0

I need to check whether JavaScript is disabled: if the user has disabled JavaScript in the browser, a firewall or anywhere else, he will never be shown the form. I have searched a lot and found solutions, but unfortunately didn't get the right one.

- Using a style with the noscript tag: this one could be broken by removing the style...

<noscript>
<style type="text/css">
.HideClass {
display:none;
}
</style>
</noscript>


The code above will work just fine, but there are lots of problems with the noscript tag, as here

Besides that, I don't want to redirect the user with the noscript tag either... Besides that, I can quickly stop loading the page to break this meta, or disable the meta tag from IE:
<meta http-equiv="refresh" content="0; URL=Frm_JavaScriptDisable.aspx" />

Another way is to redirect the user with JavaScript, but this will work for, let's say, 99% of users, and this isn't a lovely way and will slow down the website...
window.location="http://www.location.com/page.aspx";

Are there any other ideas or suggestions to secure working with JavaScript... and prevent the user from entering the website or seeing my form except when JavaScript is enabled...

Psych Half
Kero
  • Read this: http://stackoverflow.com/questions/121203/how-to-detect-if-javascript-is-disabled – Biker John Oct 20 '13 at 13:54
  • 4
    Can't you do it the other way around? Hide it for everyone, then use Javascript to show it. – JLe Oct 20 '13 at 13:54
  • If I want to break the website, it's easy to first find out what you are doing to show it with a style, then I disable JS, re-enter the website and put the style in with my own hand. Besides that, I would prefer a way other than styling because it's easily broken. – Kero Oct 20 '13 at 13:59
  • 1
    You could use an ajax call to fetch and display your form, which will work only when JavaScript is enabled. – gp. Oct 20 '13 at 13:59
  • Thank you @Biker for the help, but unfortunately there is a problem: if the user disabled cookies but enabled JS, then this suggestion will not work fine... – Kero Oct 20 '13 at 14:22
  • We all have ideas on how to do things, sometimes they match up to what's usual, sometimes they're way off. I think in this instance you should look at how other developers handle what you want to achieve (the bigger picture) without using the method (the noscript idea) that you've gone for. – Popnoodles Oct 20 '13 at 14:27
  • Can I ask why you want to disable the form for users without JavaScript enabled? – Biker John Oct 20 '13 at 14:39
  • Good words @popnodles, but I have already tried lots of ideas and all can be broken till now, so I tried to show it here for more out-of-the-box ideas... Thank you – Kero Oct 20 '13 at 14:40
  • @Biker I'm using JavaScript in lots of places... One of them is like your advice to use it with cookie checking... Also in some other operations for adding and editing in a Grid-view, like a new row added and so on, with different ideas required in the project... – Kero Oct 20 '13 at 14:45

2 Answers

2

It sounds like you are relying on JavaScript for security in some way (based on the security tag and your descriptions of various work-arounds that the client could do to bypass your scheme).

This isn't a good idea - you cannot rely on the client executing your JavaScript correctly, even if it is enabled. A sophisticated user can send any HTTP method they like to your webserver, regardless of what you serve them. They can also pretend to be any client, with any capabilities (script, noscript, etc.) and you cannot reliably tell whether their reported capabilities are accurate.

So, make it usable/attractive, and don't worry that advanced users might be able to bypass your scheme - make sure your website is secure no matter what requests come from the client.

Michael
  • If what you are saying were really true, then try to disable cookies or disable JavaScript or even both, and you will not be able to log in to Hotmail http://www.hotmail.com for example... I just need my website to behave just like this... no one can access some pages unless he enables JS and cookies... – Kero Oct 20 '13 at 14:14
  • 1
    What you are trying to do is not possible. Don't try to use JavaScript for security. Use an approach such as the one suggested by John below, which will work for users that aren't trying to bypass it. – Michael Oct 20 '13 at 15:34
0

Something like that using jQuery:

EXAMPLE 1:

<div id='form_placeholder'></div>

<script type='text/javascript'>

var form='<form><input type="text" name="cat"/><input type="submit" value="submit" name="submit"/></form>';

$(document).ready(function(){

    $('#form_placeholder').html(form);

});

</script>

If JavaScript is enabled, the script should show the form.

OR simply

EXAMPLE 2:

<div id='form_placeholder' style='display:none'>
<form>
<input type="text" name="cat"/>
<input type="submit" value="submit" name="submit"/>
</form>
</div>

<script type='text/javascript'>

$(document).ready(function(){

    $('#form_placeholder').show();

});

</script>
Biker John
  • Thank you for the help; unfortunately I'm trying to avoid any use of styling because it's easily broken by any intermediate user, not even a professional: if he just removes the style part, then he is able to see everything. – Kero Oct 20 '13 at 14:30
  • My first solution here is not using any styles. Just like @Michael said, you cannot expect any security with JavaScript. It is a client-side language, which means its contents can be seen and manipulated by the user. In this case all you can do is some hacks like you see in my example. If you want to prevent access by unregistered users, use a server-side language in combination with sessions. – Biker John Oct 20 '13 at 14:51
  • Yes @Biker, I know about the security failure in the user's browser. I just want maximum security for me, and about style, I'm talking about your part in ` – Kero Oct 20 '13 at 15:24
  • 1
    There are two examples in my post. The first one does not use style. It generates the HTML and puts it inside the desired div placeholder. As for Hotmail, I'm not sure, but I assume they probably use a similar method. – Biker John Oct 20 '13 at 15:31
  • About the first part, this is great! But this means that I should put all my work inside this script tag; then if JS is enabled it will show up, otherwise it will not show up... Am I right? – Kero Oct 21 '13 at 10:50
  • @Kero yes, you are correct: put the form HTML you want to be hidden inside the form variable. I prepared a simple example for you to see how it works and added some comments. http://jsfiddle.net/GFpBa/1/ – Biker John Oct 21 '13 at 13:29
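
Added example (not part of the original question or answers): a sketch of the server-side enforcement that Michael's answer ("make sure your website is secure no matter what requests come from the client") and Biker John's comment about sessions both point to. The routes, the `sid` cookie name, the session store and the rule for the `cat` field are assumptions made for illustration, and the requests are constructed sample data.

```javascript
// Server-side enforcement that does not depend on client JavaScript.
// Route names, the session store and the "cat" rule are illustrative assumptions.

// Constructed session store: session id -> user. A real application fills this
// at login with unpredictable ids generated on the server.
const sessions = new Map([['s-constructed-1', { user: 'kero' }]]);

const FORM_HTML = '<form method="post" action="/submit">' +
  '<input type="text" name="cat"/><input type="submit" value="submit"/></form>';

// Extract the "sid" cookie value from a Cookie header (undefined if absent).
function sessionIdFrom(cookieHeader) {
  for (const part of (cookieHeader || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === 'sid') return rest.join('=');
  }
  return undefined;
}

// Server-side validation: never assume a browser-side script checked anything.
function validCat(value) {
  return typeof value === 'string' && /^[A-Za-z0-9 ]{1,40}$/.test(value);
}

// Decide the response from the request alone. Whether the client ran any
// script, or ever rendered the form, plays no part in the decision.
function handleRequest(req) {
  const session = sessions.get(sessionIdFrom(req.headers.cookie));
  if (!session) return { status: 401, body: 'login required' };
  if (req.method === 'GET' && req.path === '/form') {
    return { status: 200, body: FORM_HTML };
  }
  if (req.method === 'POST' && req.path === '/submit') {
    if (!validCat((req.body || {}).cat)) return { status: 400, body: 'invalid cat' };
    return { status: 200, body: `saved for ${session.user}` };
  }
  return { status: 404, body: 'not found' };
}

// Constructed requests: a logged-in browser, and a client that posts directly
// without a session and without ever loading the page.
const browserPost = { method: 'POST', path: '/submit',
  headers: { cookie: 'theme=dark; sid=s-constructed-1' }, body: { cat: 'tabby' } };
const directPost = { method: 'POST', path: '/submit', headers: {}, body: { cat: 'tabby' } };

console.log(handleRequest(browserPost).status, handleRequest(directPost).status);
```

With the check on the server, the jQuery placeholder from the answer above remains a presentation choice only: the form markup and the submit endpoint are both refused to a request without a valid session, however the page was rendered.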