Ask Leo!

Is Javascript dangerous?


Summary: JavaScript is becoming more and more common on web pages, but some security experts prefer to leave it disabled. I look at why, and one great alternative for Firefox users.

I've been using NoScript recently. It's an add-on for Firefox that only allows JavaScript to run on sites after I've specifically agreed to allow that to happen. I've started doing this because I've read that running untrusted JavaScript from every site you visit online increases your security risk online. Do you think I'm overdoing it? What are your thoughts on the topic of allowing any site I visit to run JavaScript on my machine?

Well, I actually believe that JavaScript is relatively safe. Not perfectly safe - nothing is - but safe enough.

Having said that, I should tell you that I also run NoScript.

Let's look at what that all means.

JavaScript is a programming language. What makes it special is that almost all web browsers support JavaScript programs (or program fragments) embedded in web pages.

If you read that carefully you'll realize that this means a web page - any web page - can now include a computer program. Rather than just displaying text and pictures, web pages can now "do" things. A popular example is GMail's web interface, which makes heavy use of JavaScript to present a very complete and functional email program - all in a web page.

Now, JavaScript operates in a "sandbox" - meaning it can only operate within that sandbox, and not outside of it. JavaScript is an interpreted language, which among many other things means that each operation a JavaScript program attempts to perform can be restricted by the JavaScript interpreter. In theory, and in practice most of the time, this prevents a JavaScript program from doing anything harmful to your computer.

In other words, JavaScript is safe.

However, as we all know, all software has bugs. This holds true for the various implementations of JavaScript, as well as the browsers that JavaScript runs in. Some of those bugs can, when discovered, be exploited to bypass the sandbox, or to perform other malicious actions on your machine.

The good news is that it's very rare. And once again, as long as you keep your computer up-to-date with the latest patches and versions of the operating system, browser and JavaScript interpreter, you're likely quite safe. That's actually how I run most of my other machines.

However, after learning about NoScript, I decided to give it a try. Exactly as you say, it enables JavaScript on a site-by-site basis, depending on what you tell it. If you visit a site that you haven't OK'ed, NoScript tells you, and the JavaScript programs that might be on that page do not run. The result is that some web sites simply don't work, while others might only work partially. The point is that you now have the choice of whether or not to enable JavaScript for each site you visit.

An interesting side effect is that much advertising relies on JavaScript, and if you turn JavaScript off a lot of advertising just disappears. In fact, if you visit Ask Leo! with JavaScript disabled, you'll not see much of the advertising that supports this site. On other sites you may enable JavaScript for the site in question, only to be told that other domains that site references are still blocked - often because those other domains are used to present some of the ads or content on the original page.
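The site-by-site behavior described above, including other domains staying blocked after you allow the site you are visiting, can be modeled in a few lines. This is an added example, not code from the original article or from NoScript; the hostnames are constructed, and the rule that an allowed domain also covers its subdomains is an assumption of this simplified model.

```javascript
// Simplified model of per-site script allowlisting (not NoScript's own code).
// All hostnames below are constructed examples.

// True if host equals an allowlisted domain or is a subdomain of one.
// The leading "." stops "notnews.example" from matching "news.example".
function hostAllowed(host, allowlist) {
  return allowlist.some((d) => host === d || host.endsWith("." + d));
}

// Decide, for each script on a page, whether it may run.
// scriptSrcs holds src attribute values; null means an inline script,
// which is attributed to the page's own host.
function scriptDecisions(pageUrl, scriptSrcs, allowlist) {
  const pageHost = new URL(pageUrl).hostname;
  return scriptSrcs.map((src) => {
    // Relative URLs resolve against the page, so they belong to the page host.
    const host = src === null ? pageHost : new URL(src, pageUrl).hostname;
    return {
      src: src === null ? "(inline)" : src,
      host,
      allowed: hostAllowed(host, allowlist),
    };
  });
}

// Distinct hosts whose scripts are still blocked under the current allowlist.
function blockedHosts(decisions) {
  return [...new Set(decisions.filter((d) => !d.allowed).map((d) => d.host))];
}

const page = "https://news.example/article.html";
const scripts = [
  null,                                    // inline script in the page
  "/js/site.js",                           // same-site, relative URL
  "https://cdn.news.example/player.js",    // subdomain of the site
  "https://ads.adnetwork.example/show.js", // advertising domain
  "https://notnews.example/track.js",      // look-alike, different domain
];

// First visit: nothing is allowed, so nothing runs.
console.log(blockedHosts(scriptDecisions(page, scripts, [])));
// After allowing news.example: the other domains remain blocked.
console.log(blockedHosts(scriptDecisions(page, scripts, ["news.example"])));
```
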

And of course, blocking JavaScript from sites you haven't explicitly trusted does protect you from any attempts at malicious behavior, whether or not they could actually succeed.

My bottom line is this: running with JavaScript enabled is not that scary a thing and many, many sites now require it for full functionality. If you're at all concerned, or just want to turn off some of the content that it implies, NoScript is a fine approach for Firefox users to take control.

Article 10874 | Posted November 1, 2006

Recent Comments

But how do we know that "NoScript" is actually safe itself? Thanks,

Posted by: Jeff at September 13, 2007 5:09 PM

Interesting and concise. Thank you.

Posted by: Smite man at November 15, 2007 2:09 AM

I say that you leva these problem because I see that you don't know more from javascript >:P

Posted by: SZEBI at January 15, 2008 12:02 PM
