JavaScript: Difference between revisions

JavaScript
Basic Information
Release Year	1995
Product Type	Software
In Production	Yes
Official Website	https://tc39.es/ecma262/multipage/

← Older edit Newer edit →

VisualWikitext

Revision as of 14:51, 18 March 2026

❗Article Status Notice: Inappropriate Tone/Word Usage

This article needs additional work to meet the wiki's Content Guidelines and be in line with our Mission Statement for comprehensive coverage of consumer protection issues. Specifically it uses wording throughout that is non-compliant with the Editorial guidelines of this wiki.

Learn more ▼

JavaScript (JS) is a programming language and core technology of the Web, alongside HTML and CSS. It was created by Brendan Eich in 1995.^[1] As of 2025, the overwhelming majority of websites (98.9%) uses JS for client-side webpage behavior.^[2] It's even used on the server-side (see Node.js).

Consumer-impact summary

Forced requirement: Many webpages (and even entire websites), force the user to keep JS enabled, otherwise they break or deliberately refuse to work. In 2026, considering the advancements in HTML and CSS technology, there is minimal reason why an average website (excluding real-time simulations and low-latency gaming) would ever need JS. The only valid justification are legacy code-bases, as those are impractical to migrate to no-JS solutions.
Degraded accessibility: Dynamic and/or active content is well-known to have poor accessibility for users with visual and/or cognitive impairments. While standards such as WAI-ARIA were created to mitigate this, it's no silver bullet, especially when developers aren't aware of ARIA.
Lack of transparency: To optimize network bandwidth, JS code is typically served in minified form, which makes it harder to understand for humans. This is particularly problematic if the original source is not publicly available, which is typically the case of proprietary software.
Excessive tracking: JS is much more capable than HTML and CSS combined to track user behavior, because of its first-class access to user-agent (UA) APIs.^[3] JS can communicate with almost any server (only limited by CORS) at any time (limited by connection availability), using a plethora of protocols. JS can get hardware information and compute a fingerprint of the device, user, or both.^[4]^[5]^[6]
Targeted ads: JS makes it harder for ad-blockers to block ads, since it can be used to make overly-dynamic ads. The data collected by malicious JS makes it trivial to serve personalized ads, even across unrelated sites.
Market control: JS (alongside Wasm) are built into almost every web-browser and UA, including "light-weight" ones (such as w3m). Incentivizing companies to use it for everything, since "there's no need to worry about compatibility or portability". Some people say that JS shouldn't even be a Web Standard,^[7]^[8] implying that it should be an extension or plug-in (such as Java Applets and Adobe Flash) the user willingly installs; this would reduce the incentive to use JS, as there's no guarantee the user has it.
Security risks: JS is well-known for being a poorly-designed tool.^[9]^[10]^[11]^[12] This leads to programmers and even experienced software-devs to accidentally add vulnerabilities to their code. That, and the fact that JS is Turing-complete (both in practice and in theory) is a recipe for disaster, as it makes debugging and reverse-engineering impractical in big code-bases. It's worth noting that tooling, such as TypeScript and ESLint, exist to substantially minimize the likelihood of bugs.

How it works

Whenever a user visits a webpage, an average web-browser will execute the JS code it finds in <script> tags. This code could do anything from updating part of the page only when the user requests it, to showing a popup/popunder.

When JS tries to access a "privacy-sensitive" Web API (such as the microphone) the browser pauses it until the user has granted access to that API. This is typically done on a per-domain basis. However, as mentioned earlier, many other APIs don't need to ask permission before fetching data.

Why it is a problem

Expanding on the security risks, these are the most common vulnerabilities found in JS code:

XSS, which NoScript tries to mitigate
Arbitrary code execution and code injection. Typically caused by eval (part of the ECMAScript spec), but there are Web APIs (such as setTimeout and setInterval) that can be misused as well.
Remote code execution. This is used by hackers and crackers to build bot-nets for DDoS or crypto-mining, but it's mostly used for spyware since it can hide more easily.

Browser-engine developers (such as Google and Mozilla) not only feel compelled, but are economically incentivized to optimize JS to its limits.^{[citation needed]} This leads to complex code-bases that are harder to verify for correctness. Browser vendors attempt to solve this via sandboxing. Unfortunately, since modern browsers compile JS to native CPU code (see JIT) to improve performance, this introduces a higher risk of sandbox-escape, as the code can more easily find vulnerabilities to manipulate the engine.

