamed.
Re: (Score:3)
As for the internet others built and you used for (like a parasite), stop complaining, it was never yours in the first place.
You're right. It was meant for everyone. The ultimate expression of democracy, and freedom of information... not parasites like you who are only interested in money and your own selfish desires. But like so many other communication mediums to come before it... it was filled with promise, but ultimately corrupted by people like you. The printing press was supposed to bring education and knowledge to the masses -- and yet the first thing published was the bible. Books filled with knowledge were burned, and th
Re:Solution in extensions (Score:5, Insightful)
People seem to be forgetting that javascript can break a lot of accessibility readers. Everything about HTML, CSS, etc., was about separating content from layout. Javascript shits on that entire model, as does Java, ActiveX, and most other plugins.
That's because it was a shit model. Clear, yes, simple yes, all that useful for doing stuff, not so much.
You seem to forget that HTML, CSS, etc is for webpages, not applications.
If you don't like what HTML, CSS, etc model and want your stuff to behave like an application... then write a fucking application instead! ... and get the hell off my lawn, too.
Re:Solution in extensions (Score:5, Funny)
Re:Solution in extensions (Score:4, Funny)
protip: rusty ones are scarier
Re:Solution in extensions (Score:4, Informative)
Just sharpen the tip of the tines so they shine. You thought rusty was scary, but rusty but recently sharpened? That gives you a whole extra level to work with.
Re:Solution in extensions (Score:4, Insightful)
The folly is in writing pages that cannot be viewed without javascript. If you want to run software, run it on your computer, not mine, because I don't trust your code.
And anyway, there's very little that actually uses javascript for anything useful. Most sites that are unusable without javascript could have easily been coded to be usable. Are drop down menus really so critical? If anything there needs to be more pushback against sites that don't degrade gracefully, not less.
Re:Solution in extensions (Score:4, Interesting)
The folly is in writing pages that cannot be viewed without javascript.
The folly is assuming that the internet is still all "web pages" instead of applications. There are plenty of useful web applications around, and I develop one of them. There isn't a non-Javascript alternative to it, it has around 1.5MB of (unminified) Javascript code written by us (plus about the same for third-party frameworks) and relies on maybe a total of 4 actual HTML pages (index, a dedicated non-JS login form, and 2 content launchers), which usually do nothing except load various Javascript interfaces. This is a software-as-a-service platform, we develop and host the software and other companies and organizations pay us to set up an installation for them to use (and us to maintain).
If you want to run software, run it on your computer, not mine
You're the one using the interface, you execute it. I'm happy to execute all of the actual logic for the application on the server, but your browser is more than capable of rendering the interface. Even IE6 could handle this thing (slowly).
And anyway, there's very little that actually uses javascript for anything useful.
I hear that sentiment periodically. It's complete bullshit. Google's services are the obvious screaming example of useful Javascript. Hell, Google's push for faster Javascript in Chrome, which bled over to the other browsers after they got left in the dust by V8, is the reason why browsers are so fast with Javascript today. A prime example of Javascript making a site more usable is Facebook, regardless of your personal opinion of social networks in general or Facebook's corporate policies. Imagine if every time someone clicked the Like button, the entire page reloaded. That's obviously not usable. There are plenty of sites and applications that interact with users in similar ways (small individual actions on a much larger interface) where it would be stupid to not use Javascript to keep the data transfer and response times to a minimum.
Re: (Score:3)
There are plenty of useful web applications around, and I develop one of them.
I've never used a web app that was better than the native alternatives. Chances are if you built a native networked app with portable code your app would be a lot better.
your browser is more than capable of rendering the interface. Even IE6 could handle this thing (slowly).
Speed wasn't my complaint. Security is. But it is worth noticing that browsing gets a lot faster when javascript is turned off.
Google's services are the obvi
Re: (Score:3)
I've never used a web app that was better than the native alternatives. Chances are if you built a native networked app with portable code your app would be a lot better.
Thanks, I'll keep that in mind for our online university system. It's always helpful to get fundamental architecture suggestions from any random person who doesn't know the requirements. You might enjoy producing an application that will work on 99% of operating systems currently in use and keeping that thing updated, but I think I'll stick to a model that doesn't depend on the OS or the users to update their clients.
Speed wasn't my complaint. Security is. But it is worth noticing that browsing gets a lot faster when javascript is turned off.
That sort of depends what you're doing. Going back to the Facebook example, it would use
Re:Solution in extensions (Score:5, Insightful)
Sure
Or not use their web site at all.
It's all anecdotal, but it seems that I get far fewer virus infections than many people that just blindly turn it on.
Re: (Score:3)
The folly is assuming that the internet is still all "web pages" instead of applications.
