Stop pushing JavaScript!

Posted on 2019-07-02.
Frontend developers are pushing JavaScript as though the web could not function without it. The fact is that JavaScript is one of the top reasons for security breaches on client computers and mobile phones. It is a plague that turns privacy into a public exhibition, and it has paralyzed the industry in such a way that you can hardly find a website that doesn't display "the white screen of death" if JavaScript has been disabled in the browser.

I'm gonna say it straight out: Frontend developers are breaking the Internet! They have been stricken with some kind of mass psychosis in which even the least amount of independent thinking has become so hard that you think you're dealing with a zombie. It doesn't even qualify as a form of blind following, because nobody is leading. It rather looks like everyone is running around frenzied.

If you're pushing JavaScript as a dependency for your website to function, you'd better be serving some pretty amazing and special content, otherwise your website is just plain broken!

I have worked as both a backend and a frontend developer since 1998 and I have never once made a web application depend upon JavaScript. This goes for web shops, blog systems, large CMS installations, as well as backend administration utilities, and much more. In situations where I have been hired as a consultant to an existing team, the first thing I have done was to remove any dependency on JavaScript.

Not once has a client ever experienced a problem with his web application as a result; quite the contrary. Removing JavaScript makes the application load much faster, removes multiple security-related attack vectors, and greatly improves customer privacy and usability.

Perhaps one of the reasons why frontend developers have become such a hazard to the web is that they don't understand the backend. Once you combine backend and frontend development into a single trait, you get to understand both in depth and detail.

If you know what you're doing, you can simulate much of the improved UI experience that JavaScript can provide using only backend technology. The much improved performance, security, and privacy far exceed whatever loss of AJAX capabilities you might experience.

Some types of applications cannot be built without using scripting capability on the user agent, such as browser-based chat engines, but such applications belong to a unique area that perhaps never even should have migrated to the browser in the first place. Furthermore, those types of unique applications are hardly what most websites are running.

No, the problem resides with websites that by nature don't require any form of JavaScript in order to serve the content they are serving. And the fact of the matter is that the majority of frontend developers aren't developing applications for niche markets with such requirements in the first place. Rather, they are developing regular websites, web shops, content management applications, and other similar applications, all of which in the end are just plain simple HTML. You do remember what plain HTML is, right?

Then again, even most of those niche products that by nature perhaps do require some amount of JavaScript could often still be somewhat useful had they at least been built opt-in rather than not functioning at all.

Security issues from third-party JavaScript widgets and JavaScript libraries are a vulnerable aspect of JavaScript that is actively exploited on a massive scale. Security issues in browsers, such as CVE-2019-11707 and CVE-2019-11708, are highly critical issues that are completely mitigated if JavaScript is disabled or removed completely. CVE-2019-11707 is a type confusion vulnerability in Mozilla Firefox that can result in an exploitable crash due to issues in Array.pop which can occur when manipulating JavaScript objects. CVE-2019-11708 is a sandbox escape vulnerability in Prompt:Open inter-process communication (IPC) messages due to insufficient vetting of parameters. An attacker can exploit this vulnerability to cause a non-sandboxed parent process to open web content from a compromised child process using a specially crafted Prompt:Open IPC message between the child and parent process. Combining CVE-2019-11708 and CVE-2019-11707 can result in arbitrary code execution.
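
As an added example (not part of the original post), the following auditor inventories every place an HTML page can execute JavaScript and separates first-party from third-party script sources, which is the exposure described above. The class and function names, the sample URL and the sample HTML are constructed for illustration, and the check for a missing Subresource Integrity `integrity` attribute is an extra hardening check that the post does not mention.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptInventory(HTMLParser):
    """Records every place an HTML document can execute JavaScript."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.first_party, self.third_party, self.no_sri = [], [], []
        self.inline_scripts = self.event_handlers = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # on* attributes (onclick, onload, ...) run script without a <script> tag.
        self.event_handlers += sum(1 for n in attrs if n.startswith("on") and len(n) > 2)
        if tag != "script":
            return
        if not attrs.get("src"):
            self.inline_scripts += 1
            return
        url = urljoin(self.page_url, attrs["src"])  # resolves /path and //host/path
        if urlsplit(url).hostname == self.page_host:  # exact host match only
            self.first_party.append(url)
        else:
            self.third_party.append(url)
            if not attrs.get("integrity"):  # no Subresource Integrity hash pinned
                self.no_sri.append(url)

def audit(html, page_url):
    """Return the script inventory of one HTML document as a dict."""
    inv = ScriptInventory(page_url)
    inv.feed(html)
    inv.close()
    found = inv.first_party or inv.third_party or inv.inline_scripts or inv.event_handlers
    return {"first_party": inv.first_party, "third_party": inv.third_party,
            "third_party_without_sri": inv.no_sri, "inline_scripts": inv.inline_scripts,
            "event_handlers": inv.event_handlers, "script_free": not found}

SAMPLE_URL = "https://shop.example/cart"  # constructed sample, not a real site
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.widgets.example/chat.js"></script>
<script src="//stats.example/t.js" integrity="sha384-CONSTRUCTED"></script>
<script>var cart = [];</script>
</head><body><button onclick="buy()">Buy</button>
</body></html>"""

if __name__ == "__main__":
    print(audit(SAMPLE_HTML, SAMPLE_URL))
```

Because the host comparison is exact, a script served from a sibling subdomain is reported as third party; a page built from plain forms and links reports `script_free` as true.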

JavaScript in the client is not a necessary evil! It is a tool that with great and meticulous care can improve the user experience to a certain degree in some unique situations, but if you are making your regular and non-unique web application depend upon JavaScript, then that is a clear sign that you are doing something very wrong.

Stop pushing JavaScript as a dependency just to make a regular and stupid website run!