Lair of Peppe

Two days ago, we had this long discussion on the public Vaadin skype -channel about if how you should run Javascript in an Vaadin application, which continued a little on the forum and over lunch. It turned out fast to be an discussion about if Javascript should be allowed at all to be run from an Vaadin app. It was a discussion between ideology and convention.

The side defending the idelogy had the point that allowing Javascript would break the level of abstraction. The strong point of Vaadin is that it is very easy to use as you can do great things without knowing anything about Javascript, HTML and CSS. You only need Java. By opening the abstraction you soon get some implementations that depends on the low level API, and everybody has to learn those too to use Vaadin. Usability goes down. Another reason not to, is that I guess it would be really easy to break the whole software by running custom Javascript. Just like it is easy to break the software with custom css if you don’t know what you are doing. The whole API gets bloated at the same, when you add feature after feature, so you have to be critical about what you add.

The convetional side had the arguments that every abstraction is leaky. As a reference works Joel Spolsky’s blog post ‘The Law of Leaky Abstractions’. Sometimes you just have to drop down to a lower level to get things done. This becomes apparent when your Vaadin application has to work in symbiosis with some old system, and you have to embed jsp pages somewhere. How do you communicate between the Vaadin app and the jsp pages? Some of the main issues here has been to close a window (js: window.close()) or print some jsp/hmtl page from the application (js: window.print()).

At first I was strongly on the side to not let the user use Javascript. Think of all the possibilities you open up for hackers! Think of all the possiblities you open up for the programmer to really really mess up the application. One option that came up  was that it should be a separate extension to Vaadin, not embedded into the core Vaadin library itself. It should fit well as a component into the upcoming Vaadin side product ‘Directory’, which will be a web page where you could download custom made components for Vaadin. The users can jump the extra hoop and download a component from there, if they really, really want the ability to run Javascript, at their own risk. This way with wont pop up to users that doesn’t care about Javascript. I decided to do just this, build a Vaadin widget that runs any custom JS the programmer specifies. I did it because it was trivial to do and becuase I did not really want the feature into core Vaadin. You can find the code from here, a demo of it from here, and a  forum discussion about it from here.

After thinking about this for a while I have started to lean to the opinion that js built in would not be that bad. Hackers can’t use this very much as Vaadin has a strict barrier between the server and the browser. I also haven’t found out that there is some really really bad that you can do with js. You can’t really crash the server because all javascript runs in the browser. So the risks of having it seems to diminish all the time. I also heard someone saying: When Vaadin fails, GWT saves. When GWT fails, Javscript saves. And this is the solution for all the cases where it would be just easier to to a one-liner in the low level language.

I’m for the moment on the fence if it should be included or not. I’ve heard so many arguments for both sides so I guess I have to let it sink in for a while before forming my final opinioin. Then again, it’s not at all my decision to make. :)