Home | Mail | Resume | Karsten M. Self

Mandatory Java/Javascript Considered Harmful

and don't even get me started on Flash

This is a standard rant on the subject of use of Java, Javascript, and Flash in websites. It's usually sent to (or pointed at) in complaints to websites which not only use these features (not so bad of itself), but require them. Now posted for general edification.


Your website uses one or more of the Java and/or Javascript, including possibly for such basic functionality as hyperlink anchors or page presentation. This is poor design and renders the site useless under commonly used browsers and configurations. Even where security isn't compromised, it's a sad but true fact that browser stability often is. Consequently I will not browse arbitrary sites with Javascript enabled.

A more recent annoyance is Macromedia Flash. While security issues appear less severe than with Javascript, the core issue is accessbility. Users lacking Flash support, using text-only browsers, or alternative browsing devices (including handheld and portable computers) are blocked out of your site. Jakob Nielson, Web usability guru, concludes that Flash is 99% bad, leading to several very poor usability practices. At the very least, provide a "Non-flash" entrance to your website, otherwise your visitors will see nothing but a blank page.

Stanford University's Computer Security Office whitepaper on the Javascript:

http://www.stanford.edu/~dbrumley/Docs/javascript.htm

Both Java and Javascript are known sources of a number of security holes and attacks on web browsers. A recent spectacular example allows your computer to be taken over as a webserver, serving up local content for the entire Internet to receive: http://www.pchell.com/virus/brownorifice.shtml.

A good summary of risks of Java and Javascript has been written by Lincoln Stein, and is hosted at the W3 Consortium's website: http://www.w3.org/Security/Faq/wwwsf2.html#CLT-Q8.

Note in particular the prime characteristic of a distributed computing model based on Java (and Javascript):

Java [and Javascript] scripts, because they execute on the browser's side of the connection instead of on the server's, move the security risk squarely from the server to the client.

....

Javascript also has a troubling history of security holes. Unlike the Java holes, which potentially can change data on the user's disk, Javascript holes generally involve infringements on the user's privacy. Although many bugs have been closed, others keep popping up.

Though there is probably little risk to your website from use of Java or Javascript (these are client-side, not server-side tools), you are creating an insecure environment for your users by requiring them to use these inherently insecure facilities.

Notable exploits:

You might also try searching "Javascript exploits" and "Javascript bugs" in a major search engine sometime:

http://www.google.com/search?q=javascript+exploits
http://www.google.com/search?q=javascript+bugs
http://www.google.com/search?q=javascript+security

...or go through the CERT and BugTraq archives.

http://search.cert.org/
http://www.securityportal.com/list-archive/bugtraq/

Javascript is a nonstandard extension, not supported by all browsers, and in particular not supported by text-based browsers, handheld and PDA devices. It may raise ADA (American Disability Act) compliance issues by being incompatible with common text-to-speech software.

http://www.libertyresources.org/news/news_22.html

Even where it is not a particular risk, because Java and Javascript greatly reduce stability and usability of a number of browsers, they can contribute to problems when a browser fails during a transaction or other process.

Hyperlinks are an HTML feature already more than adequately supported via HTML anchor (<a href="URL">) tags.

If you insist on adding chrome to your site, do yourself the favor of not disabling core functionality in the process.


Copyright © 1999-2001, Karsten M. Self kmself@ix.netcom.com.
Last updated: 2004/04/11 22:29:00