Ravens PHP Scripts: Forums
 

 

manunkind
Posted: Sat Aug 12, 2006 5:14 pm

New information has surfaced that shows that Javascript can be used in malicious ways just as other types of scripting can.

I posted an interesting article on my website: [ Only registered users can see links on this board! Get registered or login! ]

Yes, Javascript will too turn to the dark side and could be used against you. The idea and proof of concept code is now available on the web and it's just a matter of time before hackers pick up on it.

A recent survey has shown that about 10% of users are now browsing the web without scripting turned on. This is increasing as we go.

So, webmasters....should we be more conscious about the hacks that we install? Should we really be filling our code up with fancy Javascript that may cripple our site in the near future for just about anybody who comes along?

Thoughts? Opinions?

_________________
PC Sympathy 
kguske

Posted: Sat Aug 12, 2006 7:18 pm

Be conscious if you will, but with AJAX (javascript) use on the rise, I think people will be more selective about the sites they visit rather than turn off javascript, and browsers will be better able to allow selective use of javascript on sites.

I also don't agree that users are turning off scripting. Which survey found 10%? What evidence supports the assertion that it's increasing? If it comes from a company offering to help you "secure your web applications," I'd have to question it.

Yes, yes, I know I need to change the forum boxover to support those who turn off scripting. But those in favor far outweigh the one who does not. It doesn't cripple the site (rather makes it as convenient as it is on other sites without it, but a little more annoying), and doesn't affect 99% of the visitors to the site at all (that's just an estimate, by the way, not based on an official "survey").

_________________
I search, therefore I exist...
nukeSEO - nukeFEED - nukePIE - nukeSPAM - nukeWYSIWYG
 
manunkind







Posted: Sat Aug 12, 2006 7:57 pm

I have no "official" source on the survey. This was all brought to my attention through a podcast/lecture.

And I don't know what sites you surf, but I've been to MANY sites that are crippled without the use of scripting. Whether it's fancy hierarchical navigation systems that won't go past level one, or just Submit buttons that use JS for error checking before the data gets sent. It's crippled and not fully functional. Most times I leave and go somewhere else instead of enabling scripting and lowering my security.
 
manunkind







Posted: Sat Aug 12, 2006 8:07 pm

Quick example for you kguske:

I just turned off scripting for this site and here are the results:

Fancy Navigation Menu block - Dead
News Paging dropdown on front page - Dead
Forum Preview Block - Dead

That was just the index.php page. If it wasn't for the static links in the header, I would not have been able to get past the first page at all.

And posting this message, all the BBCode stuff is dead as well.

Still think it doesn't cripple most sites? ;)
 
kguske







Posted: Sat Aug 12, 2006 9:07 pm

I guess we have different definitions of cripple - after all, you were able to get past the first page, and you could type the bbcode by hand.

Yes, I still believe most users don't disable JavaScript. I mean, if you are concerned about a site having malicious JavaScript, why are you there in the first place?

It's like living in a house with bars on the windows to keep out the bad guys. What did YOU do to deserve to live in a prison? Living in a house with bars isn't really living...sort of like surfing with JavaScript disabled...

Thanks for the doomsday predictions regarding the death of JavaScript...I need to focus on the things that help my visitors have a better experience. I'll keep your advice in mind, but, at least for now, it won't be top priority.
 
gregexp

Posted: Sun Aug 13, 2006 12:33 am

I completely agree. A lot of my site's content is javascript and I don't see anyone complaining.

This just means browsers will need to beef up javascript security (kinda the same thing they've been asked to do for years) without sacrificing functionality.

Like kguske said, you would need to seriously question the results.
Now if you think javascript is the only form of security threat on the net to you as a visitor, fraid not.

Truth is, to secure a site to not grab information off your system is to keep your system offline.

That's it. How do you think sites grab IPs? The fact is, Javascript is not the only way to grab that information because that information is freely given by your system.
Your computer has to communicate with the server and the website itself, but what you're askin is to view a site with none of your information being released. That cannot be done.

And therefore vulnerabilities will always exist as long as there are different PCs, operating systems, browsers, manufacturers etc. etc.

When I first got online, I asked someone how can I secure my system from people who would grab my information and do bad things with it. Mind you this guy is a friend for years and I fully trusted him.

His response:
See that cord that's in the back of your computer?
Me: yeah, which one?
Him: The one that looks like a phone cord, it might not be a phone cord but it'll look like one.
Me: ok got it.
Him: unplug it!!!

It's the only way.

