How *not* to do a redirect

Posted: Sat, 3 May 2014 | permalink | 5 Comments

This is the entireity of a (purportedly) HTML page I just got:

<script language="javascript">
  window.location = "http://example.com/obscured/to/protect/the/guilty"
</script>

To compound the pain, this didn’t come from a site run by people who wouldn’t be expected to know any better – it’s associated with a rather popular web-oriented test framework. So it should contain at least one person who might pipe up and say, “WTF, don’t do that!”.

I’m up to about 7 things that are wrong with this. Anyone want to weigh in with their own enumeration of why this is shockingly bad?

5 Comments

From: Sam
2014-05-03 17:25

I won’t go into extra detail just now but to say “ugh seriously!” and express commiseration. I work in the web analytics space, tangentially with SEO, and facepalm regularly with such nonsense. This is usually followed by an email to the related clients advising them that search engines, users without JavaScript, and anyone in a performance-sensitive environment would thank them to use the thoroughly standardized 301 or 302 responses, and that we’d love to advise their developers on best practices if needed. Rest assured though: you will see it again.

From: fenrir
2014-05-03 20:22

I’m new to web development and I fail to see why this is a bad practice. What am I missing (and where can I learn more)?

From: Karellen
2014-05-04 06:53

Clearly, the largest and most obvious issue here is the original author’s heretical adherence to the evil practice of relying on Automatic Semicolon Insertion. As the creator spake: “ASI is (formally speaking) a syntactic error correction procedure.”, and his prophet Crockford also pointed out in reference to ASI: “that is insanely stupid code”.

Yea, and all who commit such code must be shunned by the Good and Right inserters of semicolons, and banished to work on Visual Basic projects for the rest of their days. Or maybe Perl.

From: Daniel Lo Nigro
2014-05-04 10:48

The main issue here is that they’re using the obsolete language=”javascript” attribute. It should be type=”text/javascript” or just omitted entirely (as per the HTML5 spec).

From: Matt Palmer
2014-06-06 10:45

Just thought I’d name-and-shame an even more egregiously stupid example I just came across: www.webtrust.org. Visit it without the www and you get a 404; with the www you get a JS redirect to a rather suspiciously-named page. I would expect an organisation charged with promoting trust on the web would be more in favour of other forms of improving online security (like browsing with JS disabled by default).

Post a comment

All comments are held for moderation; markdown formatting accepted.

This is a honeypot form. Do not use this form unless you want to get your IP address blacklisted. Use the second form below for comments.
Name: (required)
E-mail: (required, not published)
Website: (optional)
Name: (required)
E-mail: (required, not published)
Website: (optional)
 
« Keep your gems clean!
An SSL Certificate Cooperative? »