Google sign-ins will require JavaScript soon
Google users who have disabled JavaScript in the browsers that they are using to browse the Internet won't be able to sign-in to their Google accounts anymore soon unless they enable JavaScript for the login process.
Google announced yesterday that it will make JavaScript mandatory on sign-in pages and that it will display a "couldn't sign you in" message to users who have it disabled.
Internet users disable JavaScript for a number of reasons and most are well aware of the issues associated with that. A browser extension like NoScript blocks JavaScript execution by default to improve user privacy and security on the Internet.
Scripts don't run without JavaScript which reduces or even eliminates tracking, advertisement and malicious attacks.
Websites may load faster and users may save bandwidth if JavaScript is disabled or blocked in the browser. Some sites, however, will break if JavaScript is disabled as they use scripts for some or even all functionality provided.
Google explains that it wants to run a risk assessment during sign-in to Google accounts and that it requires JavaScript for that.
When your username and password are entered on Google’s sign-in page, we’ll run a risk assessment and only allow the sign-in if nothing looks suspicious. We’re always working to improve this analysis, and we’ll now require that JavaScript is enabled on the Google sign-in page, without which we can’t run this assessment.
The company goes on to explain that only 0.01% of Internet users run browsers in which JavaScript is disabled. While Google does not mention it explicitly, most bots on the Internet run with JavaScript disabled to improve performance and avoid detection mechanisms.
Google announced the launch of reCAPTCHA version 3 recently which promises to do away with annoying captchas by running risk assessments and giving sites control over what happens when scores below a set threshold are given.
Google changed the sign-in process in 2013 from the traditional username and password form to a multi-page form. The company enabled a link between sign-ins in its Chrome web browser and Google services on the Internet in 2018.
Closing Words
Some may suggest that Google's motivation for making JavaScript a requirement for account sign-ins is not based entirely on the desire to better protect Google accounts from login-related attacks. Google is an advertisement company first and foremost, and the bulk of advertisement on the Internet relies on JavaScript.
Now You: what is your take on the change?
Most importantly, what happens if the risk assesment gets you wrong and you cannot login? Because it will happen, maybe to a few people, but still. And I will take it further: imagine the day somebody in distress needs to log to a service to send a request for help and the “risk assesment” gets in the middle and trying to validate their identity they die. I know it is extreme, but this kind of unilateral i-do-what-want sh*t some services are pulling, at some point it will be too much.
In order to run risk assessment we need you to turn on a feature that’s super risky and exposes you to lots of risks and also please remember that by using our service you accept all responsibility for all risk that you risk risking by risking the usa of our risky business.
Yup, that’s how they will track you. Remember google is, after all, a advertisement company.
Google justification about “risk assessment” is ridiculous.
No Javascript, no risk. At all. For the user. The only risk is that Google cannot spy enough.
“No Javascript, no risk.”
No JavaScript, no commenting eather!
Alongside HTML and CSS, JavaScript is one of the three core technologies of the World Wide Web. All major web browsers have a dedicted JavaScript engine to execute it.
Don’t blame the programming language, blame the abuse of JavaSript by a bunch of shady programmers.
@manouche:
“Alongside HTML and CSS, JavaScript is one of the three core technologies of the World Wide Web. All major web browsers have a dedicted JavaScript engine to execute it.”
So what? Almost all website work without enabling Javascript (and I avoid those that don’t). Just because it’s a “core technology” doesn’t mean that we should have to be exposed the the risk that comes from allowing it.
“Don’t blame the programming language, blame the abuse of JavaSript by a bunch of shady programmers.”
Define “shady”. An awful lot of objectionable Javascript comes from non-criminal programmers (tracking scripts, for example).
A don’t actually blame Javascript itself. I blame the very concept of allowing websites to run code in the browser at all. The language used is irrelevant.
The thief requires your key to run a risk assessment of your front door lock.
Run half a dozen browsers and devices, keep Google, Microsoft and the rest of the social spies off of all but one.
Furthermore, Google and Microsoft are in blatant violation of the GDPR, they should be fined daily until they comply, or at least be required to disclose all the data they collect so people realize what they’re using. Mainstream users still do not comprehend what these state-controlled surveillance companies are doing.
As a blind person, Javascript plays all kinds of havoc with screen reading software, not that anyone cares about us, other than to charge us $900 for a screen reading program; which is literally the cost of three budget laptops!
“we’ll run a risk assessment and only allow the sign-in if nothing looks suspicious”
Oh boy, are the going to run reCAPTCHA v3 each time someone logs in? A lot of people, from what I’ve seen, who don’t use Chrome have been getting 0.1 AKA Google thinks they are a bot, but they are not. A phone number is already needed to make an account. Things are getting out of hand in my opinion, at least, for those who care about privacy or who don’t use Chrome (often overlap).
JAVASCRIPT defeats the anonymity of Proxys and VPNs
GOOGLE always wants to know your real IP Address … to track & catalog you (plus all else it can discover about you)
You cannot maintain your personal privacy with GOOGLE — JAVASCRIPT is a powerful weapon against your online privacy
Google is teaming with iRobot to map your home. Google “will not” use the data to sell you ads.
Remember, some home cleaning robots have cameras.
Some home cleaning robots have secret elephant’s trunk and sniff around for stash. They report live to your local Drug Enforcement Administration.
I am very, very picky about what Javascript I allow to run, and I don’t trust any from Google, so I won’t be logging into Google stuff. Fortunately, I only use Google services at work, and only because it’s required there — so I’ll only be exposing my employer’s machines, not mine. Let them take the risk.
Google’s revenue break down is 86% ad revenue last quarter. Google most likely wants to protect that revenue at all costs. If script blockers affect that then Google will find ways to try and stop it.
But if you use Google products you shouldn’t expect Google to embrace anything that hurts their bottom line.
I accept we should always question their motivation but I accept Google’s explanation here.
As you say Martin only a low percentage block Javascript and I am one of those so it will affect me but I can easily allow Javascript or toggle it.
I rely on the security of Google and I appreciate them locking their browser down.
“Some may suggest that Google’s motivation for making JavaScript a requirement for account sign-ins is not based entirely on the desire to better protect Google accounts from login-related attacks. Google is an advertisement company first and foremost, and the bulk of advertisement on the Internet relies on JavaScript.”
Indeed.
NoScript allows you to choose the specific scripts that you need to run to sign-in.
One reason more Google services consistently not to use and block wherever possible.
https://en.wikipedia.org/wiki/Unobtrusive_JavaScript
Next: Gmail will only usable with JavaScript soon