With the advent of cross-site scripting attacks and other browser security issues, approximately 4-6% of us have disabled JavaScript completely. Unfotunately, the navigator object does not include a way to check for JavaScript execution the same way it allows a check for cookies.

A number of workarounds exist, none of which work if your application consists of one page (rare) or if the page that has to detect JavaScript is a deep link (not rare).

• Use JavaScript to drop a cookie, then check for the cookie. Sure you can drop the cookie, but during that single page load you need to be able to see if the cookie was dropped and act accordingly. But if JavaScript is disabled, you can’t make the check.
• Use JavaScript to fill in hidden form fields. Again, it assumes you can deal with a server round-trip to discover that JavaScript is disabled.

What worked for me was use of the <noscript> tag:

<head>

<noscript>

<meta http-equiv=”refresh” conetent=”0;url=/noJavaScript.html”/>

</noscript>

</head>

…which immediately redirects the client to the specified URL should JavaScript be disabled.

I haven’t run this through the W3C validator, but it does work on IE6, IE7 and Firefox 2 which is good enough for me :-)

UPDATE  10/04/2007: This does not pass XHTML validation.