0

I have a webpage written in PHP, HTML and, first of all, JavaScript. I want to block (deny access page and show a message) access my webpage for person who doesn't have enabled JavaScript in browser settings or doesn't support it, because then my page isn't correcly displayed and there are a lot of bugs (also security bugs !). I know that there is possible to write <noscript> statement in HTML, but then something other than this text is dispalyed and it also is removable (e.g. by Inspector function is browsers), I said that without JS my page contains bugs. So, my question : is there any way to block access* for users which doesn't support JS to my page using PHP ? Any other suggestions are welcome :)

*Block access means - deny access main page and show a message

TN888
  • 7,659
  • 9
  • 48
  • 84
  • 3
    you can't deny access, but you can give a nice message and hide your main content. –  Aug 29 '13 at 19:05
  • There might be some helpful answers here: http://stackoverflow.com/questions/4454551/check-if-javascript-is-enabled-with-php – showdev Aug 29 '13 at 19:07
  • 3
    _...there are a lot of bugs (also security bugs !)_ - well there's your first problem. Relying on JS for security **cringes** – SeanWM Aug 29 '13 at 19:07
  • @SeanWM I'm using JS to pre-check inserted data, I always also check that on server side, but I want to protect server from excessive load – TN888 Aug 29 '13 at 19:09
  • 2
    @Ty221 Since the server-side validation runs anyways regardless of presence of JavaScript, this won't protect the server from any load. – rink.attendant.6 Aug 29 '13 at 19:11
  • 1
    @rink.attendant.6 I think he means so that any invalid submissions get rejected by javascript rather than the server having to check every invalid submission too. – OdinX Aug 29 '13 at 19:15

4 Answers4

4

This is not possible to do in a truly secure way.

Yes, you could just serve a page that is blank, and then use JS to actually load the content (e.g. via AJAX), but the problem is that JS must load that code from somewhere, and an attacker could do that too. But here's the real problem:

Users have control over their browsers. JS is client side code. An attacker may choose to run, not run, or change and then run your JS. An attacker may even run their own JS to call or replace your functions. Any security that relies on your JS is broken by default.

So while you could (and people do) show a warning message over your page that is then hidden by JS code, or use JS to load your content, it won't ever be secure.

Dan
  • 10,531
  • 2
  • 36
  • 55
1

You can make a "sub" page that loads its entire content via AJAX. This will not stop people from hitting your URLS directly though. Don't trust the client.

Diodeus - James MacFarlane
  • 112,730
  • 33
  • 157
  • 176
1

If you really really really need this. I said three really because I think most of the time you can choose alternative to this.

Set a cookie using JavaScript and pass it along with your request to server and validate the cookie on your server with the passed request. If you are able to verify the cookie Your client has JS else not.

Better way would be to redirect js and non js users from single point. say in your index.html file you have have javascript code that will redirect your clients or visitors to different url. That way you know those users have js enabled else they would not be redirected.

Yalamber
  • 7,360
  • 15
  • 63
  • 89
0

Other answers and comments already include a lot of details on why you really can't technically block access using Javascript, however, a simple workaround to do something only when JS is enabled, is to call a JS function after DOM loads:

  <script type="text/javascript">
    window.onload = do_something();
  </script>
</body>
</html>

do_something() then could include simple things like switching block element visibility, e.g., hide the non-JS message, plus launch AJAX loader or do something else from the stuff that has been already suggested above.

eksperts
  • 149
  • 4