Hi, Michael,
thank you for the DOC update. The setup with a global CSS class/es is sweet. I am going to try it right away
Regarding security. OFC this is not comparable to server-side rendering. But, depends on the use case, this can be secure enough.
I have spent several hours testing and here is my 2 cents. Hope this will help others to decide.
First, lets assume today we can:
- create Javascript only enabled sites (from user perspective, as there is <5% or less of users with JS disabled or missing feature)
- except SEO content, where Javascript rendering can hurt or be difficult to implement correctly
I was evaluating following 2 use-cases:
- List of recipe ingredients:
- the amount of ingredients is populated by Javascript from array, loaded from backend
- the reason is I want to be able to recalculate the amount if user click + or - button
If JS is disabled:
SEO: OK, this data is not critical for seo
Security: OK, data are not fetched from array at all
So to use the feature, user has to not only disable JS but also tinker with data somehow to assemle them correctly, or maybe not disable JS but rather use Developer console to somehow bypas SA5 DOM manipulation… on wevery page, for every recipe,… this is beyond many users ability and patience.
- Rendering Vimeo/Vistia/… video
- the player is fully Javascript dependent
- they have many protection in place the user is not able to just download or stream the video without JS or withou proper auth
If JS is disabled:
SEO: OK, video not critical for seo
Security: OK, no video played
Another small obstacle I have added is a noscript element, which cover the whole VP and inform user about the need of enabled JS.
<noscript>
<div class="noscript" style="position: fixed; top: 0; left: 0; background-color: rgba(0, 0, 0, 0.5); z-index: 999999; height: 100%; width: 100%; text-align: center; padding-top: 40vh;">
<h1>This site is best used when you have JavaScript enabled.</h1>
</div>
</noscript>
This looks like this:
We will also combine this technique with server-side rendering based on logged state, so public rendering will be completely safe. AFAIK for my use case this is enough.
Have a great weekend!
Petr