Javascript-Enabled or Bust

Posted 7 months ago by jacques | 25 comments

After a recent deluge of blog spam, I went ahead and installed an interesting Rails plugin to my project called form-spam-protection. I was actually initially searching for a captcha plugin, but since I despise captchas on sites and wasn’t in the mood to integrate with the Akismet antispam web service, I jumped on the opportunity to try this thing out.

The plugin tries to block spam seamlessly on your forms by using a little hackery on the backend. When an HTML form is displayed, it encodes a string via SHA1 on the server side. It then uses Hivelogic’s Enkoder to output a mess of JavaScript to the page, which on the client side populates the form, putting the key back together in a hidden field before the form is submitted. Then, on postback, it validates the key against the one previously added to the session. For a more detailed explanation, click here.

Anyways, the thing seems to work great. But as you might be able to guess, it’s got one big catch. One whose consequences may invoke rage in certain individuals. Try turning off javascript and interacting with my site (submitting a comment, or logging in) and here’s what you might see.

Deeeeenied

Pleasant error message I’d say. But my question is, are we to the point where we can just say no to those folks who don’t have Javascript enabled? What year are these people living in anyways? Long ago we passed the point where we could safely give the finger to our non-cookie enabled users. Is it about that time to be A-OK with offering the same treatment for non-javascript users?

One interesting sidenote: despite my complete indifference to the pain and struggle of our less fortunate javascriptless citizens, I still agree wholeheartedly with the coding practice of using “unobtrusive” javascript. While I couldn’t care less about the graceful degradation part, separating generated html from your javascript code does make things vastly more reusable and easier to manage during web development.

Feel free to complain about this in the comments. But if you don’t have javascript on, you won’t be able to post one anyways.
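The server side of the flow described above, as an added sketch in plain Ruby (not the plugin's own code): a key is stored in the session at render time, handed to the page only as fragments for script to reassemble, and compared on postback. The field name, the fragment size, the single-use key and the result symbols are assumptions made for illustration.

```ruby
require "digest/sha1"
require "securerandom"

FIELD = "form_key" # hypothetical hidden-field name

# Form render: derive a per-form key, remember it in the session, and give the
# page only fragments that client-side script has to join back together.
def render_form(session)
  key = Digest::SHA1.hexdigest(SecureRandom.random_bytes(32))
  session[:form_key] = key
  key.scan(/.{1,8}/)
end

# What any client that executes the script submits. The server learns only
# that the script ran, not who or what ran it.
def script_filled_params(fragments, comment)
  { FIELD => fragments.join, "comment" => comment }
end

# Constant-time comparison, so the check does not leak how much of the key matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Postback: accept or say why the submission was refused.
# Assumption: the key is single use, so a replayed form fails.
def check_submission(session, params)
  expected  = session.delete(:form_key)
  submitted = params[FIELD].to_s
  return :no_session_key if expected.nil?    # no session cookie, or key already used
  return :no_script_key  if submitted.empty? # script never filled the hidden field
  secure_equal?(expected, submitted) ? :accepted : :key_mismatch
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  fragments = render_form(session)
  puts check_submission(session, script_filled_params(fragments, "hello")) # script and cookies on
  puts check_submission(session, script_filled_params(fragments, "hello")) # same form replayed
  render_form(session)
  puts check_submission(session, { "comment" => "no script" })             # script off
  puts check_submission({}, script_filled_params(fragments, "no cookie"))  # session lost
end
```

Distinguishing a missing session key from a missing script key lets the error page name the setting that is actually blocking the visitor.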



Reader Comments

  1. Xendo Lord of Destruction 7 months ago

    Yes, javascript is a required part of AJAX and so therefore a required part of Web 2.0. If you don't like javascript too bad.

  2. Chris 7 months ago

    I'm browsing with the NoScript extension and happily so. It keeps away a lot of annoyances of so-called modern web sites for me (Right now I have 6 domains permanently allowed to run Javascript).
    I temporarily allowed your site just to post this comment but normally I'd just *not* comment if I'd have to do that. This was an exception because it's on-topic :-)

    Update: Trying to post this comment showed me once more why bad use of Javascript is annoying. Your web site gave me the "You must have Javascript..." error message even though I *did* have it enabled. Guess I need to enable cookies too.
    Another annoyance: Using back to go back to this page 'closed' the Add a Comment section again, I had to open it (and was worried it would have deleted the text I entered before).

    Summary: Don't do it.

  3. Pixel

    Sorry, but I find this an extremely poor idea for at least three reasons. I could probably come up with more if I wasn't sleep-deprived.

    * NoScript is a popular Firefox extension that blocks Javascript from all websites not on a whitelist. You shouldn't make NoScript users unblock your site for standard HTTP functionality like submitting a form; it should be reserved for more advanced functionality. Obfuscating the Javascript is only going to make NoScript users even more paranoid.
    * Text-based and mobile browsers often don't have JavaScript support. Believe it or not, the former group of software is still used (though largely by Linux users having graphics issues).
    * As security, it reminds me of DRM: it places the duty of protection in the hands of the enemy. This means that in the long term, it will be even less effective than CAPTCHAs. If this sort of spam protection becomes popular, spammers can simply integrate a JavaScript runtime like SpiderMonkey into their spiders (or even write a new spider as an extension to a web browser).

    Feel free to email me if you'd like an argument.

  4. Daniel Fischer 7 months ago

    As an argument to those with NoScript, you're the only users that would comment on this blog anyway. You downloaded NoScript knowing that you'd have to whitelist certain sites.

    I fully agree with this strategy.

    It's either a user that wouldn't comment on your blog in the first place, or it's a high-tech-security-freak-geek who has to take 5 seconds to add your site to their JS whitelist. :)

  5. Chris 7 months ago

    Daniel Fischer: So you think it is a good strategy to annoy those who you're targeting? Interesting.

    BTW: This is my last comment here because I dislike sites who make me change my settings (enable cookies, temporarily allow JS). Now I'm certainly not a big loss for this site, I know :-)

  6. jacques 7 months ago

    Hey Chris. Thanks for taking the trouble to post. Much appreciated really! I'll go ahead and put your IP Address on a whitelist so you can post from now on without javascript enabled :-).

  7. Andrew 7 months ago

    Why not have the javascript degrade gracefully into an accessible captcha? You may not like them, but I'm sure those without JS would prefer that to not being able to post at all.

  8. Pratik 7 months ago

    Check out http://github.com/rsl/acts_as_snook/tree/master

  9. Lucas 7 months ago

    "Why not have the javascript degrade gracefully into an accessible captcha?"

    What he said.

  10. Pixel

    I use Konqueror for my browser and your form doesn't seem to work. I guess that's another downside to javascript -- cross browser compatibility. Should it work in Konqueror? Safari? Firefox 1.5? 1.0? IE 5?

    I imagine it depends on your audience. If your web site is all about the new web 2.0 JavaScript hotness, it seems fair enough to impose what you're preaching on the visitors.

    In the past I used a text field called 'url' that was hidden via CSS. If someone put content in there, I assumed they were spam. It was surprising at the time how much that helped. Who knows if it still would.

    All that said, I don't cry too much if I need to do something in JavaScript. People are grown-ups and it's just how the web is now. I'm sure most people understand it. I just make sure I really do need to do it in JavaScript and it is really adding something that only JS can add.

  11. Gavin 7 months ago

    Web developers have their hands full enough dealing with cross-browser HTML/CSS compatibility. Honestly, when and where are we going to draw the line with this nonsense?

    I know that one of the intrinsic benefits of the web is that you can access it from pretty much any networked device on this planet, but we've reached the point now where innovation is butting heads with client compatibility. I'm sorry, but we should be developing for functionality over cross-browser compatibility. Javascript brings so much to the table and allows hardcore web-apps to truly bridge the gap between web 2.0 and normal desktop apps. There is no reason you shouldn't utilize quality software just because you're worried people with the NoScript extension can't access it.

    Hey, here's a note to everyone with the NoScript extension installed: stop bitching about having to whitelist sites that you want to comment on. You made the decision to install a ridiculous extension and YOU decided to use a sledgehammer when a ball-peen hammer would do. Just make sure you install the NoHyperText extension too, so we never have to hear from any of you again.

  12. Warren W. 7 months ago

    Have you looked at Ryan Bates' plugin for Akismet (http://www.railscasts.com/episodes/65)? It makes hooking comment forms up to Akismet very simple...

  13. jacques 7 months ago

    Yeah, I think the problem is I didn't look hard enough for a better solution. I really like Pratik's plugin, maybe as a makeshift solution that can be replaced with akismet later on.

    Going to strip this plugin off the site tonight. Turns out that hijacking the rails request processing causes more headaches than just making the site inaccessible to non-javascript enabled users.

  14. Pixel

    sorry Jacques I haven't read all the comments but

    why not display CAPTCHAs only for those with javascript disabled?

  15. Jim Neath 7 months ago

    As Pratik mentioned, the Snook way of doing things is pretty good. I've not actually tried acts_as_snook yet but I did create my own filters following some of the rules from:

    http://snook.ca/archives/other/effective_blog_comment_spam_blocker/

    I added a few of my own rules as well. It's been quite effective since we've been using it. You can tweak the rules as you go along to catch anything that's still getting through.

    I totally agree with your strategy as well Jacques. It's also about time to shun IE6 (I couldn't give a hoot if xx% of people are using it. They don't deserve internets.)

  16. Ethan 7 months ago

    Well I browse the Web with a Victrola and I request, no, demand, that you code your site to support wax cylinders. Otherwise, you're being "annnoying."

    On a related topic, I also ride a horse and I'm appalled that gas stations don't provide a bag of fresh oats at each pump, and a brush and hoof pick next to the squeegee.

  17. Pat Nakajima 7 months ago

    Hey, if I were you, I'd use Defensio for comment spam protection. There's a great plug-in that makes implementation a snap. I've found it to be much more accurate than Akismet as well. If you're looking for an example to get you started, my open source blog uses it. You can check out the code here: http://github.com/nakajima/aintablog/tree/master.

  18. jacques 7 months ago

    I got rid of the Javascript plugin and switched to Defensio. Unfortunately that Rails plugin for it is kind of a piece of crap. Seems to work, but causes all sorts of problems on dev mode.

    I'll keep it for a while but probably will just end up switching to Pratik's plugin or a stupid math captcha.

  19. Radar 7 months ago

    Seems kind of pointless to not have Javascript turned on nowadays. I think it's incredibly stupid to have an option to turn it off, I would compare it to asking for a cheeseburger without cheese. Web 2.0 needs javascript and if you're not willing to use it too bad. Go use elinks.

  20. Tyler 7 months ago

    This is a bit late, but...

    I actually use noscript, but more so just as an immediate means of protection... If I'm jumping around the web looking for something, I can often run into something that I don't want without realizing it for awhile because it's in a background tab. Noscript just keeps sites from cluttering my computer with cookies, and running a million javascripts in the background.

    It's pretty easy to just hit "allow" or "temp allow" when you are pretty sure that it's not gonna be the end of the world, and tada, you can utilize the site as intended.

    But I know there's a lot of you out there that (like a friend of mine) believe that the internet really is out to get you, and have to block EVERYTHING... seriously... get out of the white room :)

  21. Andrew Nesbitt 6 months ago

    Not everyone can use normal web browsers (screen readers etc) that support javascript properly, discriminating against them just because you're too lazy to install other spam protection is pretty harsh.

    And not forgetting that it's illegal to have an inaccessible website in a lot of countries (http://www.w3.org/WAI/Policy/)

  22. Danimal 6 months ago

    What's interesting to me is people getting wrapped around the axle because of "discriminating" against certain categories of users. WTF? Since when am I, the owner and maintainer of XYZ web space, REQUIRED to pander to anyone? It's my site... my "property" if you will. If I choose to make it ultra-inaccessible, that's my right.

    It may be extremely foolish, but it's still my right.

    Ultimately, as a web designer, it's foolish to spend more than a passing thought or effort to meeting the last 5% or 1% of accessibility. For example, adding in support for NS4 or really old IE or such. Unless your site really hits those demographics, you are spending time and effort (which equals $$ for most of us) on something that is statistically irrelevant.

    So maybe the question is more a matter of: what is your audience? And how do they consume your site? And if less than 1% uses XYZ then don't spend time kowtowing to XYZ.

    Anyway, that's my take. Calling someone "too lazy to install something" and implying that they are intentionally being harsh toward a specific demographic... Sounds like someone with an axe to grind. If we take that philosophy to the extreme then we should all program to the least common denominator. No javascript, no flash, no cookies, no pngs, heck, no images! (let's write lynx-compatible sites only!)

    And it just don't work that way.

    If you do have the time to meet the needs of XYZ, then do it. But it's a ROI calculation, not a "don't be lazy or harsh" calculation.

    Sheesh!

    -Dan (who will now go back to his 99% work and hope the 1% aren't angry enough or organized enough to "storm the castle". *grin*)
