The <Noscript> Element as a Trap

The <Noscript> Element as a Trap(hacktivis.me)

16 points by speckx 3 days ago | 15 comments

perilunar 7 hours ago |

I think this is overblown. <noscript> works fine for simple things like "this page requires javascript" messages. Of course it doesn't work when scripting is enabled but scripts fails to load for some reason.

The WHATWG recommendation:

  it's generally better to avoid using noscript, and to instead design
  the script to change the page from being a scriptless page to a
  scripted page on the fly,

is fine as it is, but changing the page after scripts load can potentially mean seeing the no-script content briefly (FOUC - Flash of Unscripted Content). Putting the message in a <noscript> tag avoids that.

sidewndr46 2 hours ago | |

I think the viewpoint in the article could be summarized as "noscript is not Turing complete and thus cannot solve all problems with javascript"

account42 5 hours ago | |

> is fine as it is, but changing the page after scripts load can potentially mean seeing the no-script content briefly (FOUC - Flash of Unscripted Content). Putting the message in a <noscript> tag avoids that.

These days you can use CSS to only show the message after a short delay.

But the majority of websites have no business actually requiring JS so the W3C recommendation is the only one that matters.

sureglymop 9 hours ago |

I'd much rather have something that behaves like:

    <if js is available>
      ...
    <else>
      ...
    <the closing tag i guess/>

perilunar 7 hours ago | |

Is that really any simpler or clearer than:

  <script>
    ...
  </script>
  <noscript>
    ...
  </noscript>

CodesInChaos 7 hours ago | |

I think something like:

    <script src="..." id="bla></script>
    <noscript for="bla">Script not loaded</noscript>

Would be more flexible, and would be consistent with how labels, datalists, etc. are linked to their element.

creatonez 11 hours ago |

Indeed, <noscript> doesn't show just because the page didn't properly load the scripts in the page. It's not a fallback for errors, it's a fallback to serve users who deliberately disabled Javascript. This is a rare scenario these days, but it does get displayed when you disable JS in Tor Browser, use the disable Javascript button in uBlock Origin (I personally use this to whitelist javascript per-domain), or use various other extensions like NoScript. This is dependent on the implementation, though. In theory some crappy browser extension could provide JS disabling functionality otherwise identical to tor/ublock/noscript but forget to display <noscript>s, but I haven't heard of implementations that are like this.

Either way, make sure you have something sensible to display for all scenarios, even if it's just an error page. Mysterious blank pages are not fun.

account42 5 hours ago | |

> In theory some crappy browser extension could provide JS disabling functionality otherwise identical to tor/ublock/noscript but forget to display <noscript>s, but I haven't heard of implementations that are like this.

Any no-JS extension worths its salt should actually at least provide an option to ignore <noscript> as some websites that would otherwise work perfectly fine without JS use it maliciously.

account42 5 hours ago |

As far as error handling goes, <noscript> is still far from the worst even with these limitations.

The most infuriating one is when the javascript deletes the entire page content to show an error message due to some exception. Doubly so when the failing functionality is only used for tracking or some other unwanted "feature".

antonvs 13 hours ago |

FTA:

> “One of the few traps of the web”

…for some large value of “few”

sublinear 12 hours ago |

> Because the problem is, JavaScript can fail to load in several ways. Here's a non-exhaustive list of cases...

The author answered their own question. In even the best effort case, noscript is the fallback.

I'm not even sure what they expect the website maintainer to do for most of that list. If they knew themselves, they would have put it in the blog post. Is this instead a call to draft new w3c specs or revisions? What am I misunderstanding? For a site that has "hacktivism" in the domain name, whining like this is a bad look.

DanHulton 12 hours ago | |

I think you're missing the part where they quote the recommendation from the HTML spec:

> For this reason, it's generally better to avoid using noscript, and to instead design the script to change the page from being a scriptless page to a scripted page on the fly

That seems perfectly reasonable for modern sites and browsers to be able to do. `noscript` is effectively a relic from older days where you just didn't have the same budgets, tools, and browsers as today, where you couldn't seamlessly enhance the site how you can now. We shouldn't continue to use it in the same way we shouldn't continue to use `marquee` or `blink`.

bawolff 11 hours ago | | |

I feel like <noscript> does a fine job at what its meant to do. The article's complaint is that it isn't magic and can't solve all problems, but nothing can.

sublinear 3 hours ago | | |

No, I didn't miss that part. It's irrelevant to my point.

The noscript tag is just a way to conditionally display some HTML. There's no reason to avoid using it unless you are deeply entrenched in a pseudoreligious fight against javascript.

It really is just whining.

> didn't have the same budgets, tools, and browsers as today, where you couldn't seamlessly enhance the site how you can now

I'm sorry, but... what?