Stop pushing JavaScript!

Posted on 2019-07-02. Last updated on 2019-09-19.
Frontend developers are pushing JavaScript as though the web could not function without it. The fact is that JavaScript is one of the top reasons for security breaches on the client computer and client mobile phones, it is a plague that turns privacy into a public exhibition, and it has paralyzed the industry in such a way that you can hardly find a website that doesn't display "the white screen of death" if JavaScript has been disabled in the browser.

I'm gonna say it straight out: Frontend developers are breaking the Internet! They have been stricken with some kind of mass psychosis in which even the least amount of independent thinking has become so hard that you think you're dealing with a zombie. It doesn't even qualify as a form of blind following, because nobody is leading. It rather looks like everyone is running around frenzied.

If you're pushing JavaScript as a dependency for your website to function, you'd better be serving some pretty amazing and special content, otherwise your website is just plain broken!

I have worked as both backend and frontend developer since 1998 and I have never once made a web application depend upon JavaScript. This goes for web shops, blog systems, large CMS installations, as well as Intranet administration utilities, and much more. In situations where I have been hired as a consultant to an existing team, the first thing I have done was to remove any dependency on JavaScript.

Not once has a client ever experienced a problem with his web application as a result; quite the contrary. Removing JavaScript makes the application load much faster, removes multiple security-related attack vectors, and greatly improves customer privacy and usability.

If you know what you're doing you can simulate much of the improved UI experience that JavaScript can provide using only backend technology. The much improved performance, security, and privacy far exceed whatever loss of JavaScript capabilities you might experience.

The problem resides with websites that by nature don't require any form of JavaScript in order to serve the content they are serving. And the fact of the matter is that the majority of frontend developers aren't developing applications for niche markets with specific JavaScript requirements; rather, they are developing regular websites, applications that in the end are just plain simple HTML. You do remember what plain HTML is, right?

Even most niche products that by nature perhaps do require some amount of JavaScript could often still be somewhat useful had they at least been built opt-in rather than not functioning at all.

Also, have you ever seen how a blind person uses the Internet? If not you need to have this demonstrated! Especially if you're a frontend developer. You might think that blind people who use the Internet are a minority, but the fact of the matter is that it doesn't matter how many people with disabilities use the Internet, the Internet is for everybody, and when websites are properly designed and coded, people with disabilities can use them. Currently most websites are developed without the least concern for accessibility which makes them difficult or impossible for some people to use and the way JavaScript is being used is a very big part of that problem.

Websites that create barriers for people with disabilities are generally just badly designed. Making websites accessible benefits individuals, businesses, and society. And you, as a frontend developer, must understand that it is part of your responsibility to make sure that your web application contains as few barriers as possible. If you don't do that, then why are you doing frontend development in the first place?

Web development is not about how to make the work fast and easy for the "lazy" frontend developer who long since has forgotten how to manually do anything and as a result no longer knows or understands how to put a simple website together without the use of a barrier producing framework or technology.

The optimal solution will always be to make sure that basic functionality works without JavaScript.

Another point worth mentioning is that more and more people disable JavaScript uncompromisingly, using extensions such as NoScript, due to very valid security concerns. If a website isn't working without JavaScript, it is losing potential visitors and customers on a regular basis. If you only use a JavaScript-based statistics system, such as Google Analytics, then you won't even see the problem. You need to look into the statistics running on the backend, such as the webserver logs, to see how many visitors visit your website without JavaScript enabled.
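One way to get that number out of the webserver logs, as an added example that is not code from the original post: group requests by client and count the clients that fetched a page and its stylesheet but never requested a script. It assumes Combined Log Format, that every page references at least one external `.js` and `.css` file, and that a client is an (IP, user-agent) pair; the log lines are constructed.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def classify_clients(lines):
    """Map each (ip, user-agent) that fetched a page to 'js', 'no-js' or 'non-browser'."""
    seen = defaultdict(lambda: {"page": False, "css": False, "js": False})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "GET" or m["status"] not in ("200", "304"):
            continue  # skip unparsable lines, non-GET requests and errors
        path = m["path"].split("?", 1)[0].lower()  # drop cache-busting query strings
        kinds = seen[(m["ip"], m["ua"])]
        if path.endswith(".js"):
            kinds["js"] = True
        elif path.endswith(".css"):
            kinds["css"] = True
        elif path.endswith(("/", ".html")):
            kinds["page"] = True
    # Page + script = "js"; page + CSS only = "no-js" (rendered, never asked for a
    # script); page alone = "non-browser" (likely a crawler or fetch tool).
    return {
        client: "js" if k["js"] else "no-js" if k["css"] else "non-browser"
        for client, k in seen.items() if k["page"]
    }

def no_js_share(lines):
    """Fraction of browser-like clients that loaded pages without any script."""
    classes = list(classify_clients(lines).values())
    browsers = [c for c in classes if c != "non-browser"]
    return classes.count("no-js") / len(browsers) if browsers else 0.0

# Constructed sample log (documentation IP ranges, not real traffic).
_T, _FX = '- - [02/Jul/2019:10:00:00 +0000]', '"-" "Mozilla/5.0 Firefox/68.0"'
SAMPLE_LOG = [
    f'192.0.2.10 {_T} "GET / HTTP/1.1" 200 5120 {_FX}',
    f'192.0.2.10 {_T} "GET /css/site.css HTTP/1.1" 200 900 {_FX}',
    f'192.0.2.10 {_T} "GET /js/app.js HTTP/1.1" 200 40000 {_FX}',
    f'198.51.100.7 {_T} "GET / HTTP/1.1" 200 5120 {_FX}',
    f'198.51.100.7 {_T} "GET /css/site.css HTTP/1.1" 200 900 {_FX}',
    f'203.0.113.5 {_T} "GET / HTTP/1.1" 200 5120 "-" "ExampleBot/1.0"',
    f'192.0.2.44 {_T} "GET /about.html HTTP/1.1" 200 3000 {_FX}',
    f'192.0.2.44 {_T} "GET /js/app.js?v=3 HTTP/1.1" 304 0 {_FX}',
]
```

Treat the result as an upper bound: a browser that serves the script from its cache without revalidating sends no request for it and is counted as no-JS, so compare clients over a window that includes their first visit.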

Third-party JavaScript widgets and JavaScript libraries are vulnerable aspects of JavaScript that are actively exploited on a massive scale. Security issues in browsers, such as CVE-2019-11707 and CVE-2019-11708, are highly critical issues that are completely mitigated if JavaScript is disabled or removed completely. CVE-2019-11707 is a type confusion vulnerability in Mozilla Firefox that can result in an exploitable crash due to issues in Array.pop, which can occur when manipulating JavaScript objects. CVE-2019-11708 is a sandbox escape vulnerability in Prompt:Open inter-process communication (IPC) messages due to insufficient vetting of parameters. An attacker can exploit this vulnerability to cause a non-sandboxed parent process to open web content from a compromised child process using a specially crafted Prompt:Open IPC message between the child and parent process. Combining CVE-2019-11708 and CVE-2019-11707 can result in arbitrary code execution.

JavaScript in the client is not a necessary evil. It is a tool that with great and meticulous care can improve the user experience to a certain degree in some unique situations, but if you are making your regular and non-unique web application depend upon JavaScript, then that is a clear sign that you are doing something very wrong.

Stop pushing JavaScript as a dependency just to make a regular and stupid website run!