Truth is, how secure you are depends on what you want to do, malicious javascript won't be implemented by any GOOD webmaster (intentionally). And with people like the people on this site, they will be well informed if they simply read.

_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!! 
manunkind







Posted: Sun Aug 13, 2006 9:17 am

I posted this as an informational piece of news only and to hopefully start a real discussion or two about it. I did not expect somebody to dissect my post word for word, add their own words, and argue every bit of it.

However, I will stick to my terminology. I do believe that a site that is not fully functional is indeed crippled. There's 4 static links in the header out of 26 possible modules in the navigation menu. That's 15% functionality without scripting. Plus you are alluding to the fact that everybody who comes to our boards will know the exact syntax of BB Code. I don't think so. It's "crippled" and not fully functional. But this is a childish argument about exact definitions and I'm done with it.

I didn't write the above article. Nobody is telling me stuff that I don't already know about Internet Security. I'm paying almost $90,000 for a degree in Information System Security. I know how insecure everything is. From the application data right down to the packet level data before it gets put on the wire. Spare me all the security lessons. :lol:

Anyway, here is the latest news about the potential of Javascript in the future, do what you want with it. ;)
 
kguske







Posted: Sun Aug 13, 2006 9:42 am

It is an interesting discussion, though my "childish" response was joking along the lines of your previous "adult" response dissecting this site. ;)

Since I like to have facts before making decisions, I did a little research and found that at least one source believes that about 10% currently have javascript disabled. Note however, that you could compare January 2006 to January 2005 and show that the number of users that have javascript disabled actually decreased. Then, there is another site showing that only 6% have Javascript disabled.

Please also note the great quotes following those statistics:
Quote:
"First get your facts; then you can distort them at your leisure."
Mark Twain

"There are three kinds of lies: lies, d*** lies, and statistics."
Benjamin Disraeli

"Then there was the man who drowned crossing a stream with an average depth of six inches."
W. I. E. Gates


I'm not trying to teach you anything about security, and I hope you get your money's worth on that education (it was a LOT less than that in my day!). I'm simply saying that the benefits of js currently outweigh the costs of a) disabling it and b) modifying websites to degrade for non js support. Have a look:
[ Only registered users can see links on this board! Get registered or login! ] [ Only registered users can see links on this board! Get registered or login! ]

I do wish there was a better way to track those statistics for our own sites - since that would be of greatest use in helping us figure out how to proceed with the info you provided.
 
manunkind







Posted: Sun Aug 13, 2006 10:23 am

I somewhat agree. I guess the answer will then be not removing javascript entirely from the sites, but just adding a "fallback system" to support non-scripting visitors.

I just thought it was a pretty interesting article and it did make me stop and think about all these js features I'm adding to my site. (just got done adding Raven's collapsible forums block)

I came across a nice hierarchical menuing system made completely with CSS. No other scripting at all:
[ Only registered users can see links on this board! Get registered or login! ]
 
gregexp







Posted: Sun Aug 13, 2006 1:47 pm

I had no intentions of dissecting, only trying to show a flaw in the general thinking altogether.

As for the CSS.

CSS is kinda funny, IMO CSS is just another form of javascript without the complete functionality.

It's a good concept to have a fallback and for the most part, it works well, but you'll find that not all browsers support the fallback options available so instead of having a little inconvenience of typing things in or javascript not working completely, you'll see browsers that completely die due to the fallback option.

I think this is why most sites have opted to just not create a fallback.
It's sad how things can turn malicious, but we can only do what we can with what we are given.

IMO if you look at javascript and php, you'll see almost identical syntax. It's funny how they seem to be so similar.
 
manunkind







Posted: Sun Aug 13, 2006 2:09 pm

Doesn't CSS work in all browsers, with or without scripting? I guess that was the appeal for this menuing system.

I don't know. I wish I was fluent in CSS, PHP, and other webmastering languages, but I never stopped to fully learn them. If it weren't for this site and NSN, my code would be nothing but swiss cheese. :roll:
 
gregexp







Posted: Sun Aug 13, 2006 2:29 pm

No, CSS is not compatible with all browsers or settings.

For more information: [ Only registered users can see links on this board! Get registered or login! ]
 
kguske







Posted: Tue Aug 15, 2006 12:13 pm

This might help.
 
manunkind







Posted: Wed Aug 16, 2006 5:46 am

Yeah, that's a very cool plug-in for Firefox. That's also how I run Internet Explorer. I keep all scripting disabled by default until I choose to enable them on a site by site basis.
 
All times are GMT - 6 Hours
 