Did JavaScript wipe out the dinosaurs?

Imagine that a very dangerous vulnerability is discovered in JavaScript, and people have to turn it off in the browser (via configuration or plugin). This could come from a pimply hacker having fun or be part of a multi-front cyberwar attack.

Scenario
What if this lasts a few days? Are your customers not able to use your site or web app? Imagine the loss of GDP as commerce grinds to a halt, the empty stares as people can no longer play games or chit chat online, or what happens if families' financial resources are not available. And so forth.

Yes, this is an exaggeration. No company would make their web sites non-accessible if JavaScript is not available, right? Unfortunately, there probably are a few. Certainly many social web sites would not seem so social if they could not provide the features they do.

Why JavaScript?
This is understandable. JavaScript is a great language and it enables highly interactive web applications. No longer do web pages have to be “paged” in or out, since with technologies such as AJAX, fine-grained architectures are possible. Validation, more focused forms, and easier-to-use applications are all powered by the evolving “2.0” web stack.

Other reasons for disabling JavaScript
The problem is not limited to the opening scenario. There are a myriad of reasons why someone may disable JavaScript. In a discussion of “Hash URIs”, we find this:

º users who have chosen to turn off Javascript because:
    – they have bandwidth limitations
    – they have security concerns
    – they want a calmer browser experience
º clients that don’t support Javascript at all such as:
    – search engines
    – screen scrapers
º clients that have buggy Javascript implementations that you might not have accounted for such as:
    – older browsers
    – some mobile clients

The most recent statistic I could find, about access to the Yahoo home page indicates that up to 2% of access is from users without Javascript (they excluded search engines). According to a recent survey, about the same percentage of screen reader users have Javascript turned off.

This is a low percentage, but if you have large numbers of visitors it adds up. The site that I care most about, legislation.gov.uk, has over 60,000 human visitors a day, which means that about 1,200 of them will be visiting without Javascript. If our content were completely inaccessible to them we’d be inconveniencing a large number of users.

— “Hash URIs”, Jeni Tennison.

Solution
While I don’t think 100% fallback to non-JavaScript web pages is possible or desirable, companies should be aware of the possible threats. Thus, every site or web app should have a minimum set of functionality exposed via non-scripted pure HTML (and CSS?). For example, in a financial resource, a customer should be able to query their balance without all the fancy script tricks; “just the facts ma’am”.
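
The balance query above, served as a plain HTML form with an optional JSON path for scripted clients. This is an added example, not code from the original post. The handler name, the `/balance` path and the account data are hypothetical, and authentication is assumed to have happened before the handler is called.

```javascript
// Constructed sample data; account ids and balances are made up.
const BALANCES = new Map([["1001", "250.00"], ["1002", "13.37"]]);

// Escape any text placed into the HTML response.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Plain HTML form: submits with a normal POST, no script required.
function renderPage(message) {
  return `<!doctype html><title>Balance</title>
<form method="post" action="/balance">
  <label>Account <input name="account" required pattern="[0-9]{4}"></label>
  <button type="submit">Show balance</button>
</form>
<p id="result">${escapeHtml(message)}</p>`;
}

// Validation runs on the server for every client; the pattern attribute
// in the form is only a convenience and is never trusted.
function lookup(account) {
  if (!/^[0-9]{4}$/.test(account)) return { status: 400, message: "Invalid account number." };
  if (!BALANCES.has(account)) return { status: 404, message: "Unknown account." };
  return { status: 200, message: `Balance: ${BALANCES.get(account)}` };
}

// Hypothetical handler: takes the method, lower-cased headers and the
// form-encoded body, and returns a response object. A scripted client that
// sends "Accept: application/json" gets JSON; everyone else gets HTML.
function handleBalance(method, headers, body) {
  if (method === "GET") return { status: 200, type: "text/html", body: renderPage("") };
  const account = new URLSearchParams(body).get("account") || "";
  const result = lookup(account);
  const wantsJson = (headers.accept || "").includes("application/json");
  return wantsJson
    ? { status: result.status, type: "application/json", body: JSON.stringify({ message: result.message }) }
    : { status: result.status, type: "text/html", body: renderPage(result.message) };
}
```

Both paths go through the same `lookup`, so turning JavaScript off changes only the presentation, not which checks are applied.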

When to use JavaScript
Jakob Nielsen gives a good starting point for how much web 2.0 (which is enabled by JavaScript) should be used in various types of sites:

As an extremely rough guideline, here’s the percentage of Web 2.0 infusion that might benefit different types of user experience:

Informational/Marketing website (whether corporate, government, or non-profit): 10%
E-commerce site: 20%
Media site: 30%
Intranets: 40%
Applications: 50%

— http://www.useit.com/alertbox/web-2.html

Further Reading
Web 2.0 ‘neglecting good design’

Cyberwarfare

Hash URIs

Hacker group vows ‘cyberwar’ on US government, business

Walking in others shoes: Turn JavaScript off for a day

AJAX Vulnerabilities: How Big the Threat?

Web 2.0 Can Be Dangerous…

BlackBerry users urged to disable Javascript after web browsing vulnerability revealed

Apple Safari window object invalid pointer vulnerability