Incidents

This is a list of all consumer-protection incidents related to this technology. Any incidents not mentioned here can be found in the JavaScript category.

Google Search requires JS (2025)

In January 2025, Google's web-search engine mandates that user-agents must have JS enabled. Google's justification was that it's a defense mechanism against abusive bots (see also Deceptive language frequently used against consumers).^[13]^[14]^[15] However, some people claim that it's an invalid justification.^[16]

Benefits

It's worth noting that, while JS is trivial to misuse and abuse, JS can enhance the user-experience (UX). The World Wide Web Consortium (W3C) provides comprehensive guidelines for such purposes.^[17]

External links

LibRedirect explaining why it exists, and how Google Chrome's MV3 limits it
Google being anti-competitive towards Firefox: https://github.com/uBlockOrigin/uBlock-issues/discussions/3240
Meta refusing to serve content to noscript users, and deliberately nagging them to install the app or login: https://github.com/Rudxain/uBO-rules/pull/9
Websites that nag users to enable JS, even when it provides negligible value
Discord being extremely bloated to the point of crashing when opening Developer-tools: https://github.com/Rudxain/uBO-rules/blob/42220bd4f80052ee15136dff7269df19529c43ec/rx.ubo#L3-L19. This is not the fault of bloated JS, it's likely a bloated DOM-tree, but discord only bloats the DOM when JS is enabled.
"Enough with the JavaScript already!"
"Maybe we could tone down the JavaScript"
"You don't need JavaScript for that"
"You really don't need all that JavaScript, I promise"
"Progressive Enhancement Still Important"
"Everyone has JS, right?"
"Shipping a button in 2026…", by Kai Lentit. This illustrates the burnout and fatigue software developers can experience on a daily basis
HTMX developer advocating for less JS
"Web Obesity Crisis"
"How web bloat impacts users with slow connections"
JS bloat (2024)
How JS makes web apps more unstable
GNU/FSF explaining why JS takes freedom away
GNU/FSF explaining why "web apps" shouldn't exist. WARNING: contains overzealous claims! (according to Rudxain). Related: Local-first
"I Used The Web For A Day With JavaScript Turned Off"
More sources (TO-DO)

References

[1] ttps://exploringjs.com/es5/ch04.html

[deployedstats-2] "Usage Statistics of JavaScript as Client-side Programming Language on Websites". W3Techs. Retrieved 2024-02-27.

[3] ttps://clickclickclick.click/

[4] ttps://privacycheck.sec.lrz.de/

[5] ttps://abrahamjuliot.github.io/creepjs

[6] ttps://www.deviceinfo.me/

[7] ttps://daringfireball.net/linked/2017/06/22/navistone-form-data

[8] ttps://daringfireball.net/linked/2017/06/27/web-without-javascript

[9] ttps://github.com/denysdovhan/wtfjs

[10] ttps://github.com/brianleroux/wtfjs

[11] ttps://wiki.theory.org/YourLanguageSucks#JavaScript_sucks_because

[12] ttps://github.com/Rudxain/ideas/blob/aa9a80252a4b7c9c51f32eda5c716e96220ed96e/software/evar/with_bf.js

[13] ttps://techcrunch.com/2025/01/17/google-begins-requiring-javascript-for-google-search/

