Does Foswiki require Javascript?
No. In most cases Foswiki is functional without Javascript. However, there are some significant advantages to allowing Javascript on your Foswiki site, and the default configuration requires Javascript for User Registration and for topic editing.
Security
Foswiki provides advanced protection against Cross-Site Request Forgery (CSRF; see Wikipedia:Cross-site_request_forgery) using Javascript. This is controlled by the site administrator, and can be disabled if advanced CSRF protection is not required.
If the user's browser does not support Javascript or blocks it, and default CSRF protection is enabled, the Registration page and most actions that submit changes to Foswiki will not function for that user.
User experience
Foswiki uses Javascript to provide an enhanced user interface:
- WYSIWYG editing - TinyMCE - requires the use of Javascript. If Javascript is disabled, Foswiki downgrades to using the basic topic markup editor.
- Field Validations - can detect invalid names and notify the user more immediately.
- Hidden text - Foswiki uses "Twisty" Javascript to hide/reveal sections of topics for a cleaner topic layout.
Advanced extensions
Many Foswiki extensions require the use of Javascript and will not be functional without it. Some popular examples:
Administration
The Foswiki configuration tool, bin/configure, uses Javascript to improve the navigation and use of the configuration screens. This is further enhanced in the upcoming 1.1 release of Foswiki.
How to enable or disable CSRF validation.
The documentation below is taken from the Foswiki configuration tool. On Foswiki version 1.0.x, this parameter is located in the "Security" section in the "Sessions" group. It is an "expert" parameter. Click the [Yes, I've read all the documentation] button to reveal the setting. In the upcoming release of Foswiki 1.1, this setting will be visible by default, and not hidden as an expert setting.
By default Foswiki uses Javascript to perform "double submission" validation of browser requests. This technique, called "strikeone", is highly recommended for the prevention of cross-site request forgery (CSRF). If Javascript is known not to be available in browsers that use the site, or cookies are disabled, but you still want validation of submissions, then you can fall back on an embedded-key validation technique that is less secure, but still offers some protection against CSRF. Both validation techniques rely on user verification of "suspicious" transactions. This option allows you to select which validation technique will be used.
- If it is set to "strikeone", or is undefined, 0, or the empty string, then double-submission using Javascript will be used.
- If it is set to "embedded", then embedded validation keys will be used.
- If it is set to "none", then no validation of posted requests will be performed.
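
The three settings above, modelled as a small Node.js sketch. This is an added example, not Foswiki's code or text from the configuration tool. The key scheme (a one-time form key hashed with a cookie secret using SHA-256) and all function names are assumptions made for illustration.

```javascript
// Added illustration; not Foswiki source. Key scheme and names are assumptions.
const { createHash, randomBytes } = require('node:crypto');
const sha256 = (s) => createHash('sha256').update(s).digest('hex');

// Setting values as documented above: "strikeone", undefined, 0 and the
// empty string all select double submission.
function resolveMethod(setting) {
  if (setting === undefined || setting === 0 || setting === '') return 'strikeone';
  if (['strikeone', 'embedded', 'none'].includes(setting)) return setting;
  throw new Error('unknown validation method: ' + setting);
}

// Server: render a form carrying a one-time key and remember what to expect.
function issueForm(session, method) {
  if (method === 'none') return { formKey: null, cookieSecret: null };
  const formKey = randomBytes(16).toString('hex');
  if (method === 'embedded') {
    session.expected.add(formKey);            // the key in the page is the key
    return { formKey, cookieSecret: null };
  }
  session.secret = session.secret || randomBytes(16).toString('hex');
  session.expected.add(sha256(formKey + session.secret));
  return { formKey, cookieSecret: session.secret }; // secret travels in a cookie
}

// Browser (strikeone only): script on the form page rewrites the key at submit.
function clientTransform(formKey, cookieSecret) {
  return sha256(formKey + cookieSecret);
}

// Server: accept a POST only when its key is expected; keys are single use.
function validatePost(session, method, submittedKey) {
  if (method === 'none') return true;
  return session.expected.delete(submittedKey);
}

// Constructed walk-through: one session, one form per method.
function demo() {
  const s = { expected: new Set() };
  const a = issueForm(s, 'strikeone');
  const noScript = validatePost(s, 'strikeone', a.formKey); // Javascript blocked
  const scripted = validatePost(s, 'strikeone', clientTransform(a.formKey, a.cookieSecret));
  const b = issueForm(s, 'embedded');
  const embedded = validatePost(s, 'embedded', b.formKey);
  return { noScript, scripted, embedded };
}
```

In this model a browser that blocks Javascript submits the untransformed key and is rejected under "strikeone", which is the behaviour the Security section describes, while "embedded" accepts the key exactly as it appears in the page.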