Dude, you browse with JavaScript on?

Avatar of Chris Coyier
Chris Coyier on

Dude, you browse with JavaScript on?

Uhm, yeah, why wouldn’t I?

It’s totally insecure. Hackers could destroy your computer.

Hackers? What is this 1995? And, no they can’t.

They can definitely steal information about you without you knowing.

Like what?

Like you’re address book information or your browsing history, depending on your browser and settings.

So if I were to visit some dark corner of the internet where people ran malicious scripts like this, people might be able to capture that my name is Bob and I live at 123 Maple Drive Mayberry, NC? And that sometimes I look at boobs at The Daily Niner?

Yes.

But I don’t use autofill on my forms at the browser level, they can’t. What about you? Isn’t like every single website you visit seemingly broken?

Well good websites are coded to work fine without JavaScript, and I can selectively enable sites I trust to allow it.

That sounds like a lot of work to maintain a whitelist manually. And it’s not like you do a security audit of each site before whitelisting it right? You just decide to trust it, basically because you want to look at and use that website right now and JavaScript is the only way.

Yes but I’m much more likely to enable it on a big businesses website than some random blog. Look, I’m not alone here, millions of people have downloaded the NoScript plugin for Firefox alone.

I see that. Here’s some empirical evidence for you though. I’ve never once blocked JavaScript on any of the browsers I’ve used. I browse around all day with little regard to my trust level of the current website. In general my trust level is actually fairly low. I know a lot of sites I visit are hosted on shared hosting by folks like me who aren’t security gurus. I’ve had my websites hacked before on the server-level (nothing to do with JavaScript), which then inserted malicious JavaScript into my pages. I’m sure this has happened to many of those other sites I visit. Sometimes that JavaScript stores weird cookie data or redirects the website. Totally sucky and undesirable, but nothing that serious has ever happened to the point where I even consider just turning off JavaScript. I’ve never lost sensitive data or gotten spyware or anything like that.

Are you sure? Have you ever had weird charges on a credit card you’ve had to refute?

Well yeah.

Do you know exactly how that information was stolen from you?

No I don’t, but I doubt it was JavaScript.

Doubt… Trust… two sides of the same coin.

Here’s another reason I browse with JavaScript on. I like JavaScript. I write JavaScript. It does cool stuff and I like to see how other people use it. So I’m biased in that regard. As a web designer and developer, I don’t like hearing how many people browse with JavaScript off. I want that to go away. I don’t want to create gracefully degrading websites because it’s often twice the work and only for accommodating people with outdated concerns about this technology. And don’t tell me all about accessibility, I hear that most screen readers handle JavaScript just fine.

A site that works well without JavaScript also means it also likely has good architecture. It works great alone, and JavaScript adds to the user experience as needed. Relying on JavaScript entirely is just lazy.

You see it as lazy I see it as the future. So what about Flash, do you block that too?

No, I love Flash.

I knew I didn’t like you. You’re probably a PC guy too huh?

Dude, we’re not going there.