[14] ttps://daringfireball.net/linked/2025/01/18/google-search-javascript

[15] ttps://serpapi.com/blog/google-now-requires-javascript/

[16] ttps://blog.jim-nielsen.com/2025/javascript-required/

[17] ttps://www.w3.org/wiki/The_principles_of_unobtrusive_JavaScript

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

@@ Line 11: / Line 11: @@
 '''[[wikipedia:JavaScript|JavaScript]]''' ('''JS''') is a [[wikipedia:Programming_language|programming language]] and core technology of [[wikipedia:World_Wide_Web|the Web]], alongside [[wikipedia:HTML|HTML]] and [[wikipedia:CSS|CSS]]. It was created by [[wikipedia:Brendan_Eich|Brendan Eich]] in 1995.<ref>https://exploringjs.com/es5/ch04.html</ref> As of 2025, the overwhelming majority of [[wikipedia:Website|websites]] (98.9%) uses JS for [[wikipedia:Client_(computing)|client]]-side [[wikipedia:Web_page|webpage]] behavior.<ref name="deployedstats">{{cite web |title=Usage Statistics of JavaScript as Client-side Programming Language on Websites |url=https://w3techs.com/technologies/details/cp-javascript |access-date=2024-02-27 |website=W3Techs }}</ref> It's even used on the [[wikipedia:Server_(computing)|server]]-side (see [[wikipedia:Node.js|Node.js]]).
-==Consumer-impact summary==
+== Consumer-impact summary ==
 *'''Forced requirement''': Many webpages (and even entire websites), force the user to keep JS enabled, otherwise they break or deliberately refuse to work. In 2026, considering the advancements in HTML and CSS technology, there is minimal reason why an average website (excluding real-time simulations and low-latency gaming) would ''ever'' need JS. The only valid justification are [[wikipedia:Legacy_code|legacy code-bases]], as those are impractical to migrate to no-JS solutions.
@@ Line 19: / Line 19: @@
 *[[Personalized Ads|'''Targeted ads''']]: JS makes it harder for [[Ad block|ad-blockers]] to block ads, since it can be used to make overly-dynamic ads. The data collected by malicious JS makes it trivial to serve personalized ads, even across unrelated sites.
 *'''Market control''': JS (alongside [[wikipedia:WebAssembly|Wasm]]) are built into almost every web-browser and UA, including "light-weight" ones (such as [[wikipedia:W3m|w3m]]). Incentivizing companies to use it for everything, since "there's no need to worry about compatibility or portability". Some people say that JS shouldn't even be a Web Standard,<ref>https://daringfireball.net/linked/2017/06/22/navistone-form-data</ref><ref>https://daringfireball.net/linked/2017/06/27/web-without-javascript</ref> implying that it should be an [[wikipedia:Browser_extension|extension]] or [[wikipedia:Plug-in_(computing)|plug-in]] (such as Java Applets and [[Adobe]] Flash) the user willingly installs; this would reduce the incentive to use JS, as there's no guarantee the user has it.
-*'''Security risks''': JS is well-known for being a poorly-designed tool.<ref>https://github.com/denysdovhan/wtfjs</ref><ref>https://github.com/brianleroux/wtfjs</ref><ref>https://wiki.theory.org/YourLanguageSucks#JavaScript_sucks_because</ref><ref>https://github.com/Rudxain/ideas/blob/aa9a80252a4b7c9c51f32eda5c716e96220ed96e/software/evar/with_bf.js</ref> This leads to programmers and even experienced software-devs to accidentally add vulnerabilities to their code. That, and the fact that JS is [[wikipedia:Turing_completeness|Turing-complete]] (both [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical in practice and in theory]) is a recipe for disaster, as it makes [[wikipedia:Debugging|debugging]] and [[wikipedia:Reverse_engineering|reverse-engineering]] impractical in big code-bases. The most common vulnerabilities found are:
+*'''Security risks''': JS is well-known for being a poorly-designed tool.<ref>https://github.com/denysdovhan/wtfjs</ref><ref>https://github.com/brianleroux/wtfjs</ref><ref>https://wiki.theory.org/YourLanguageSucks#JavaScript_sucks_because</ref><ref>https://github.com/Rudxain/ideas/blob/aa9a80252a4b7c9c51f32eda5c716e96220ed96e/software/evar/with_bf.js</ref> This leads to programmers and even experienced software-devs to accidentally add vulnerabilities to their code. That, and the fact that JS is [[wikipedia:Turing_completeness|Turing-complete]] (both [https://gavinhoward.com/2024/03/what-computers-cannot-do-the-consequences-of-turing-completeness/#mathematical-vs-practical in practice and in theory]) is a recipe for disaster, as it makes [[wikipedia:Debugging|debugging]] and [[wikipedia:Reverse_engineering|reverse-engineering]] impractical in big code-bases. It's worth noting that tooling, such as [[wikipedia:TypeScript|TypeScript]] and [[wikipedia:ESLint|ESLint]], exist to substantially minimize the likelihood of [[wikipedia:Software_bug|bugs]].
-**[[wikipedia:Cross-site_scripting|XSS]], which [[wikipedia:NoScript|NoScript]] tries to mitigate
