Do y’all leave JavaScript enabled?

I used to see stats that said something like 10% of all people browsing the web didn't have JavaScript enabled. But these days, I suspect the percentage is much lower.

TSOR has turned up stats from early 2008 and early 2009 that suggest about 5% of visitors to various sites had JavaScript disabled back then. But it seems to me that even in the past year and a half there's been a significant increase in the number of sites that aren't especially usable without JS.

Anyway, in addition to wondering about the general issue, I'm specifically curious about whether people who read my blog on my site leave JavaScript turned on.

What sparked this question is that I'm still getting an awful lot of comment spam. Almost all of it gets caught by my moderation system (which sends all unauthenticated comments on old entries to moderation), but then I have to page through hundreds of spam comments a day to see whether any legitimate comments have been filtered. Sometimes I fall behind, and interesting or important comments languish in moderation for weeks.

I could start using a system like Akismet, but despite having heard good things about it, I'm reluctant to trust a spam-filtering system that I don't have direct control over. (This is entirely me being a control freak; I have no reason to distrust Akismet or any other antispam system.)

So I was thinking about hiding the comment form using JavaScript, and requiring that readers click a checkbox saying “I am not a spambot” to make the form appear.

And then it occurred to me that spambots probably generally don't have JS enabled. So I might be able to do JS detection and just not show the comment form to anyone who doesn't have JS enabled.

But if it turns out that some of y'all who comment on my site don't use JS, then that wouldn't be a good idea.

Note that if you comment on my entries on Facebook, this entry is irrelevant to you—I'm only talking about people who post comments directly on my site.

. . . I may just decide to try this out, as an experiment. So if you try to comment on a recent entry and no comment box appears, and you think it may be JS-related, drop me a note in email.

. . . Heh—Most of the way through writing this, I tried turning off JS in my own browser to see if I could still comment. But of course the Movable Type entry-writing system relies on JS for various things, including auto-save, and so I lost several sentences of this entry. Not a big deal; I restored them. But kind of ironically funny.

8 Responses to “Do y’all leave JavaScript enabled?”

  1. jacob

    I keep javascript turned on. I’m fairly security-conscious, but as you say, a lot of sites don’t work right anymore without it.

    It’s an issue I often run into professionally; generally the applications I develop have a public-facing component (say, students, or applicants) and an administrative component (say, the staff members of a particular office or department). I try to make the public-facing component degrade gracefully if you don’t have javascript, if I can. On the admin side I figure I can go hog-wild.

    Here’s a fairly recent article that says that the percentage of visitors to the Yahoo home page who have javascript disabled is around 1% (2% for U.S. visitors).

    reply
  2. jacob

    By the way: you might want to know that I saw the following error message at the bottom of the page as I previewed that last message:

    Fatal error: Cannot redeclare is_valid_email() (previously declared in /usr/www/users/logos/cgi-bin/mt423/php/mt.php:813) in /usr/www/users/logos/cgi-bin/mt423/php/mt.php on line 819

    reply
  3. irilyth

    I have Javascript conditionally disabled via NoScript, which is awesome.

    I continue to have trouble signing in to your site. Right now, I get an error “An error occurred: The sign-in attempt was not successful; please try again.”, which is not the usual error I get. (Usually it gives some cryptic error about PHP or MySQL or something (I forget which), but I am actually signed in, but I have to go back and re-click the link that got me there, because something has re-written the URL of the page I started on for some reason. If this sound baffling and incomprehensible, I find it so as well. :^p I don’t know any other site that does this, and can try to help figure out what’s going on some time if you’re curious; or not worry about it if you’re not, it’s not a big deal either way for me.)

    reply
  4. Anonymous

    Huh, right now when I load this page, it says “Fatal error: Cannot redeclare is_valid_email() (previously declared in /usr/www/users/logos/cgi-bin/mt423/php/mt.php:813) in /usr/www/users/logos/cgi-bin/mt423/php/mt.php on line 819” at the bottom.

    reply
  5. Jed

    Thanks for the info, Jacob and irilyth!

    Jacob and Anonymous: Yeah, that fatal error suddenly started showing up a week or two ago, when I had to turn off comments due to a gigantic spam wave. I haven’t had time to track it down, and since it doesn’t seem to be hurting anything, I’m considering leaving it alone until I upgrade to MT5, as I expect to do sooner or later.

    irilyth: You and Shmuel have both had trouble commenting, but I haven’t been able to figure out why. The comment sign-in system is, I think, completely unmodified standard Movable Type 4. I did have to spend a couple of hours hacking at it at one point because it was completely broken, didn’t work at all, but I think that turned out to be because the upgrade hadn’t overwritten the MT3 code; I think the final result of that work left me with an unmodified MT4 comment-sign-in system.

    In case this makes a difference, the sign-in system definitely uses JS. When I visit an entry without JS enabled at all, it gives me a regular comment form with no sign-in link.

    It’s also fine to ignore the sign-in system entirely and just post a comment. And you don’t have to supply a name or email address or anything like that if you don’t want to.

    Anyway, it’s been on my to-do list for months to try to figure out what’s wrong and fix it, but this is another thing that I’m reluctant to spend too much time on if I’m going to upgrade to MT5 soon.

    But will contemplate further.

    reply
  6. irilyth

    Yeah, if you’re going to upgrade soon anyway, I’d say don’t worry about it too much.

    (There’s definitely a chance that NoScript is eating some part of the sign-in process; I’ll try it with NS turned off some time and see what happens…)

    reply
  7. Ryan Walker

    Jed,

    I’m pretty sure that spambots ignore the comment forms. They look for specific blog software, detect the version, and then directly send comments exploiting security weaknesses in the various versions. I doubt that hiding your form would have any effect. Unless you did something particularly tricking eg AJAX, the form would still be in the HTML anyway, and bots wouldn’t even notice that it was hidden.

    Akismet works really well. It let’s you review caught Spam and and salvage any Ham, though I don’t think that it has ever made a mistake on my WordPress blog, certainly not for the past few years. I recommend installing it and taking for at least a one week test drive. If you don’t like it, you can easily turn it back off.

    Ryan

    reply
    • Jed

      Ryan: I know that spambots look at least a little at the comment forms, because when I change the name of the comment-processing file in my Movable Type installation, the spam comments don’t stop. So they’re at least looking at the name of the processing script as given in the form tag.

      I believe that I recently also tried changing the name of the text box in the comment form (and in the processing script), and spam continued to get through.

      I also hid one or the other of those names in a JavaScript-only piece of the page, and broke up the name into pieces so it wouldn’t appear in full anywhere in the raw HTML, and spam continued to get through. So apparently the spambots are actually running JavaScript, which surprises me a lot but suggests that my JS-related approaches won’t work. (I might try some variant of this again, though; it really did surprise me that it didn’t work.)

      My next step, I think, is going to be to add a checkbox to the comment form that says “I’m a human, please post my comment.” And then change the script to validate that checkbox; if it’s not checked, the comment will be ignored or be immediately marked as spam or something.

      But yeah, I suppose it might make more sense to just give up and try Akismet. The thing is, I don’t want to review spam; I get at least a few hundred spam comments a day, and reviewing them is a big pain. I want a system that I can reliably count on. I’m glad to hear Akismet hasn’t made a mistake on your system in years; that’s useful information, and makes me more interested in trying it. But I did used to hear about people noticing Akismet making mistakes, and that makes me nervous. And I also have a gut-level distrust of systems that are outside of my control, but I probably need to get over that.

      Anyway, thanks for the note!

      reply

Join the Conversation