
Sunday, December 03, 2006

What you don't need javascript for

With all this Web 2.0 craze, people start assuming that we all have javascript. I have a message for those people: you can have forms without javascript. I know that all the fading and stuff is cool, but if you use the standards, more people can use your forms.

Example (I don't mean to pick on anybody, this is just one example I know of): the guys over at the F-Secure blog started using some service for creating polls. Now for their polls to work you have to enable javascript from two sources: from pollmonkey (because they give you a script to include in your page) and from the originating page (because you have to activate the script). To give you a better idea, here is a direct code snippet from their site:

<script src="http://www.pollmonkey.com/s.asp?c=53753826&u=2619733987"></script> <script language=javascript>DisplayVote33987();</script>

Because this is embedded on the F-Secure page, you have to allow script execution both from the pollmonkey website (for the included script to work) and from the F-Secure domain (for the initialization code to execute). While javascript is one of the easiest techniques to use in this case (using iframes, for example, would mean playing around with the size), there is no need for the embedding site to call the initialization script: it can be done directly in the included script file.
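
The self-initializing variant described above, as an added example (not code from pollmonkey, F-Secure or the original post): the included file finds its own script tag and renders a plain HTML form, so the embedding page carries only the one script-src tag and no inline call. The POLL data, the polls.example URL and the function names are assumptions made for illustration.

```javascript
// Added example: what a poll provider's included file could look like.
// POLL and the polls.example URL are constructed placeholders.
const POLL = {
  id: "demo-1",
  action: "https://polls.example/vote",
  question: "Do you browse with scripts disabled?",
  options: ["Yes", "No", "Only on <untrusted> sites"],
};

// Escape text before it is placed into markup on someone else's page.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build an ordinary HTML form: once rendered, voting is a normal POST
// and needs no further script.
function pollFormHtml(poll) {
  const radios = poll.options
    .map((opt, i) =>
      `<label><input type="radio" name="choice" value="${i}"> ${escapeHtml(opt)}</label><br>`)
    .join("");
  return `<form method="post" action="${escapeHtml(poll.action)}">` +
    `<input type="hidden" name="poll" value="${escapeHtml(poll.id)}">` +
    `<p>${escapeHtml(poll.question)}</p>${radios}` +
    `<input type="submit" value="Vote"></form>`;
}

// Insert the form right before the <script> tag that loaded this file.
// Returns false when there is no tag to anchor to.
function mountPoll(doc, poll) {
  const tag = doc && doc.currentScript;
  if (!tag) return false;
  tag.insertAdjacentHTML("beforebegin", pollFormHtml(poll));
  return true;
}

// Self-initialization: the embedding page never calls anything.
if (typeof document !== "undefined") mountPoll(document, POLL);
```

With this layout a visitor who whitelists scripts per site only has to allow the poll provider's origin, not the embedding page's as well.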

They aren't the only culprits; other well-known examples include Google (with their Google Analytics / Urchin tracking code) and Digg (with their code which displays the number of diggs for a given article).

Another bad example would be Zoomerang. They claim 70+ Fortune 100 clients and other similar things. Even with this much money, they created a system which not only is based entirely on javascript (even though you can style forms entirely with CSS), but also doesn't give any warning when you don't have it activated. Arguably you would know if you disabled javascript, but even so it would be nice to get a warning.

The conclusion, if any, is that managers (who buy the services of these sites) mostly have no idea about the real quality of service they are getting. While in some cases it may be reasonable for them not to be experts in the respective domain, they should at least ask an independent party who can accurately evaluate the service for them. But this is a topic for another rant...

PS. If you are interested in building better forms, go listen to episode 41 of the boagworld.com podcast.

3 comments:

  1. Anonymous 10:31 PM

    Hi,

    I'm glad to see someone else taking this seriously at last, as I've been trying to get the message across to people for several years!

    ActiveX/Scripting/iframes and other exploitable code should have been excluded from websites a Long time ago. Quite why new ones are still being designed with such code is beyond belief in 2k6!

    If website owners/operators haven't heard about ALL the exploits and Malware that have been downloaded into people's PCs over the years, due to having this code on their www's, then they must be asleep at the wheel. It's up to them to INSIST that security comes first over and above Everything else, and to make sure the web designers carry out their requests. After all they are paying them the $.

    For example, I can log into most forums, submit/post messages on these and in web pages, download/upload files, post images etc, play online sound and video, etc etc. All this and much more is possible without any of the above insecure options. So that means people would be able to Disable those active controls, and be able to stay online much more safely. Of course some people, completely missing the point, will say use a different browser. Well you wouldn't need to if websites didn't have this code in them, plus because so many do, a browser other than IE and the like, won't always work. There is actually NO need for ANY email service to require ANY active content, if they Chose to code it more safely that way.

    Even without using unsafe code, sites can still be Very interactive/pretty etc etc. A nice alternative is to design www's with CSS, as it's far superior and safer too. Thankfully I've noticed more www's now doing this, and one good example is Steve Gibson's - www.grc.com -

    It's about time those in the industry who should and could be doing something about all this, start doing so ASAP. Better late than never, and the sooner they begin the quicker the amount of Malware entering people's PCs will reduce dramatically.

    Spanner

    SpannerITWks

  2. Thank you.

    Did you ever think about starting your own blog?

  3. Anonymous 3:15 PM

    Steve Gibson's site is quite unattractive. A bit of Flash would be nice.