-**[[wikipedia:Arbitrary_code_execution|Arbitrary code execution]] and [[wikipedia:Code_injection|code injection]]. Typically caused by <code>[https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval eval]</code> (part of the ECMAScript spec), but there are Web APIs (such as <code>[https://developer.mozilla.org/en-US/docs/Web/API/Window/setTimeout setTimeout]</code> and <code>[https://developer.mozilla.org/en-US/docs/Web/API/Window/setInterval setInterval]</code>) that can be misused as well.
+== How it works ==
-**Remote code execution. This is used by hackers and crackers to build [[wikipedia:Botnet|bot-nets]] for [[wikipedia:Ddos#Distributed_DoS|DDoS]] or [[wikipedia:Cryptocurrency|crypto]]-mining, but it's mostly used for [[spyware]] since it can hide more easily.
+Whenever a user visits a webpage, an average web-browser will execute the JS code it finds in <code><script></code> [[wikipedia:HTML_element|tags]]. This code could do anything from updating part of the page only when the user requests it, to showing a [[wikipedia:Pop-up_ad|popup/popunder]].
-**[[wikipedia:Sandbox_(computer_security)|Sandbox]] escape. Modern browsers compile JS to native CPU code (see [[wikipedia:Just-in-time_compilation|JIT]]) to improve performance; this introduces a higher risk of sandbox-escape, as the code can more easily find vulnerabilities to manipulate the engine.
-About that last point, it's worth noting that tooling, such as [[wikipedia:TypeScript|TypeScript]] and [[wikipedia:ESLint|ESLint]], exist to substantially minimize the likelihood of [[wikipedia:Software_bug|bugs]].
+When JS tries to access a "privacy-sensitive" Web API (such as the microphone) the browser pauses it until the user has granted access to that API. This is typically done on a per-domain basis. However, as mentioned earlier, many other APIs don't need to ask permission before fetching data.
+== Why it is a problem ==
+Expanding on the security risks, these are the most common vulnerabilities found in JS code:
+*[[wikipedia:Cross-site_scripting|XSS]], which [[wikipedia:NoScript|NoScript]] tries to mitigate
+*[[wikipedia:Arbitrary_code_execution|Arbitrary code execution]] and [[wikipedia:Code_injection|code injection]]. Typically caused by <code>[https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval eval]</code> (part of the ECMAScript spec), but there are Web APIs (such as <code>[https://developer.mozilla.org/en-US/docs/Web/API/Window/setTimeout setTimeout]</code> and <code>[https://developer.mozilla.org/en-US/docs/Web/API/Window/setInterval setInterval]</code>) that can be misused as well.
+*Remote code execution. This is used by hackers and crackers to build [[wikipedia:Botnet|bot-nets]] for [[wikipedia:Ddos#Distributed_DoS|DDoS]] or [[wikipedia:Cryptocurrency|crypto]]-mining, but it's mostly used for [[spyware]] since it can hide more easily.
+Browser-engine developers (such as [[Google]] and [[Mozilla]]) not only feel compelled, but are economically incentivized to optimize JS to its limits.{{Citation needed}} This leads to complex code-bases that are harder to verify for correctness. Browser vendors attempt to solve this via [[wikipedia:Sandbox_(computer_security)|sandboxing]]. Unfortunately, since modern browsers compile JS to native CPU code (see [[wikipedia:Just-in-time_compilation|JIT]]) to improve performance, this introduces a higher risk of sandbox-escape, as the code can more easily find vulnerabilities to manipulate the engine.
 ==Incidents==
@@ Line 30: / Line 37: @@
 ===Google Search requires JS (2025)===
-In January 2025, [[Google]]'s web-search engine mandates that user-agents must have JS enabled. Google's justification was that it's a defense mechanism against abusive bots (see also [[Deceptive language frequently used against consumers]]).<ref>https://techcrunch.com/2025/01/17/google-begins-requiring-javascript-for-google-search/</ref><ref>https://daringfireball.net/linked/2025/01/18/google-search-javascript</ref><ref>https://serpapi.com/blog/google-now-requires-javascript/</ref> However, some people claim that it's an invalid justification.<ref>https://blog.jim-nielsen.com/2025/javascript-required/</ref>
+In January 2025, Google's web-search engine mandates that user-agents must have JS enabled. Google's justification was that it's a defense mechanism against abusive bots (see also [[Deceptive language frequently used against consumers]]).<ref>https://techcrunch.com/2025/01/17/google-begins-requiring-javascript-for-google-search/</ref><ref>https://daringfireball.net/linked/2025/01/18/google-search-javascript</ref><ref>https://serpapi.com/blog/google-now-requires-javascript/</ref> However, some people claim that it's an invalid justification.<ref>https://blog.jim-nielsen.com/2025/javascript-required/</ref>
 ==Benefits==
@@ Line 62: / Line 69: @@
 *[[Electron]]
-*[[Mozilla]]
 ==References==