Take the 2-minute tour ×
Programmers Stack Exchange is a question and answer site for professional programmers interested in conceptual questions about software development. It's 100% free, no registration required.

My company has been developing a site for a very large company. The site is now live, and it has received its fair share of hits. The site relies enough on JavaScript to make far less aesthetically pleasing to navigate, especially in older browsers. Their site is accessed by an amusing amount of 'security enthusiasts' who have, by default, disabled JavaScript in their browsers (the site targets accountants, and ironically, a large portion of these viewers' browsers reported severely outdated releases of ie as their useragent).

This means that several purely aesthetic portions of the site have to be hidden by default using noscript tags. In the largest of which, I would like to display a text block that explains the safety of having JavaScript enabled as of 2014. So far, I've come up with the following:

A message from the developer: We've noticed you've got JavaScript turned off. Modern websites are justifiably dependent on JavaScript, and in our opinion, as long as you keep your computer up-to-date with the latest security patches, use a modern operating system, anti-virus, browser and JavaScript interpreter, there's not much point in disabling a valuable browser feature such as JavaScript in the first place.

The thing is - I don't know how accurate I am in saying this. I would like to be as simplistic as possible in explaining this. I've read about things such as the recent NSA exploitation of JavaScript to determine the identity of TOR users, and I honestly can't understand why threats such as this should be an issue for the general public.

As far as my understanding goes, disabling JavaScript is a very serious security precaution - probably too strict for the general user. I don't have a particularly thorough understanding of the way JavaScript works, but it's my understanding that JavaScript runs in a sandbox environment, and can't easily be used to exploit files on a user's machine.

My question is this - just how secure is it for a viewer to have JavaScript enabled? I'm not concerned about SEO agents not being able to see JavaScript defined content. I'm specific in asking the dangers it poses to the general user beyond those of browsing the web in the first place.

I'd also like some help in wording a convincing paragraph on this. As a HTML5 and CSS developer, I consider JavaScript an invaluable asset for cross-compatibility and general functionality, and viewers with JavaScript disabled seems to cause an entire world of trouble and excess work for my team.

share|improve this question

closed as too broad by GrandmasterB, gbjbaanb, GlenH7, MichaelT, gnat Oct 6 '14 at 3:45

There are either too many possible answers, or good answers would be too long for this format. Please add details to narrow the answer set or to isolate an issue that can be answered in a few paragraphs. If this question can be reworded to fit the rules in the help center, please edit the question.

1  
Much of the web doesn't work with full features without javascript enabled. The wide majority of the public is perfectly fine with any security aspects of javascript being enabled and it enables a much more functional web. So, unless you are building a site that is targeted at the minor portion of users that runs with javascript off, ignore them. I would NOT try to find any wording that tries to convince them to turn javascript on as that element is doing what they want and you can't change their minds. Just tell them that they must have javascript enabled in order to use your web site. –  jfriend00 Oct 5 '14 at 4:34
    
Your question seems more suited for our sister site Information Security. Was there a particular reason you asked here? –  Bart van Ingen Schenau Oct 5 '14 at 7:34
1  
From what I read in your question you are developing a site that specifically targets people (accountants) who tend to work in large organizations and have no control over the version and the settings of their browsers, and you are telling them that they cannot use your site unless they change their settings, which they can't? IOW: you are developing a site for a target audience that will never be able to actually use your site? –  Jörg W Mittag Oct 5 '14 at 16:07

2 Answers 2

Disabling JavaScript is really just a security measure for most of those "security enthusiasts," and I wouldn't modify your development to support them. Sure, it can offer some benefits such as overall speed to access the site, but, in my opinion, it's not necessary to disable unless you have something to hide.

Just explain to them that in order to properly access the site and features of the site, JavaScript needs to be enabled. There's also ways to enable JavaScript to only function on certain websites and web pages. This might be an option for those who don't want to simply enable JavaScript completely.

share|improve this answer

I think the main reason those people disable JavaScript is not security per se but rather privacy. Face it, a page using less than a couple web analytics solutions is hard to come by these days. Whatever you're doing on the web, you leave some trace of it and the big players know your every step (not that you're personally significant to any of them).

Even so, blocking JavaScript entirely seems like an overreaction. There are ways to disable specific scripts or only allow specific websites to run JavaScript code.

I think your message is perfectly justified and I've used similar ones in some of the projects I've worked on. Especially if the website is highly dynamic and handles user input. For mostly static pages, it's more understandable to keep it simple, as shown on this simple, responsive page (warning, lots of f-words in there)

Ironically, even that page loads a Google analytics script.

share|improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.