Whatever the next version of "the web" is (it's hard to say what we are on right now, as not everyone agrees, and the version numbers are more hype than anything anyhow), there are some specific changes that really should be made. Up to now, each new version of HTML, CSS, JavaScript, and any other web technology has primarily added new features while keeping most or all of the old ones. We have not dropped much, but there are some things that really should be dropped. In fact, some of these things have already had support widely dropped or at least restricted by modern browsers. Most of these things could easily be handled differently, either on the development end or by adding new features to replace their core functionality, without carrying over their problems. Some of these things may have had a place originally, but none of them do anymore.
There are two specific features I have recently been thinking about that just plain need to be dropped from the standards, and browsers have already taken initiative on these. These two are popups and alerts. We should probably also tack on other modal dialogs here too, including browser level authentication for certain types of sites. Another feature I want to discuss is the HTML blink element.
Popups are already blocked by most browsers, unless the user explicitly allows them. Essentially, in modern browsers, popups are opt-in. Probably 99% of popups on the internet today have malicious intent. The two biggest uses of popups are covert ads (popups are instantly minimized, to prevent the user from noticing, with the hope that later the user will see the window, think it was opened intentionally, and get sucked into the ad before realizing it is an ad) and virus distribution (using security flaws to download a virus still takes time to complete the download, and what better way to avoid the user closing the window too soon than putting it in a popup and hiding it immediately?). Because of the inherently dishonest nature of popup ads that instantly move themselves to the background, a vast majority of these are for less than reputable products and services (more often than not, pornography). The occasional website has innocuous popups that are part of the site navigation, but these are relatively rare. The fact is, with modern technology, popups are no longer necessary. In fact, it is questionable whether they were ever necessary. Long before popups were even possible, there was the ability to provide links that users could click to open a new window. Only in rare cases is this not sufficient, and in those cases, modern technology has already provided an excellent alternative. The fact that modern browsers can get away with summarily blocking all popups, until the user acts to specify otherwise, should tell us that popups are no longer important or even useful to the web. Now days, they are almost exclusively used for dishonest advertising practices and for delivering harmful programs. We can do without them, and the next versions of the various web standards should eliminate them entirely.
Alerts in early JavaScript were primarily used for debugging, but there has never been a time when they were not primarily an annoyance to end users. For some reason, every JS course started out teaching how to create an alert, and as a result, they were quite common for a long a time. JavaScript alerts have never been a good idea. From the very beginning, trolls have been using them to make web pages designed purely to infuriate users, by constantly creating alerts, which would prevent the user from doing anything but clicking "OK" or "Cancel" in the browser, in vain attempts to end their misery. (Because they are modal dialogs, even closing the browser is generally impossible when an alert is present.) On rare occasions, alerts would be used to convey useful information to the user, but even in these cases, the result would often be frequent interruptions monopolizing the browser. This is another "feature" modern browsers have taken initiative on mitigating. Most modern browsers provide an opt-out option for alerts after the same page has produced more than two or three. Most web pages no longer use alerts, and it is generally considered a best-practice to avoid them. Similar to popups, most modern sites using alerts are using them for nefarious purposes, including tricking people into consenting to have malicious software installed, denial of service attacks through cross site scripting or injection, or just causing general grief for users. Sites that might have used alerts in the past largely now use iframe or div based dialogs (or notification bars) to achieve the same effect without monopolizing the browser or interfering with the user's work flow. Alerts no longer have an appropriate place in the web, and the next version of web standards should do away with them as well.
As an extension of JavaScript alerts, there may also be some value in expanding out to any client side modal dialogs. Modal dialogs prevent the user from interacting with the browser until the dialog is closed. Any modal dialog that can be created without explicit user interaction can be used for malicious purposes. One of the earliest modal dialogs in browsers is the authentication dialog. This was intended for sites and protocols that have authentication built directly in, in ways that make it hard to manage authentication through other means. The earliest web did not have interactive sites or even CGI, so page based authentication was impossible. Things have changed very dramatically since then, but these authentication dialogs still exist. There are plenty of ways they can be abused, but most of the time they are just annoyances used by web developers who are too lazy to write up a login page. Because the dialog monopolizes the browser, it is very difficult to look up authentication information stored somewhere else on the internet, and having to cancel the dialog and reload is inconvenient. In general, any time the user is interrupted with something that is artificially given priority over everything else, it results in a bad user experience. The need for these dialogs on the modern internet is incredibly rare. There are still a few protocols out there that just do not allow for any other means of authentication, but all of the commonly used ones do. Sadly, HTTP actually has a header specifically intended to bring up an authentication dialog, and in researching for this article, I discovered that this has actually been a significant problem for some web developers. No HTTP web site actually needs to use this means of authentication though, because it is trivial to manage authentication through a web page based dialog. The only reason to use the modal dialog instead is pure, unadulterated laziness. At least for protocols that can use other authentication methods, the authentication modal dialog should be purged from web standards. There should be no possible way a web developer or script injection hacker can force a dialog or window to open on a client computer, without the express permission of the user.
