And I'm not talking about XSS (the danger of including JavaScripts from untrusted sources should be obvious…)

This morning, I went to BloggingTom and the first thing I was greeted with was a Cocomment “popup” (a div-based one). As it looked like a standard OS X window, the reflex-based action was to hit Apple+W to close it. Naaah, that closed the whole tab, of course. Here's how that looked:

[Screenshot: the Cocomment popup on BloggingTom]

Next try, clicking on the actual and very small close button, another popup came up:

[Screenshot: the second Cocomment popup]

And then I have to click “Cancel” to agree that it won't be “cocommented”. Usability^3 :)

Even better on Win/IE:

[Screenshot: the Cocomment popup on Windows/IE]

What happened? The usual and (by cocomment) recommended way to make a cocomment-enabled post is to click the bookmarklet they deliver before you make a post on a blog. Then the above popup and the warning make some sense (as I – as the commenter – clicked my bookmarklet and want to cocomment-enable it). BloggingTom now just included that script by default to avoid having to click the bookmarklet. Nice idea for everyone who has a cocomment account, very bad for everyone else :)

andare.ch seems to have a nicer solution to the problem with his coComment WordPress Plugin. It doesn't enable the script by default, but adds a “toggle” button to the “Save Comment” button, so you can manually cocomment-enable the comment, without having to use the bookmarklet (you can't install bookmarklets in all browsers, for example not in NetNewsWire).

And why exactly is it bad to include remote JavaScript? First, as BloggingTom's example showed, you don't have any control over that JS. It may have worked differently when Tom first included it and then cocomment just changed the behaviour (or maybe Tom just didn't test it without being logged in :) ). Even if it hasn't changed since Tom integrated it, who guarantees that cocomment doesn't make adjustments later which break Tom's site again? (It doesn't have to be with bad intentions…). I wouldn't integrate something like that and enable it by default (with no way for the user to turn it off) on something as important as the comment function of your blog :)

Furthermore, what happens if cocomment.com is down? We had similar issues with the gravatar site and del.icio.us. Servers go down, are slow in responding, have network problems, etc., and when that happens, either your site goes down with it, breaks the layout, or is just damn slow in responding. We solved those problems by caching the gravatars and the del.icio.us feeds locally, so if the remote site is down, it won't really affect us; we just show old data.
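As an added illustration (not code from this post or from any of the sites mentioned), here is the caching approach described above: remote content is fetched with a short TTL, and when the remote host fails, the last good copy is served instead so our own page keeps rendering. The fetcher, the fake remote and the URLs are constructed stand-ins.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class CachedEntry:
    data: str
    fetched_at: float


class RemoteFeedCache:
    """Local cache for remote content (feeds, avatars) that keeps serving the
    last good copy when the remote site is down, slow or broken."""

    def __init__(self, fetch: Callable[[str], str], ttl: float, clock=time.time):
        self.fetch = fetch    # hypothetical fetcher; a real one should use a short timeout
        self.ttl = ttl        # seconds before we try the remote again
        self.clock = clock    # injectable clock so the behaviour can be tested offline
        self.entries: Dict[str, CachedEntry] = {}

    def get(self, url: str) -> Tuple[Optional[str], bool]:
        """Return (data, stale). stale=True means the remote failed and we fell
        back to the cached copy; (None, True) means nothing is available and the
        caller should render the page without the widget rather than fail."""
        entry = self.entries.get(url)
        now = self.clock()
        if entry and now - entry.fetched_at < self.ttl:
            return entry.data, False          # fresh enough: no remote call at all
        try:
            data = self.fetch(url)
        except Exception:
            # remote unreachable: never let that break our own page
            return (entry.data, True) if entry else (None, True)
        self.entries[url] = CachedEntry(data, now)
        return data, False


class FakeRemote:
    """Constructed stand-in for del.icio.us: serves a feed until `down` is set."""

    def __init__(self):
        self.down = False
        self.calls = 0

    def fetch(self, url: str) -> str:
        self.calls += 1
        if self.down:
            raise ConnectionError(f"{url} unreachable")
        return f"<rss><item>bookmark #{self.calls}</item></rss>"


def demo():
    clock = [1000.0]
    remote = FakeRemote()
    cache = RemoteFeedCache(remote.fetch, ttl=300, clock=lambda: clock[0])
    url = "http://del.icio.us/rss/example"           # constructed URL
    first = cache.get(url)                           # fresh fetch from the remote
    second = cache.get(url)                          # served from cache, no remote call
    clock[0] += 600                                  # TTL expired
    remote.down = True
    third = cache.get(url)                           # remote fails -> stale copy, site keeps working
    missing = cache.get("http://del.icio.us/rss/other")  # never cached -> (None, True)
    return first, second, third, missing, remote.calls
```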

PS. This is (again) not bashing of cocomment or BloggingTom or whoever. It was just the perfect example of why you should be careful when including remote JavaScript (or similar functionality like remote RSS feeds) on your site. Both parties certainly did everything with good intentions; how it is right now on Tom's site is just a bad combination.

PPS. I'm still not convinced by the way cocomment works (collects comments) in general and doubt that it will work in the longer term. But I'm sure they have some nice ideas in their “stealth mode” which should improve that. I also had some ideas (before cocomment went public, btw : ) ) of how to make following discussions in comments easier with the help of planet.blogug.ch and list.blogug.ch, but those ideas have their flaws too, would only be Switzerland-centered and, most importantly, I don't find the time currently to actually implement them, so I'll shut up for now :)

Update: BloggingTom has now turned it off until a better solution is found.