What Javascript Can't Do.
While there are many things that Javascript can do to enhance your visitor's experience of your web pages there are also a number of things that it can't do. These restrictions are not just randomly imposed on Javascript but have to do with where Javascript gets run, how the web and browsers work, and the security issues that may ensue were Javascript allowed access to perform certain functions. As there are a number of things that were not expected to have security implications which have turned out to be security issues there are also a number of things that earlier browsers permitted Javascript to do that the more modern browsers no longer permit.
- One of the first things that people new to the web often think about is how to protect the source of their page and most turn to Javascript looking for a solution. There are a whole range of supposed Javascript protection techniques that people use ranging from “No Right Click” scripts through to full blown encryption of web pages that are then decrypted using Javascript. The truth is that none of these methods work at all due to the nature of the web. The web browser downloads all of the files associated with the web page first before displaying them on the page (streaming audio and video is the sole exception to this). The web browser then loads the page into the browser and runs any scripts needed in order to decrypt the page so that it can be displayed. A decrypted copy of the page source exists in the browser at that point and while most browsers don't provide an option to directly view the source the way it looks after the javascript has run anyone can easily add such an option into their browser using a half a dozen lines of Javascript.
- Javascript has limited access to the web server. Because the scripts run in the web browser after the page has been downloaded from the server Javascript has no easy way of interacting with any information that remains on the server and is not downloaded with the page. Javascript used to have no access to the server at all but the introduction of what is now known as Ajax now permits Javascript to pass requests back to the server. With the exception of reawuests to retrieve static information that could therefore have been downloaded with the page in the first place, Javascript requires a server side language to pass the request to in order for any significant server side access to be provided.
- Javascript has no file access on the client apart from cookies. Each visitor to your web page has their computer configured to suit themselves and you have no way of telling what file structure they are using on their system. Also your visitor's are unlikely to want you to be able to write any files to their computer in any case since if that were possible then virus writers would be able to use the write file option in order to save their viruses to all their visitor's computers. Jscript does have read and write file capability but that is intended for use on intranets where all of the computers are running Internet Explorer and have known file structures. The security settings in the browser disallow those commands unless it is specifically enabled for the site in the individual browser.
- Javascript has limited access to open and close browser windows. To combat the plethora of popuw windows that used to inundate visotrs to some sites, all modern web browsers now implement a popup blocker that limits the opening of new windows to those that are opened as a result of an action by your visitor. Unless they perform the required action your popup window will not be opened. Javascript is also limited in being able to close browser windows. Only a window that was opened by Javascript running in a given web page is able to be closed by Javascript and the close command must be run either from the page that did the opening of the new browser window or by the page that was loaded into that window. Any attempt to close a browser window that wasn'y opened by your page will either be completely ignored or will display a confirmation message asking for permission before allowing the window to be closed (depending on the browser being used).
- Javascript has no access to web pages from other domains. If your web site uses either a frameset or iframes then you can have multiple web pages loaded into the same browser window at the same time. Provided that these pages are all loaded from your own site you can use Javascript to pass information between them. If one of more of the pages is from a different site then you cannot use Javascript to either obtain information from or pass information to that page.
- Javascript has limited access to the browser. Most browsers provide a small amount of information about themselves and the environment in which they are running. Some of this information is always accurate such as the screen resolution and the amount of space in the browser window. Other information passed is text content that can be easily updated by the browser owner and which therefore can't be relied on in any meaningful way (the browser and operating system are two such examples). Write access to the browser is limited. You can suggest a size and placement for a new browser window when you open it but your visitor has the ability to disable your ability to set those for their browser in which case the window will open the way they want instead of the way you want. It also used to be possible to open new windows without address and status bars but the security issues that arise from such windows means that modern browsers no longer provide those options. Similarly it is now no longer possible to update the content of the statusbar using Javascript in order to conceal the information that the browser displays there.
So what can you do about these limitations. Well first of all you should give up all thought of trying to prevent people from viewing the source of your page. Anything that you try to do to block that access will just encourage more people to steal your content just to show how ineffective that protection is. You will also drive legitimate visitors away since any technique that attempts unsuccessfully to block access to the source does succeed inn blocking access to legitimate options that some of your visitors use for navigating their way around the web. Also many forms of "protection" also make your page inaccessible to people with javascript disabled.
Where you are opening new windows or attempting to interact with the web browser in other ways you need to accept the fact that the options that you set are recommendations only. Those of your visitors who have their browser set to accept these recommendations will see things as you intended. Those who have their browser set to ignore the recommendations will see things as they want to see them.
You need to accept the fact that unless you are running JScript (Internet Explorer's proprietary equivalent to JavaScript that has a lot more commands) on an intranet (so that you know that the browser is always going to be IE) that you have no access to interact with anything on your visitor's computer that is outside of the web browser.
To access information from the server you will most likely need to combine your use of Javascript with an appropriate server side language that can perform those parts of the processing that need to take place on the server rather than in the browser.