All of these can easily be removed, without any serious negative impact on the web as a whole. Yes, some developers will have to actually work for their pay, to make the occasional legitimate site currently using these work without them, but that is nothing compared to elimination of some pretty serious security and quality of life issues built right into current web standards. If convenience is really such a big issue, these things can easily be replaced with far better alternatives. Popups, alerts, and modal authentication dialogs could all be replaced with simple built-in JavaScript functions that will create centered div-like elements on the top layer of the current page, with custom content. For popups, this could work like an iframe. iframes are essentially web pages embedded in other web pages, with their own namespace. Most legitimate popups could be implemented similarly to iframes, maybe with a small title bar that allows dragging and possibly even minimizing. This functionality could all be built into the element, as part of the browser implementation. The minimize function could default to just turning the popup into a small icon in the lower left corner of the web page. This keeps popups entirely contained within the page that created them, without interfering with the user's ability to continue using that page. A page that creates excessive popups and automatically minimizes them will now end up covering itself up with icons, and when the tab is closed, all of the popups will be discarded. This would make stealth popups actually be a detrimental advertising strategy, as they would obscure the creating page, and they would not persist beyond the life of the creating page (to sneak up on you later). Alerts and modal dialogs of any type (authentication or otherwise) could be implemented similarly, where the user can specify text and inputs, just like with JS alerts, and then when they are activated, the browser generates a div-like element over the existing page. These could even act as standard modal dialogs within the context of the page, disabling any interaction outside of the dialog until it is closed, but it would not interfere with the use of the browser itself, like existing modal dialogs do. Pages that use modal dialogs excessively would thus only be harming themselves, and the user could easily close the tab without having to deal with a cascade of dialogs first. Note that all of this is already completely possible. iframes can already be used to mimic popup behavior, within the context of the containing page, and some slick JavaScript can even simulate the minimization behavior described above. Creating in-page modal dialogs can be done equally easily, and blocking the page behind the dialog can be accomplished with a transparent element between the page and the dialog element. If these features are so valuable that they are worth keeping though, perhaps the above suggestions should replace them in web standards, to eliminate their potential for abuse, while maintaining any useful applications they may have.
Now, let us discuss the HTML <blink> element. Long ago, HTML had a blink tag, that could contain text. It would apply a blink effect to that text. From that sprang some of the most hideous, annoying, and possibly seizure causing web sites in the history of the world. It was not long before browsers started just ignoring this tag or at least disabling it by default. This tag was based on blinking text used on console systems, and as far as I can tell, the only legitimate use for blinking text on console systems was to make the cursor blink, both to make it easier for the user to spot, and to identify it as not being a legitimate part of the text that has already been typed. Outside of that one legitimate use, blinking text has never been a good idea, even on the console, but somehow it made its way into early HTML. As with popups and alerts, browsers identified the issue and took initiative. The difference is that blink was later dropped from web standards entirely. Many modern browsers have never supported the blink tag, and those that did dropped their support many years ago. In short, there is a precedent for this. Browser makers are involved in the creation of web standards. They are not the only ones though, and sometimes browsers can be outvoted by other entities. When it comes down to it though, browsers implement the web standards, and if they choose not to implement some standard as a group, that standard becomes meaningless. Of course, this rarely happens. Typically when a browser chooses not to implement a web standard, it is either to make a statement or out of greed (MS has done both, and a majority of the time, it has suffered as a result). (Some smaller browsers also choose not to implement standards that are especially difficult to implement, for more practical reasons.) But when practically everyone is eliminating or quarantining some particular element of the web standards, it is probably time to seriously consider whether that standard deserves to even exist. Blink was killed off when it was discovered that it had no legitimate use and plenty of obnoxious uses. It is still possible to make text blink, and some web developers who lack an appropriate level of design education even do it, but it is more difficult than a simple tag, because it requires some mildly complicated CSS or JavaScript to accomplish. Blinking text is all but non-existent on the web now though, which is as it should be.
The next iteration of web standards should perhaps focus more on eliminating problems than adding new features. There is already a precedent for keeping web sites as self-contained as possible. Standards regarding cross site scripting have already been created to deal with this on one side of the fence. It's time to deal with it on the other side. If web sites should be self-contained, they should not be able to open dialogs, windows, or tabs outside of their own space, without explicit action and intent from the user. If the user really needs something open in another window, the user can click a link that will accomplish that. Allowing the web page to do it without explicit interaction from the user is just plain irresponsible, and the fact that popups are commonly used in virus distribution suggests that this is a serious security issue as well. Browsers should not have to block popups. Popups should not even be possible. The same applies to alerts and to modal dialogs where there is a better solution that can be limited to the scope of the web page. The next web needs to put users back in control and stop allowing web sites outside of their own scope without explicit user interaction. Technology has come a long way. We don't need the most annoying features of the web anymore. It's time to get rid of them.
No comments:
Post a Comment