Talking Them Out of Their Tinfoil Hats
Sharing Information and Options Helps Calm Site Owner and User Fears about JavaScripts
By BBoyd • Mar 24th, 2008 • Category: Articles, Featured
As general web users become more tech savvy, and security risks via scripting become more and more vicious, understandably more users are becoming wary of allowing sites with JavaScripts full access to their browser, and this is important for site owners and designers alike to consider. With the emergence of AJAX, using JavaScript is simply unavoidable to achieve the popular and interactive 'Web 2.0' effects that most users and site owners now want. So communication about the issues surrounding security, JavaScript, and user preferences…whether from designer to site owner or site owner to user, is vital. I am not a JavaScript developer, nor an expert on web security; but I have developed a few strategies to help calm fears from owners and users concerning JavaScripts on the sites I design.
When asked by a client about using JavaScript on their website, I explain that my take on using JavaScripts in your website is this:
- don’t make the core content of your site dependent on them without other options for the users blocking JavaScripts
- let users know that you understand their safety concerns about JavaScript and other scripting languages by giving them information about the scripts used on your site, and by including noscript messages explaining what is going on for users who turn them off
- use them to your heart’s content (properly) when they allow you to provide a better user experience
- And, be prepared for those few ultra-paranoid users who wrap their laptops in tinfoil and turn off ALL javascripts, regardless of the source…because these are often the people with too much time on their hands, and they are the ones who write letters.
I have also taken to adding a separate page/section/category about the technology that drives the site to almost any website I work on…much like this example, which you are free to copy and use as you wish. It generally includes information about the coding languages used, the CMS if any, the validation status, accessibility information, the domains that will require permission of some sort (such as for JavaScripts), how to turn on JavaScript and Clear Cache in various browsers, and other security information; and it’s generally linked in the noscript information and referenced in the footer and/or the site’s privacy policy/TOS. Doing this serves a few healthy purposes.
First, it lets site users know that the site and the business or person behind the site are aware of their security concerns. Second, it gives the user actionable information (for example: “To use the gas widget on our Tools page turn on scripts for http://gasbuddy.com.” lets the user decide if he wants to use the widget, and gives him its source so he can decide for himself if he trusts it), and thus more control over their experience on your site. These two things combine along with our noscript messages to help build user trust in the website even for users who don’t trust JavaScripts and may be wary of using any site with them. It also gives the site owner an easy place to reference if/when a user asks about a particular site feature or security issue. Sometimes I have to sneak it in because clients don’t think it’s necessary and may confuse people; or I just wait to publish it until they get two or three of those “Danger Danger Will Robinson!” emails about the JavaScripts on their site from a user and call in a panic thinking they have a bad website or that all users are seeing the site without the effects of the JavaScript. It helps to assure them more quickly if I am already prepared for the issue…it would do the same for me, in their shoes.
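One way to gather the "domains that will require permission" for such a technology page is to inventory a page's script tags. This is an added example, not code from the original article; `scriptInventory`, `permissionNotes`, the sample markup and the `example.com`/`example.net` hosts are constructed for illustration.

```javascript
// Constructed sample page: two first-party scripts, two third-party hosts,
// one inline script, and a noscript message pointing at the technology page.
const SAMPLE_HTML = `
<html><head>
  <script src="/js/menu.js"></script>
  <script src="https://www.example.com/js/gallery.js"></script>
  <script type="text/javascript" src='http://gasbuddy.com/widget.js'></script>
  <script src="//cdn.example.net/lib.js" async></script>
  <script>var inlineSetup = true;</script>
</head><body>
  <noscript><p>The gas widget needs scripts from gasbuddy.com.
  See <a href="/technology">our technology page</a>.</p></noscript>
</body></html>`;

// Classify every <script> on a page as first-party, third-party or inline.
function scriptInventory(html, pageUrl) {
  const page = new URL(pageUrl);
  const external = new Set();
  let firstParty = 0, inline = 0;
  const tagRe = /<script\b([^>]*)>/gi;          // opening tags only
  // src value may be double-quoted, single-quoted or unquoted.
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = srcRe.exec(m[1]);
    if (!src) { inline++; continue; }           // no src: inline script
    const raw = src[1] ?? src[2] ?? src[3];
    let host;
    // Resolve relative and protocol-relative URLs against the page URL.
    try { host = new URL(raw, page).hostname; } catch { continue; }
    if (host === page.hostname) firstParty++;
    else external.add(host);
  }
  return {
    firstParty,
    inline,
    externalHosts: [...external].sort(),
    hasNoscript: /<noscript\b/i.test(html),     // is there a fallback message?
  };
}

// Draft one line per third-party host for the technology page.
function permissionNotes(inv) {
  return inv.externalHosts.map(
    (h) => `Turn on scripts for ${h} to use the features it provides.`);
}

console.log(scriptInventory(SAMPLE_HTML, "https://www.example.com/tools"));
```

The regular expressions are adequate for a site owner auditing their own templates; scripts injected at runtime by other scripts will not appear in the static markup and have to be checked in the browser.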
Still, some site owners are very concerned about the possibilities of losing a viewer due to user concern about scripting, or to the viewers with JS turned off thinking the site is bad or broken, and should be (to a degree). We want to ensure all users have a good experience. But we also don’t want to lose out on the benefits of emerging techniques by avoiding scripts altogether. Most users don’t disallow all scripts regardless of the site they are visiting, and many aren’t aware of JavaScripts in sites they visit at all. There are some who turn them off as a blanket policy, and addressing these users is fairly simple.
This is what I tell clients regarding users turning JavaScript off altogether. First, I explain why JavaScript can be dangerous, and share some general info about scripting with them, such as this Wikipedia general entry about JavaScript, usually also pointing out the security information in the article. Then I explain why allowing JavaScripts from (only) trusted sources is not (as) dangerous; and also point out that many programs other than web browsers use JavaScript, such as Yahoo Instant Messenger, or any program from the Adobe Creative Suite (PhotoShop, Dreamweaver..), to name a few. And I show where we’ve put specific information and instructions for users to learn how to turn JS on for their domain and download browsers or tools that let them control how JavaScripts are handled. I show them what their site looks like and how well it works with the JavaScripts turned off, and make sure they are happy with the result. I discuss the options for removing the JavaScript, how its functionality could be reproduced, or whether it could be done without altogether; and the pros and cons of each solution.
And then I finish with this and let them decide…. In my mind, if a user is tech-savvy enough to know that JavaScript can be bad, he should also be tech-savvy enough to know that always turning ALL JavaScripts off, even for trusted websites that they use every day, is ridiculously silly. Akin to throwing away your television and never watching any, ever again, because some television is mindless. Or it’s like never wearing green because you saw someone who wore green get hit by a car. And it plays into the hands of those exploiting the vulnerabilities. Why bother creating fixes for insecure code if users disable the code and designers create custom designs to deal with it instead of demanding secure products? The number of these kinds of site users is unclear, but I believe they are in the minority for most websites. And I also believe that if a user has turned off ALL JavaScripts and expresses discontent at their use on your website, that
- you as a site owner are not going to be able to convince that user that scripts on your site are safe
- this user is accustomed to and has chosen to see a broken web; your site is just one of many which won’t display in full for them
- it is not your responsibility as a site owner to educate all consumers about web safety (unless your website is about web safety, etc.), or to cater to each and every user on the web and their different security and/or browser configurations; but to provide usable options for most of them.
We do our best to serve these kinds of site users a complete, nice looking site anyway, let them know unobtrusively that they are missing out on script content and give options for what to do about it, and move on. Hopefully.
BBoyd is a 33 year old freelance web designer, webmaster, and jill-of-all-trades. A proud Austinite, a single mom of an almost college age daughter, and a creative, crafty, geeky type. Also, a bit silly.
