Recently at another forum there was a user was hacking other user’s accounts and causing them to get banned. Out of fear of being attacked, someone suggested installing NoScript extension if you’re using Firefox, since the hacker works by using XSS (Cross-Side Scripting) to pass on your private information. The extension effectively discriminates JavaScript and Flash files to prevent such attacks.

NoScript isn’t new to me, and I’m aware of what it is used for, but I never really felt the need to have it installed until now, since I wouldn’t want to risk an account that might be impossible to recover. With that said I installed it yesterday and then realized it’s annoying as it is secure.

Almost every major site uses some JavaScript these days and more than often uses scripts from multiple domains. The first time I went back to visit YouTube, FaceBook, or just about any site that uses Flash or fancy scripting tricks, the NoScript bar appears on the bottom of the window. It will let you know if you want to allow scripts from that site and ever single other site it’s pulling in. And you have to select them for every single site you visit. And I do mean every single site. “Allow scripts from www.google-analytics.com”… that’s gonna look bad for anybody using Google for stat tracking! I suppose this is why a lot of websites’ Analytics numbers are conservative when compared to other systems like AWStats or Webalizer. You only have to this checking the first time you visit a site, but if you’re like me and like blog hopping and social network jumping, the nagging NoScript bar will get on your nerves.

As a developer, it makes me wonder about potential NoScript visitors coming to your sites. Will many of them leave your site if they see the annoying bar appear at the bottom? You’d be quite surprised at how many elitist web junkies turn down a site because it’s not compatible with NoScript. You say you won’t use Flash anyways? This isn’t 1998…every major browser comes packed with a Flash player. Personally, I can live without developing any Flash content, but not JavaScript. JavaScript makes so many subtle tasks easier to accomplish for the end user, and some are near impossible or impractical without it.

I like NoScript as an idea, but its execution needs to be less invasive and more flexible. If you already know the malicious script sources, it would be better to create a blacklist for those websites, rather than whitelisting sites as you browse along. Personally I have never gotten a XSS attack from any website or forum I’ve visited, and most of the time you can avoid them if you know how to avoid phishing scams.

If you want to use NoScript, you also have to know what kinds of sites are most unsafe to visitors. These websites would be ones where anyone is allowed to upload any type of content. Any place that lets you freely inject Javascript into webpages will be a big red flag, so yeah, that means you, MySpace. I know some message boards that are very strict on text output and don’t even allow hyperlinks. But even if one tag is allowed, if not validated properly it can be modified with attributes to produce unwanted results.

So with XSS becoming the latest web security concern and rise in popularity of NoScript, where will that leave Javascript developers? The ones that aren’t “evil”, that is. We should not let some bad seeds ruin the experience for everyone. With any development tool, you will have your share of abusers. Not too long ago Flash was being used inappropriately by creating awkward user experiences, and we have seen a backlash towards it. But Javascript goes beyond mere annoying effects and can be used to corrupt or steal important data. The most effective counter-measure developers can take is to improve their input validation techniques. I think Javascript can have a good future. If Javascript is the new Flash for user interaction, I hope it will be supported for years to come.