The Problem with Client-Side JavaScript

JavaScript is everywhere. It’s extremely rare now to find a web site that delivers pure HTML pages. Most include a large number of JavaScript files. The Miami Herald newspaper front page, for example, includes 10 JavaScript files.


I think this trend is bad for the web and here is why.

  1. Security. JavaScript is not secure. It’s a basic tenet of security to avoid running untrusted code on your computer. Yet that is exactly what running JavaScript in your browser is. Just like Flash and just like Java applets. In fact JavaScript is worse. The US Government vulnerability database shows what I mean. As of August 2014, JavaScript vulnerabilities represented 49% of all web vulnerabilities (about 6,000). This is several times more than Flash and Java combined.
  2. Privacy. JavaScript is used to track you and for invasive marketing. It provides a great platform for spyware of all types. Offering unscrupulous people the ability to execute code on your machine is just a bad, bad idea.
  3. Breaks Basic Web Principles. The web is based on a few simple actions: links to pages (resources in technical jargon), back, and forward. It’s very simple and easy for everyone to understand. JavaScript breaks this. JavaScript brings things like infinite scrolling, so forward and back don’t work. Good web design requires one link to one resource (page) and not a page made up of multiple, independent resources created dynamically via user interaction.
  4. Fragility. JavaScript not only breaks basic web interactions, it also results in complex and fragile pages that often don’t work correctly. The men’s clothing site Bonobos is an example. It’s trying to be an application instead of a web page and the result is an overly complex site that, at least for me, almost never works. There are many, many examples of this. Their designers don’t seem to understand that the web is about documents, not applications. Good web sites are like pages in a book, not like Microsoft Office. Making sites like documents makes them simple and reliable, makes the browser work as expected, and makes them secure. This means HTML only. All complex processing should be done on the server side.
  5. Mobile Device Problems. These complex, overly clever JavaScript applications don’t work well on mobile devices such as phones and tablets. As a result, web sites frequently provide special mobile pages which may, but usually don’t, offer the same content and options as the main version. This could also be avoided by following basic web principles.

These are why I think JavaScript on the client is bad for the web in general. JavaScript-based web applications can, of course, be very useful. When provided by trusted sites such as your company intranet or a few select vendors, these applications make sense. But as the default for most web sites JavaScript is a disaster.

Categories: Security, Software
