Reasons for Disabling JavaScript when Reading the Web

created Aug 9, 2018

Good reasons were provided by this 2010-2011 comment. The reasons still apply to me in 2018.

https://softwareengineering.stackexchange.com/questions/26179/why-do-people-disable-javascript

Some excerpts from the lengthy comment.

One disables JavaScript in a browser environment because of the following considerations:

Speed & Bandwidth
Usability & Accessibility
Platform Support
Security

Speed & Bandwidth

A lot of applications use way too much JavaScript for their own good... Do you need parts of your interface to be refreshed by AJAX calls all the time? Maybe your interface feels great and fast when used with a broadband connection, but when you have to downgrade to slower connection speeds, a more streamlined interface is preferred. And switching off JavaScript is a good way of preventing dumb-struck web-apps from refreshing the world every 15 seconds or so for no good reason. (Ever looked at the amount of data Facebook sends through? It's scary. It's not only a JS-related issue though, but it's part of it).

We also tend to off-load more and more of the processing to the client, and if you use minimalistic (or just outdated) hardware, it's painfully slow.

Usability & Accessibility

Not all user interfaces should be expressed in a dynamic fashion, and server-generated content might be perfectly acceptable in many cases. Plus, some people simply don't want this type of interfaces. You cannot please everybody, but sometimes you have the chance to and the duty to satisfy all your users alike.

Finally, some users have disabilities, and thou shalt not ignore them, ever!!!

Not everybody lives in a perfect world.

Security

While obviously you could think that nothing particularly dangerous can be done with JavaScript considering it runs in a browser environment, this is totally untrue.

All this being said, there might be perfectly good situations where you don't need to bother about supporting JavaScript. But if you offer a public-service website, do consider accepting both types of clients. Personally, I do think a lot of modern web-apps and websites would work just as well using the former server-generated content model with no JavaScript at all on the client side, and it would still be great and possibly a lot less consuming.

JavaScript is mostly harmless... if you use it for trusted websites. Gmail. Facebook (maybe... and not even...). Google Reader. StackExchange.

But yeah sure, JavaScript cannot be that bad, right? And there are scarier things to fear online anyway. Like thinking you're anonymous when you really aren't that much, as shown by the Panopticlick experiment of the EFF. Which is also partly done using JavaScript. You can even read their reasons to disable JavaScript to avoid browser fingerprinting.

September 2018

My main email accounts exist at Fastmail, Gmail, and Riseup.net. Eventually, I would like to rid myself of all Google products.

Occasionally, Riseup sends a newsletter. This week's version contained this link.

https://riseup.net/better-web-browsing

JavaScript is essential for most websites these days, but there are times when you may wish to disable it. When JavaScript is enabled, it is much easier for a website to fingerprint your browser and track your behavior. Also, most browser security vulnerabilities are caused by JavaScript.

November 2018

This is not about a browsing-only user reading a website. It's not about being logged into a web app to perform work at the admin console or dashboard. This is about the login page or process.

Many websites require JavaScript to enter text into a text input field to conduct a search. And increasingly, websites, especially the large services, require JavaScript during the login process.

Google requires JavaScript to log in. Once logged in, Gmail can be used without JavaScript.

Google's reason for requiring JavaScript to log in is to prevent bots from logging in for nefarious reasons.

Webpagetest.org requires JavaScript to use its HTML forms. It also uses captcha to verify that a human is running the test and not an automated script.

Preventing bots from successfully completing POST requests for HTML forms seems like a good reason to require JavaScript. Skeptics, however, believe that it's a convenient excuse for Google.

For security reasons, Google requires JavaScript for logging in. Security concerns are why I disable JavaScript much of the time.

HN comment by a former Google employee:

Firstly, this isn't some weird ploy to boost ad revenue. This is the login page - users are typing in a long term stable identifier already! The Javascripts they are requiring here are designed to detect tools, not people. All mass account hijacking attacks rely on bots that either emulate or automate web browsers, and Google has a technology that has proven quite effective at detecting these tools. There's a little bit of info on how it works scattered around the internet, but none of the explanations are even remotely complete, and they're all years old now too. Suffice it to say: no JS = no bot signals.

Another HN comment:

To keep your account secure, turn on Javascript?? If anything is making your web browsing less secure, it's JS.

From the Google blog post:

... because it may save bandwidth or help pages load more quickly, a tiny minority of our users (0.1%) choose to keep it off.

Disabling JavaScript may help? No. It DOES help pages load more quickly. It DOES save bandwidth. When a single web page requires two megabytes or more of JavaScript, and that's blocked from being downloaded, then that's a lot of bandwidth that has been saved. Pages without JavaScript load nearly instantly, instead of taking several seconds or nearly a minute or more to load completely.

Google KNOWS that disabling JavaScript DOES help pages load faster. It's one reason why Google created Accelerated Mobile Pages.

More from the Google blog post about us 0.1-percenters.

This might make sense if you are reading static content, but we recommend that you keep Javascript on while signing into your Google Account so we can better protect you.

If I need Google to protect me, then I'm lost.

HN reply comment about Google discussing the 0.1-percenters and why Google requires JavaScript during the login process.

They don’t seem to explain why though? Did I miss it? Are they fingerprinting the JavaScript environment of my browser? Why? The 0.1% are the people who would like to know why they need it, but this message is written ironically for those who don’t know what JavaScript is.

HN comment:

Additionally they imply the only motivation for disabling JavaScript is to increase performance and decrease bandwidth. They conveniently don’t mention the other, arguably more prevalent motivations: to increase privacy and security.

HN comment:

I disable JS mostly because I hate being tracked and noticed that many (most?) browser exploits require JS to run.

HN comment:

...and speed, and decreasing the amount of arbitrary code execution on your machine.

A legitimately cynical HN comment:

It is so difficult to explore anything that Google announces without passing it through the lens shaded by their ad business model. It doesn't matter with what intention they implement a change or if those intentions are pure.


Nov 29, 2018

"Major sites running unauthenticated JavaScript on their payment pages (shkspr.mobi)"

https://shkspr.mobi/blog/2018/11/major-sites-running-unauthenticated-javascript-on-their-payment-pages/

https://news.ycombinator.com/item?id=18559786

HN comment:

It would be a good idea for Chrome to display an alert similar to the non-HTTPS resource loading if integrity checks are not present for externally loaded scripts.

The danger of serving external JS without integrity checks is very similar to having non-HTTPS connections in your website.
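
The integrity check that comment refers to is Subresource Integrity: the page pins a hash of the external script in an integrity attribute, and the browser refuses to run a body that does not match. The following is an added example, not code from the linked article or from any commenter, that audits a page's HTML for cross-origin scripts lacking that pin. The hosts shop.example and cdn.example, the sample page and the function names are all assumptions made for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def sri_value(body: bytes, alg: str = "sha384") -> str:
    """Build an integrity attribute value (algorithm-base64digest) for a script body."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, body).digest()).decode()}"

def sri_matches(body: bytes, integrity: str) -> bool:
    """Simplified: True if any listed digest matches (browsers use only the strongest algorithm listed)."""
    return any(tok.partition("-")[0] in ("sha256", "sha384", "sha512")
               and tok == sri_value(body, tok.partition("-")[0])
               for tok in integrity.split())

class ScriptAudit(HTMLParser):
    """Collect cross-origin <script src> tags the browser cannot verify."""
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "script" or not a.get("src"):
            return  # not a script element, or an inline script
        url = urljoin(self.page_url, a["src"])
        if urlsplit(url)[:2] == urlsplit(self.page_url)[:2]:
            return  # same scheme and host as the page itself
        if not (a.get("integrity") or "").strip():
            self.findings.append((url, "no integrity attribute"))
        elif "crossorigin" not in a:
            # Without CORS the response is opaque and the browser blocks the script.
            self.findings.append((url, "integrity without crossorigin"))

def audit(html: str, page_url: str):
    parser = ScriptAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample (not from any real site): a vendor script and a checkout page.
LIB = b"function pay(){ /* vendor code */ }"
PAGE = f"""<script src="/static/app.js"></script>
<script src="https://cdn.example/tracker.js"></script>
<script src="https://cdn.example/lib.js" integrity="{sri_value(LIB)}" crossorigin="anonymous"></script>"""

if __name__ == "__main__":
    for url, problem in audit(PAGE, "https://shop.example/checkout"):
        print(f"{url}: {problem}")
```

Only the unpinned tracker.js is reported for the sample page; sri_matches shows why the pin matters, since any change to the script body no longer matches the published digest.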

HN comment:

It's for reasons like this that I recommend uMatrix for Firefox [0] and Chrome [1]. Its default function is to block scripts that don't belong to the root domain of the site you're visiting, and you can whitelist 3rd-Party domains by asset type on the fly from a dialogue.

It's really handy for eliminating dodgy dependencies, and it doesn't break half as many sites as NoScript.

In 2018, I have used uMatrix in Chrome and Firefox. But I also like to use browsers, such as Lynx, NetSurf, and links2 -g, which do not support JavaScript.

HN reply to the comment above:

uMatrix is great because it doesn't just block scripts. You can block iframes, images, etc... You can also turn off stuff like webworkers. It's not perfect (I've noticed a few holes around how it manages cookies, for example), but it's really good.

Removing scripts is nice, but if you're trying to prevent obscure attacks[0] or even common tracking techniques from 3rd-party sites, it's not enough. People look at Javascript like it's the primary insecurity on the web; in reality any time you can conditionally make a request to a server for any reason from anywhere, that's a vulnerability.

So with uMatrix you don't just get the ability to say, "don't run scripts", you get the ability to conditionally and granularly blacklist/whitelist domains themselves.

https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense

A media website, like the Toledo Blade newspaper, should provide a security and privacy audit report every month to inform readers, especially subscribers, why the Blade's website needs to make hundreds of web requests to display a single web page.

This is a Blade editorial that contained under 700 words, along with one pointless stock photo.

https://www.webpagetest.org/result/181129_RD_9c78ddc4a1b12057c8f5f64f3fbe15e2/
https://www.toledoblade.com/opinion/editorials/2018/11/29/national-interest-national-values/stories/20181128156
From: Dulles, VA - Chrome - Cable
11/29/2018, 9:46:55 AM
Time: 15.854 seconds
Requests: 530
Bytes In: 3,376 KB

530 web requests!!!???

3.3 megabytes downloaded to read 650 words!!!???

1.6 megabytes of the download were for JavaScript.

77 web requests were for JavaScript.

Due to the Blade's recent new web design, web pages are blank with JavaScript disabled, except for the navigation bar at the top of the site. The article body section does not exist when JavaScript is disabled. Loading the page into Lynx does not help.

The Blade's new web design uses a JavaScript single page application-like design. The article content is contained within JSON that exists within the web page. The Blade's new design focuses more on JSON and JavaScript, instead of sturdy, reliable HTML.

When viewing the above editorial with everything enabled in my web browser, my user experience is clunky, sluggish, and awkward. It's an atrocious web design, not worthy of funding.

But from a security standpoint, the Blade should explain why 530 web requests were needed to view a single web page.


Dec 11, 2018

"Malicious sites abuse 11-year-old Firefox bug that Mozilla failed to fix (zdnet.com)"

https://www.zdnet.com/article/malicious-sites-abuse-11-year-old-firefox-bug-that-mozilla-failed-to-fix/

https://news.ycombinator.com/item?id=18644573

HN comment:

Not to defend Mozilla's inability to prioritize, but ...

Isn't that a common issue across browsers? I know on iOS, I get burned by shady sites on Safari that do redirects and pop up a browser-level modal that somehow stops me from closing the tab until I turn off Javascript and restart the browser.

The fact that a modal could ever block my ability to close the tab was a hard mistake to make.

Another HN comment:

Why does nobody target the root cause?

The possibility to show popups and popovers in browsers should be removed completely. There are little to no legit uses for them. Even reputable websites use them only to nag and annoy their users.

And don't get me started about Javascript. This is a plague, that causes more problems than it solves.

Reply:

This is an absurd overreaction. Popovers are CSS. Just a positioned element. And both up-and-overs are "legitimately" used as modals in apps.

I don't know what the official term is for infuriating web design, but some "popovers", or as I like to call them "content obstructions", are created by JavaScript.

Some fixed header and footer nav areas disappear when JavaScript is disabled while others remain because those annoying fixed areas were created by 100 percent CSS. Same for other types of content obstructions, such as popovers.

The reply commenter said:

And both up-and-overs are "legitimately" used as modals in apps.

Apps. Okay. When I log into a website to do work from my account or admin console or dashboard, such as our bank's website or a tax preparation website, then I'm not bothered by an app-like UI/UX that is probably led by JavaScript.

But on websites where I don't log in because I'm a browsing-only user, reading the websites for info, then I see no reason for the site to provide a native app-like experience. JavaScript is unnecessary. These websites can function like something from the mid-1990s. http://motherfuckingwebsite.com. I'll probably use the reader mode capability of the web browser that I'm using to read the web page. For these websites, the content should be the design.

When logged into our bank's website or a tax prep website, I'm not going to use my web browser's reader mode, since that would break the experience. For these app-like websites, I'm trying to do work and then move on.

Web apps are not the same as websites, in my opinion.

Another HN comment:

Yet another reason to use an extension like uMatrix to disallow javascript by default, and only allow the absolute minimum that sites you trust need to function.

I use uMatrix. On many websites that I read, I have uMatrix cranked up to the max, which blocks everything except the HTML text.

It's surprising how some HN users are ignorant about browser extensions.

... faster than the time you'd have spent managing JS exceptions ...

Not allowing JavaScript turns into a chore when you find out that websites break in non-obvious ways. I do not want to manually enable/disable JavaScript when the browser is a means to an end for me.

It's pretty damn easy to manage JavaScript in Firefox and Chrome on my desktop and laptop computers. uMatrix requires only one or two clicks. I also use Quick JavaScript Switcher in Chrome, which makes disabling and enabling JavaScript for a website a one-click function.

How is one click on the extension icon, located next to the browser's URL bar, a hardship? It's not.

Most websites that I read still allow me to read them with JavaScript disabled. The new ToledoBlade.com web design, however, does not function without JavaScript. But that's okay. Plenty of websites work without JavaScript, more than I can possibly read each day.

Good HN response:

... every time I'm forced to enable a new JavaScript source in uMatrix, I'm angered at the site which requires it. In some cases, I just don't even bother using such sites — why buy something from someone who respects neither me nor the Web enough to provide a usable site without tons of JavaScript?