roller-user mailing list archives

From Henrik Martin <>
Subject Why does Roller use Javascript?
Date Sat, 04 Aug 2007 06:46:43 GMT

Hi. I was just playing around with my installation of Roller. I was
using my wife's machine and I was trying to comment on a blog
entry. However, I didn't see the "Please answer this simple math
question" show up on the page. I use a Javascript blocking toolbar in
Firefox, and I hadn't enabled Javascript for the site that Roller was
running on. When I enabled it, the field with the math question
appeared in the page.

I'm just curious as to why Roller needs to use Javascript for this? I
guess it's to avoid generating the numbers in the HTML, which would
make it easy for bots to parse. But this could still be bypassed
by a bot if the page is processed by a library that could execute the
Javascript code. In general, I consider Javascript to be a real
annoyance. Not only is it insecure, it's also very unpredictable as to
how it's implemented in various browsers. There are some sites that I
use that require Javascript to function, and I reluctantly allow it
for those sites, but I really don't see it being necessary for most

As for the math question, I guess there's some kind of cookie
associated with it so that you can verify that the response is for a
certain challenge. Why couldn't this be done by just passing cookies in
the HTTP header like most session cookies are handled? 

I'd like to suggest using JCaptcha (
instead of the math question. From a usability standpoint, I think
this is better and much more intuitive, and doesn't require
Javascript. The math question is very easy to miss, and it wasn't
obvious to me the first time I visited a Roller blog that it was
required to post a comment. Most people are used to CAPTCHA systems
when they sign up for services at Yahoo, Google, AOL, and other large
sites. I think it would be more obvious than the math question. The
only caveat that I'm aware of with JCaptcha is that it uses Java
imaging libraries that use the GraphicsContext class. This will
sometimes cause Tomcat to crash on servers that are running "headless"
unless the Java runtime environment has been told specifically that it
is running headless. This can be done by passing -Dawt.headless=true
to the JVM. Once that is done, JCaptcha works really nicely in a
headless server environment.

Just some thoughts.
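
A JavaScript-free way to tie a math challenge to a cookie sent in the HTTP header, as the message asks about. This is an added example, not Roller's code and not part of the original post; the class and method names, the token layout and the choice of HMAC-SHA256 are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

// Added illustration, not Roller code: every name here is hypothetical.
public class MathChallenge {
    private static final SecureRandom RNG = new SecureRandom();
    private final byte[] key;       // server-side secret, never sent to the client
    private final long ttlMillis;   // how long an issued challenge stays valid
    public MathChallenge(byte[] key, long ttlMillis) { this.key = key.clone(); this.ttlMillis = ttlMillis; }

    // Returns { question text for the HTML form, token for the Set-Cookie header }.
    public String[] issue(long now) {
        int a = RNG.nextInt(10), b = RNG.nextInt(10);
        String prefix = (now + ttlMillis) + ":" + Long.toHexString(RNG.nextLong());
        return new String[] { a + " + " + b, prefix + ":" + mac(prefix + ":" + (a + b)) };
    }

    // True only if the token is unexpired and its MAC was computed over this answer.
    public boolean verify(String token, String answer, long now) {
        if (token == null || answer == null) return false;
        String[] p = token.split(":");
        if (p.length != 3 || !answer.trim().matches("\\d{1,2}")) return false;
        try { if (Long.parseLong(p[0]) < now) return false; }   // expiry has passed
        catch (NumberFormatException e) { return false; }       // malformed expiry field
        String expected = mac(p[0] + ":" + p[1] + ":" + Integer.parseInt(answer.trim()));
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                                     p[2].getBytes(StandardCharsets.US_ASCII)); // constant-time
    }

    private String mac(String data) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(new SecretKeySpec(key, "HmacSHA256"));
            return Base64.getUrlEncoder().withoutPadding()
                         .encodeToString(m.doFinal(data.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        MathChallenge mc = new MathChallenge("constructed-demo-key".getBytes(StandardCharsets.UTF_8), 300_000);
        long now = System.currentTimeMillis();
        String[] c = mc.issue(now);   // c[0] goes in the page, c[1] in the cookie
        for (int i = 0; i <= 18; i++)  // print the single answer the token accepts
            if (mc.verify(c[1], String.valueOf(i), now)) System.out.println(c[0] + " = " + i);
        System.out.println("accepted after expiry: " + mc.verify(c[1], "0", now + 300_001));
    }
}
```

The token is stateless, so the same cookie and answer keep verifying until the expiry time; rejecting reuse needs a server-side record of spent nonces. The question is still plain text in the HTML, which is the bot-parsing concern the message raises.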