If that's your assumption, that's your problem. I come from a time before "the web" and the Internet WAS applications. And now we have an application called a "web browser" whose job is to render a MARKUP language, not be a remote compute server for people who want to provide content that looks exactly like they want it to look and do it without consuming CPU cycles on their precious servers. The comment about turning javascript off on a browser being as stupid as turning HTML off is just ridiculous. The b
Re:Solution in extensions (Score:5, Insightful)
The folly is in writing pages that cannot be viewed without javascript.
The folly is assuming that the internet is still all "web pages" instead of applications.
The irony is that you're assuming that he's not making a distinction between classic pages of content and applications when he says "pages".
Google's services are the obvious screaming example of useful Javascript.
Google is a perfect example because their primary namesake service works without Javascript. The other services would be a PITA to implement fallback on, you'd basically be implementing them all over again, so there's at least a good excuse for not handling that case. What I think most people are upset about (here I go making assumptions) is pages of content that don't need Javascript which are designed to require Javascript for one reason or another — usually either as a means of forcing advertisements on viewers, or because it's easier than doing the same thing in CSS, even though that is completely possible.
There are plenty of sites and applications that interact with users in similar ways (small individual actions on a much larger interface) where it would be stupid to not use Javascript to keep the data transfer and response times to a minimum.
What's stupid is not using a content management system which can gracefully degrade to HTML. Even Drupal and Wordpress manage to achieve this in most cases. My website has AJAX page loading and all that fancy crap, but it also works perfectly fine if you disable javascript. It just takes more full page loads. These things exist and you don't even need to pay for them if you're cheap, which is a condition with which I can identify. If your whole site depends on quick response to a feature (to use your example, the "like" button on facebook) then you have a clear reason to require Javascript. But contrarily, a newspaper which fails to show me news content when I disable Javascript is demonstrating to me that their function is not to show me news, but to show me advertisements. This is not shocking, but it disinterests me in their content.
TL;DR if your webpage can reasonably degrade to plain HTML+CSS (or even HTML) and it doesn't, then you're just making bullshit excuses; if it reasonably requires Javascript, then users will reasonably enable Javascript.
Re: (Score:3)
As long as it doesn't break Noscript, I'm ok with this. It really IS folly to try to use the modern web without any javascript at all, but with Noscript I can still pick and choose which sites are allowed to run it in my browser.
The one thing that NoScript is missing is the option to say "if the site imports scripts from fewer than X domains, just run them all". That would smooth the process out quite a bit. Sites that import from 25 different domains just for the privilege of taking over my monitor to display ads don't even deserve the CPU cycles that Adblock Plus will spend on them.
hands in your pockets (Score:3)
Glenn Gould used to take a lot of flack for refusing to shake people's hands even though we all know that you can't go through life refusing to shake hands. Perhaps he had a good reason?
Even if you're less of a sociopathic hypochondriac than Glenn Gould, there's still an issue concerning how automatically one reaches out. I'm a little more hesitant to offer my mitt to a vagrant person who's just popped out a discrete alleyway with flecks of an old newspaper stuck to their shoe. Colour me paranoid. And y
Re: (Score:3)
+1
I'm fine with this so long as noscript can still disable JS for whatever sites I specify (which is all until I whitelist them). In fact, this is the main reason I still use firefox at all. If this goes away, then for me there's really no point in using firefox any longer.
Re: (Score:3)
Noscript has an "allow all scripts on this page" feature you can use when you're desperate to use a heavily web 2.0 (I always think "web patooey", but maybe that's just me).
Using a Noscript-enabled browser is useful for letting you know what a webpage is actually doing. If there's dozens of required dependencies I'll often just go somewhere else.
Re:Noscript is useless (Score:4, Insightful)
Eh, no. Steps 1-2 happen, step 3 is when you note you've suddenly got 48 guys from seedy domains that sound vaguely like STD's slobbering all over over your keyboard and you slowly back away, disabling javascript from the first two again and hope you didn't catch something.
No site requires javascript from 48 other sites to show you something you want to see. That code is there to show someone else something about you, monetize you, violate your privacy, etc, and once you're past half a dozen sites it's far beyond too creepy to be worth it.
Re: (Score:3)
They just removed the UI - this doesn't affect things like Firebug, Noscript, and they *probably* didn't even remove the UI completely - if you can call about:config a UI.
Re:Agreed (Score:5, Informative)
There is ZERO chance I'm going to use a browser which doesn't allow me to default JS to being disabled. NoScript is also FAR advanced beyond other similar tools, so it would REALLY SUCK to have to use Chromium's lame equivalent, but I will if it is the only choice. At least in other respects Chromium is pretty good.
In what ways is NoScript more advanced than ScriptSafe?
