By Raymund John Ang, RN, MAN
Open Nursing Information System (Open-NIS) Project Lead
Citation: Ang, R. J. (2020). NoScript Web Applications. Nurse Developer Column. Canadian Journal of Nursing Informatics, 15(4). https://cjni.net/journal/?p=8440
Today, nurse developers have a variety of options for building the healthcare applications they are interested in. These options range from desktop applications on workstations and mobile applications on handheld devices to web applications that are accessible over the internet through a web browser. This article will focus on web development for nurse developers, especially development that involves the processing of personally identifiable information or protected health information.
Web development requires familiarity with web technologies, such as HTML, CSS and JavaScript. HTML and CSS deal with the layout and decorative display of content or information in the web browser. JavaScript makes the application more interactive, thereby enhancing user experience. Using modern application programming interfaces (APIs), JavaScript is also able to communicate with the server backend to access, pass or receive data, and share resource information. However, despite the technological advancement brought by the enhanced functionalities of JavaScript, JavaScript can also be used to introduce vulnerabilities to web applications, especially if the nurse developer is not careful when it comes to preventing cross-site scripting (XSS) vulnerabilities. This particular exploit happens when malicious JavaScript code is inserted into the web application and the browser executes it, resulting in compromised user credentials or a breach of personal or protected health information. There are web frameworks that have built-in solutions for cross-site scripting vulnerabilities. Another approach would be to disable JavaScript in the browser altogether. This may not be the optimal solution for consumer-grade applications, since user experience will be severely affected. But the approach can be implemented in mission-critical applications that are not accessible by the general public.
Though there is no official definition of what a noscript web application is, for the purpose of this article we can operationally and conceptually define a NoScript Web Application as a web application that only runs when JavaScript is disabled in the browser. The term comes from the <noscript></noscript> HTML tags used to execute code once JavaScript has been disabled. The main purpose of creating NoScript Web Apps is to prevent any JavaScript code exploit from being executed by the browser, thus adding a layer of security for healthcare applications. The main disadvantage of this approach is that JavaScript cannot be used to enhance user experience, and JavaScript cannot be utilized to connect to other websites or backend servers using the Fetch API or a similar approach.
A NoScript Web App would generally include a warning or alert notice for the user to disable JavaScript in the browser for the application to run. The rest of the application code can then be enclosed inside the <noscript></noscript> tags so the program will execute only when JavaScript is disabled. Again, user experience will be affected due to loss of application interactivity. But the security enhancement can outweigh loss of interactivity when making the decision to pursue the NoScript Web App approach since JavaScript-related vulnerabilities and exploits can be eliminated. The BasicPHP Sample Site template (i.e. header and footer) shows how to integrate the noscript web app approach in building web applications (https://github.com/ray-ang/basicphp/tree/master/sample-site/views/template).
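The layout described above can be checked mechanically before a template ships. The following is an added example, not code from the article or from BasicPHP: the two sample templates, the `/notes` route, the `js-warning` id, hiding the notice with CSS placed in a head `<noscript>`, and treating form controls as the marker for "application code" are all assumptions made for illustration.

```python
from html.parser import HTMLParser

# Constructed template: notice shown by default, hidden by CSS when scripting is off.
GOOD = """<html><head><title>Ward Notes</title>
<noscript><style>#js-warning { display: none; }</style></noscript></head>
<body>
<p id="js-warning">Disable JavaScript in your browser to use this application.</p>
<noscript>
  <h1>Ward Notes</h1>
  <form method="post" action="/notes"><input name="note"><button>Save</button></form>
</noscript>
</body></html>"""

# Constructed template that departs from the layout in several places.
BAD = """<html><body>
<script src="/app.js"></script>
<noscript><a href="javascript:save()" onclick="save()">Save</a></noscript>
<form method="post" action="/notes"><input name="note"></form>
</body></html>"""

URL_ATTRS = {"href", "src", "action", "formaction"}
APP_TAGS = {"form", "input", "textarea", "select", "button"}  # assumed marker of app code

class NoScriptLint(HTMLParser):
    """Check for the developer's own template files; it is not an input sanitizer."""
    def __init__(self):
        super().__init__()
        self.depth = 0       # greater than 0 while inside <noscript>
        self.findings = []   # (line number, description)

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag == "noscript":
            self.depth += 1
        elif tag == "script":
            self.findings.append((line, "script element"))
        elif tag in APP_TAGS and self.depth == 0:
            self.findings.append((line, f"<{tag}> outside noscript"))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append((line, f"{name} handler"))
            elif name in URL_ATTRS and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append((line, f"javascript: URL in {name}"))

    def handle_endtag(self, tag):
        if tag == "noscript" and self.depth > 0:
            self.depth -= 1

def lint(template):
    parser = NoScriptLint()
    parser.feed(template)
    return parser.findings
```

Calling `lint()` on each template file in a build step and failing on a non-empty result keeps script elements, inline handlers and application forms outside `<noscript>` from reaching production.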
There are numerous frameworks and web development strategies that nurse developers can integrate when building healthcare applications. The NoScript Web Application strategy is one way of adding a security layer to applications by eliminating JavaScript as an attack surface through which malicious code can be executed in web browsers.