Stop pushing JavaScript!

Published on 2019-07-02. Modified on 2019-09-19.

Front-end developers are pushing JavaScript as though the web could not function without it. The fact is that JavaScript is one of the top reasons for security breaches on client computers and mobile phones, it is a plague that turns privacy into a public exhibition, and it has paralyzed the industry in such a way that you can hardly find a website that doesn't display "the white screen of death" if JavaScript has been disabled in the browser.

Please don't be offended if you are a front-end developer, but I am not going to sugarcoat it. Front-end developers are breaking the Internet! They have been stricken with some kind of mass psychosis in which even the least amount of independent thinking has become so hard that you think you're dealing with a zombie. It doesn't even qualify as a form of blind following, because nobody is leading. It rather looks like everyone is running around frenzied.

If you're pushing JavaScript as a dependency for your website to function, you'd better be serving some pretty amazing and special content, otherwise your website is just plain broken!

I have worked as both a back-end and a front-end developer since 1998 and I have never once made a web application depend upon JavaScript. This goes for websites, webshops, blogging systems, content management systems, as well as Intranet administration utilities, and much more. When I have been hired as a consultant to an existing team, the first thing I have done is to remove any unnecessary dependency on JavaScript.

Not once has a client ever experienced a problem with his web application as a result; quite the contrary. Removing JavaScript makes the application load much faster, removes multiple security-related attack vectors, and greatly improves customer privacy and usability.

The problem resides with websites that by nature don't require any form of JavaScript in order to serve the content they are serving. And the fact of the matter is that the majority of front-end developers aren't developing applications for niche markets with specific JavaScript requirements; rather, they are developing regular websites, applications that in the end are just plain simple HTML and CSS.

Even most niche products that by nature perhaps do require some amount of JavaScript could often still be somewhat useful had they at least been built with JavaScript as opt-in rather than as a core dependency.

Also, have you ever seen how a blind person uses the Internet?

If you haven't, you need to have this demonstrated. Especially if you're a front-end developer.

You might believe that blind people who use the Internet are just a minority and you don't need to care about them, but that's just wrong. Many blind people depend heavily on the Internet on a day-to-day basis for a lot of stuff. And the fact of the matter is that it doesn't matter how many people with disabilities use the Internet, the Internet is for everyone, not just the people you deem worthy.

When websites are properly designed and coded, blind people and people with other disabilities can use them.

Currently, most websites are developed without the least concern for accessibility, which makes them difficult or impossible for some people to use, and the way JavaScript is being used is a very big part of that problem.

Websites that create barriers for people with disabilities are generally just badly designed.

Making websites accessible benefits individuals, businesses, and society. And you, as a front-end developer, must understand that it is part of your responsibility to make sure that your web application contains as few barriers as possible.

If you don't do that, then why are you even doing front-end development in the first place?

Web development is not about how to make the work fast and easy for the "lazy" front-end developer who has long since forgotten how to do anything manually and, as a result, no longer knows or understands how to put a simple website together without the use of a barrier-producing framework or technology.

The optimal solution will always be to make sure that basic functionality works without JavaScript.

Another point worth mentioning is that more and more people disable JavaScript uncompromisingly, using extensions such as NoScript, due to very valid security concerns. If a website isn't working without JavaScript, it is losing potential visitors and customers on a regular basis. If you only use a JavaScript-based statistics system, such as Google Analytics, then you won't even see the problem. You need to look into the statistics running on the back-end, such as the webserver logs, to see how many visitors visit your website without JavaScript enabled.
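One way to get that number out of the webserver logs, shown as an added example that is not part of the original post: group requests by client and flag those that loaded a page but never requested a script. It assumes Combined Log Format, that every page references a first-party script served (or revalidated) by the same server, and constructed sample paths and log lines; crawlers are dropped with a crude user-agent filter.

```python
import re

# Combined Log Format:
# ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
BOT_RE = re.compile(r"bot|crawl|spider", re.I)  # crude crawler filter (assumption)

def classify_clients(lines):
    """Return (with_js, without_js): sets of (ip, user-agent) that loaded a page."""
    pages, scripts = set(), set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "GET" or BOT_RE.search(m["ua"]):
            continue
        client = (m["ip"], m["ua"])
        path = m["path"].split("?", 1)[0]      # ignore query strings
        status = int(m["status"])
        if path.endswith(".js") and status in (200, 304):
            scripts.add(client)                 # 304 = cached copy revalidated
        elif status == 200 and path.endswith(("/", ".html")):
            pages.add(client)
    return pages & scripts, pages - scripts

def no_js_share(lines):
    """Fraction of page-loading clients that never fetched a script."""
    with_js, without_js = classify_clients(lines)
    total = len(with_js) + len(without_js)
    return len(without_js) / total if total else 0.0

# Constructed sample input (documentation IP ranges, hypothetical paths).
FX = "Mozilla/5.0 (X11; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0"

def _line(ip, path, status, ua=FX):
    return (f'{ip} - - [02/Jul/2019:10:00:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')

SAMPLE_LOG = [
    _line("192.0.2.10", "/", 200), _line("192.0.2.10", "/static/app.js", 200),
    _line("198.51.100.7", "/articles/intro.html", 200),
    _line("198.51.100.7", "/static/site.css", 200),   # page and CSS, no script
    _line("203.0.113.5", "/", 200, "ExampleBot/1.0"),  # crawler, ignored
    _line("203.0.113.20", "/index.html?ref=x", 200),
    _line("203.0.113.20", "/static/app.js?v=3", 304),
]

if __name__ == "__main__":
    print(f"clients without JavaScript: {no_js_share(SAMPLE_LOG):.0%}")
```

Clients behind a shared IP address with identical user agents are merged, and a script cached without revalidation never reaches the log, so treat the result as an estimate.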

Third-party JavaScript widgets and JavaScript libraries bring security issues that are actively exploited on a massive scale. Security issues in browsers, such as CVE-2019-11707 and CVE-2019-11708, are highly critical issues that are completely mitigated if JavaScript is disabled or removed completely. CVE-2019-11707 is a type confusion vulnerability in Mozilla Firefox that can result in an exploitable crash due to issues in Array.pop, which can occur when manipulating JavaScript objects. CVE-2019-11708 is a sandbox escape vulnerability in Prompt:Open inter-process communication (IPC) messages due to insufficient vetting of parameters. An attacker can exploit this vulnerability to cause a non-sandboxed parent process to open web content from a compromised child process using a specially crafted Prompt:Open IPC message between the child and parent process. Combining CVE-2019-11708 and CVE-2019-11707 can result in arbitrary code execution.

JavaScript in the client is not a necessary evil. It is a tool that - with great and meticulous care - can improve the user experience to a certain degree in some situations, but if you are making your regular and non-unique web application depend upon JavaScript, then that is a clear sign that you don't know what you are doing and you should be doing something else.

Stop pushing JavaScript as a dependency just to make a regular and stupid website run!