Besides some "minor" features first introduced by NoScript, which advanced the state of the art of browser security (such as the most effective in-browser XSS filter [noscript.net], the ClearClick anti-Clickjacking technology [noscript.net] and the Application Boundaries Enforcer [noscript.net] module), NoScript holds a modest advantage over all its Chrome-based "clones": basic script blocking which actually works [informaction.com] ;)
Let's dumb it down for everyone (Score:4, Insightful)
Why is this a thing?
Why must we dumb down everything?
Simple != Dumb (Score:5, Insightful)
Why must we dumb down everything?
More like simplifying. Everything should be made as simple as possible but no simpler. Why have a menu option that never gets used? That is pretty much the definition of pointless. I'm pretty geeky and like to tinker with things but a menu option that never ever gets used is wasteful.
I cannot remember the last time I disabled Javascript and I'm pretty confident that somewhere north of 99.9% of users never disable it either. Much of the modern web would be useless without Javascript. So long as there remains a method (extension, etc) to disable it if desired (ala NoScript) I really don't see the big deal.
Re: (Score:3, Insightful)
Just because you don't use that options doesn't nobody else does. And im pretty confident that that 99.9% figure of yours is wrong, i myself and other people have disabled javascript explicitly and as shocking as it may sound, most sites do NOT need javascript to function properly, and most of those who do are not worth it.
Re:Simple != Dumb (Score:4, Insightful)
When you try to substitute fortune cookie slogans for reasonable argument only idiots will listen to you.
Re: (Score:3)
Ah the "Dumbing Down Excuse" which is akin to the Intentionally Make it more difficult preference.
Making something easier to use isn't always dumbing it down. For Disabling Javascript (Not just blocking some of it), it is a feature that most people will no longer, if they do they intentionally put themselves in a disadvantage.
Re:Let's dumb it down for everyone (Score:4, Insightful)
Because if you don't, a significant number of "dumb" people will complain loudly that your program "sucks" because it "broke the Internet" on their computer, and slowly the world's view of your software will degrade.
Rightly so, if your web page demands to run arbitrary code on other people's computers. And isn't smart enough to detect (like many sites already can) that the reason why the user isn't getting "an optimal web experience" is because he's turned javascript off, and you can't be arsed to tell him how to turn it back on and why he should.
And then leave the decision in the hands of the user, not the browser writer.
Javascript can still be disabled (Score:5, Informative)
They just removed the easy way to turn it off to prevent simple mistakes. You can still turn it off behind about:config or with extensions for those that need it.
Re: (Score:3)
To be honest, the amount of time I have been called out because someone "internet browser isn't working", the usual problem is someone has disabled images of JS.
The option is not removed. (Score:5, Informative)
(atleast in nightly) Its just hidden, you can still enable/disable javascript in the about:config menu and addons like noscript still work.
Please enjoy your drive-by infections (Score:3, Insightful)
Ad networks are compromised all the time. Ads are the primary users of javascript. Coincidence?
Who gives a shit if websites break when java or javascript are turned off. I turn that shit off as much as possible, I use NoScript becuase I despise the fact that no matter how careful I am, no matter how up to date I run my antivirus, my browser, and my JRE, I can STILL get a goddamned drive by infection if I allow javascript to run unchecked.
No, Blowzilla, the problem is NOT with users clicking things they have no idea about, the problem here is JAVASCRIPT. Its just another ActiveX, its just another virus vector. It needs to be eliminated from use entirely. It SHOULD ask permission to run by default. That way websites can at least put in a message "To see video you need to say Yes to this." "To read this article you need to say yes to this." and the ad networks can start working around things by going BACK to gifs and static ads and links instead of crap that blares through my speakers about shit I do not care about (seriously, is everyone coming to Slashdot a big corporate IT manager in charge of buying new server racks? IBM and others seem to think so) while using fast-moving images (hey just like the BLINK tag but with pictures!) to try and distract me from...the CONTENT.
Seriously, this is a retarded move, thank you Mozilla for INCREASING the number of infected machines on the web. I am sure the Russians and other blackhat collectives thank you.
Morons.
Really, they should make it easier to do (Score:5, Interesting)
Personally, what *I've* always wanted is a way to turn JS on and off that's more easily accessible. I often want it off, to try to get more consistent behavior (whizzy JS crap is often completely non-standard and confusing), but every now and then I need to flip it on to see if the apparent breakage is because some lazy programmer didn't feel like thinking about how things degrade.
But Mozilla seems determined to alienate users like myself, so this current bonehead move is hardly a surprise.
And yes, many "modern" web sites these days seem to require javascript-- thanks to google who made it ultra-cool and groovy.
Hasn't this ship sailed? (Score:4, Interesting)
I'm a web developer and have taken JS & CSS for common for years and years now. Spent about 6y working at a small local web design shop and it just wasn't feasible to double contract amounts to make sites work without JS.
