The JavaScript problem

15 Sept 2015

The JavaScript problem? There's a problem with JavaScript?? <sarcasm>But it's perfect!</sarcasm>

I know, I know. You say, "But your website almost certainly relies on some JavaScript for functionality!" Correct, and this is mainly caused by my decision to implement a web version of Google's Material Design through materialize.css – it's purely for aesthetics, and is used to do what it was meant for: document manipulation. I try to avoid using JavaScript unless it is absolutely necessary. Regardless, this is not what I'm getting at.

JavaScript. It's an inherent part of the modern web. Many websites rely on it for functionality, including this one. There really is a problem with it though, or rather a problem with its usage: it's used for everything, even when inappropriate, especially when inappropriate.

These days the web is riddled with websites that use and abuse JavaScript to an extent where, if you are like me and are choosy about which scripts you allow to run[1], using the internet becomes very difficult without it. And I'm sure, if you aren't, and you allow scripts to run rampant, then your web experience slows right to a crawl on some sites, and your privacy is constantly at risk.

"Why are you so uncomfortable with running these random scripts from the internet that load with every page you could ever want to visit?", you ask, "They're harmless."

Well, unknown reader of this blog post, the fact is that they are not harmless. Many scripts are externally sourced, often proprietary or obfuscated code that can do a number of things to your privacy, your security, and your personal computer. Popular analytics services for instance; these scripts grab personal infortmation such as your current location, your device information, information stored in browser cookies, and then conveniently package them up (often with a unique user ID to identify you and your browser) to track you and your browsing habits.

What web site maintainers need all this information for is beyond me, you'll find no JavaScript tracking on this website. It is in fact, much easier and almost just as effective (and much less invasive) to simply check your web server access log if for whatever reason you feel like evaluating the traffic that goes to and from your server. It's super simple to do with the Nginx access log.

So part of the problem here lays in the fact that scripts you can't read are running without your permission to do things you don't need to be done. This part of the problem is almost solved in only using open source[2] JavaScript applications, though some harmful exceptions do exist, such as the free and open source Piwik Web Analytics service. Piwik at least can be configured not to collect any specific information about users, and rather may be simply used as a tool to benchmark how popular a given site is – but you have to trust any given stats nerd to also care about your privacy.

So what is there really to do then? You can't forgo JavaScript entirely in most applications. You shouldn't compromise your privacy by blindly running code every time your open your web browser. It's a conundrum. It's something I'm certainly going to give some thought over the next little while. For now, I'll stick to NoScript and selectively allow scripts that I trust.

[1] Please see NoScript for Firefox, and similar browsers.
[2] Please see LibreJS and Setting Your JavaScript Free.