That said, there's no reason to require JS if it can be done without. Lots of page book-keeping, like menus, active page indicators, etc, can be done with CSS. Some stuff, like Amazon's polygonal focus on subnav can degrade nicely. Fantastic. But I'm not going to build an Ajax-y interface AND a static HTML interface (for free) to coddle people with nothing more than a distrust of JavaScript.
Re:Hasn't this ship sailed? (Score:4, Insightful)
I miss progressive enhancement (Score:5, Interesting)
I miss the days when web developers still gave a shit about progressive enhancement.
I miss the days when you couldn't be considered a real web developer unless you could make a CSS Zen Garden (http://www.csszengarden.com) skin without cheating by changing the markup or using JS.
I miss the days when you were only considered a good web web developer if your site was usable with both JS and CSS disabled because you used semantic HTML.
I miss the days when accessibility still mattered.
I miss the days when writing semantic HTML, enhancing it with CSS, and enhancing it further with JS was considered the best practice, rather than starting with just JS and an empty body tag as is so common today.
I miss the days before the now popular false dichotomy of thinking that progressive enhancement is extra work was popular among web developers.
I love that the web can do more now and compete with native apps better. But I hate that web developers are so quick to unnecessarily abandon progressive enhancement in the process when that's what made the web great to begin with.
Re:I miss progressive enhancement (Score:4, Insightful)
I miss the days when web developers still gave a shit about progressive enhancement.
I miss the days when you couldn't be considered a real web developer unless you could make a CSS Zen Garden (http://www.csszengarden.com) skin without cheating by changing the markup or using JS.
I miss the days when you were only considered a good web web developer if your site was usable with both JS and CSS disabled because you used semantic HTML.
I miss the days when accessibility still mattered.
I miss the days when writing semantic HTML, enhancing it with CSS, and enhancing it further with JS was considered the best practice, rather than starting with just JS and an empty body tag as is so common today.
I miss the days before the now popular false dichotomy of thinking that progressive enhancement is extra work was popular among web developers.
Those days never existed. Seriously, do you remember what things were like back in the 90s? Or the early 00s? It's a bit early for the rose coloured blindfold to drop I think.
Re: (Score:3)
The web worked like that for roughly 5 years in the early nineties. Then people outside the academic and military industries started u
Re: (Score:3)
I miss the days when you couldn't be considered a real web developer unless you could make a CSS Zen Garden (http://www.csszengarden.com) skin without cheating by changing the markup or using JS.
That sure never happened.
Stop Feeding the Troll! (Score:5, Interesting)
Stop posting this "user's" aka Dice's stories on Slashdot! His entire history of posts all link to the user's own i-programmer.info site in order to generate traffic and ad impressions. Enough is enough already!
If this breaks NoScript, I'll stop using FF (Score:3)
I use NoScript to browse with JS disabled and only turn it on for sites I trust/want to get something done with.
If this change breaks NoScript, I'l switch to Chrome.
what about the cache? (Score:3)
Nevermind JS. Did they fix the cache problems already?
noscript (Score:4, Informative)
Anyone writing a javascript application should know to add a <noscript> tag to the page embedding the scripts.
<noscript><p>This page is built using Javascript, but it seems that you have Javascript disabled on your browser. Please enable Javascript and refresh this page to continue.</p></noscript>
I think that's a much more robust approach. The user understands what's going on, and you don't have to rely on every browser preventing Javascript from being disabled.
Sigh. I prefer to block javascript.. (Score:4, Insightful)
My main beef is that I may have 30-40 tabs open, and find the browser consuming 50% CPU on the laptop - all because of misbehaving javascript that runs and performs useless updates in the background. And firefox doesn't make it easy to figure out which tab is the culprit, so you just have to start killing them at random until the CPU usage goes down. At least until you learn from experience which websites have the offending javascript.
On many web sites I use the javascript is gratuitous. Eye candy and whatnot, or huge scripts to manage useless comment systems that I never use.
And why do I care? It makes the machine sluggish and burns through the laptop battery more quickly, and the laptop runs hot.
But Firefox can do what it wants - I still use noscript and adblockplus to selectively block scripts.
Re: (Score:3)
Well wait, what do you mean by "web site"? If you just mean a page that you visit on the net to primarily read text (possibly with images) then I agree with you. If you are talking about a webapp (which also qualifies under the term "web site"), then you are wrong. Google Docs, amongst so many others, simply couldn't operate without JavaScript enabled
Re:I view this as a good thing (Score:4, Insightful)
I would be with you 100% if I felt that the Internet at large could be trusted. It can not.
Re: (Score:3)
"Yes, but those programmers are morons. Why legitimize their bizarre take on things? Most of the web works great without javascript, so disabling javascript is usually a safe thing for users to do."
The worst that can happen from disabling javascript is that incompetently coded sites will fail.
On the other hand *enabling* javascript opens you up to lovely drive-by infections, as well as many other, more subtle, dangers.