[vesinisa]

Just use NoScript if you are concerned. JavaScript allows a large number of other ways to identify you as well. Direct ways of course include cookies / local storage / Web SQL, but other indirect ways include localization preferences, OS / browser / plugin / extension fingerprinting, HID inputs, side channel profiling etc. etc. – some combination of these allows uniquely identifying at least 80% of web users.[1][2][3]

Allowing a site to execute JS in your browser is equal to trusting them, like it or not, and browser vendors are definitely in the business of adding new APIs rather than reducing attack surfaces.

[1]: https://wiki.mozilla.org/Fingerprinting

[2]: https://github.com/Valve/fingerprintjs2

[3]: http://noc.to/

[ErikRogneby]

Might as well say don't use the web. Disabling javascript will break most sites with a few rare exceptions. (like HN)

[vesinisa]

NoScript is not about disabling JavaScript but allowing only white-listed domains to execute JavaScript. Generally, I trust the domains I visit frequently, and have them white-listed. I explicitly block domains of "analytics" and social networking services, since these do not offer me any value-added content.

However, if I follow a link to a domain I have never visited before, I will first see if the content is viewable without JavaScript. Most of the time, it actually is.

But sometimes the content does not render at all or the page layout is broken beyond recognition. Then I'll try "temporarily allowing" executing JS from the home domain of the site (I've noticed most sites these days bundle JS from 5+ domains, most of which are analytics and social networking services). For maybe 80% of those sites that do not work without JS, this fixes the issue and I am able to read the content. Takes maybe 2 secs to temporarily white-list and reload the page.

The rest are generally pages that make assumptions like that the analytics library is always present in the page JS scope and then crash when it is not, leaving the content unreadable because the JS layout code never runs. A quick peek at the JS console when the page is loading generally reveals what is the issue.

Sometimes I just ignore those pages, but if I really badly want to see the content, I can launch an one-off incognito window for the page and have the page execute with all the JS tracking and social network code allowed. This solves any issues for almost all remaining pages. If problems still persist, these are generally pages that are just simply broken – maybe the page only works with some specific browser, like Google Chrome (I use Firefox), to start with.

[lucideer]

If you're using NoScript in the fine-grained manner you describe, and for privacy reasons (not just security), I wonder have you ever looked at uMatrix[0]. Same deal but a bit more performant, and also covers the whitelisting of other privacy-leaking aspects such as cookies, CSS, tracking pixels, iframes, etc.

[0] https://github.com/gorhill/uMatrix/wiki/FAQ

[vesinisa]

Thanks, looks very interesting.

[anc84]

It's actually quite the opposite. Most sites will become lightning fast and distraction free.

[beeboop]

I have use NoScript consistently for years and I disagree with you. Essentially the only thing NoScript does is make it so when you haven't visited a website before, it doesn't automatically trust it. For the most part every single website I go to needs to have JS enabled for anything to work beyond just reading content.

And even then, I would say 70% of the time, some critical piece of content on a website does not work with JS disabled, be it images or text or video or etc.

[barrkel]

I disable JS on my phone, and I disagree with you: the vast majority of the text content web is perfectly readable without JS.

If you want to watch video, you're out of luck. If you want to use a web app, you're out of luck. But if you just want to consume text content, the majority of the web just works, and a lot faster too.

(I've never been able to get NoScript to work right, it's always given me problems. Perhaps part of the problem is NoScript?)

[anc84]

> For the most part every single website I go to needs to have JS enabled for anything to work beyond just reading content.

What percentage of websites is that though? Of course it depends on your browsing habits if it is feasible or not. I don't click social media stuff, I participate only if I really want to or if I am part of a community.

The majority of sites I visit are either regular revisits (rules are easily set up then) or random browsing where security & privacy by default is good.

I never used NoScript but am a bit uMatrix fan. There I can easily allow things. NoScript looked super complicated.

[vacri]

I've been using NoScript for years as well, and I have to disagree with you. Now that NoScript auto-permits the base domain (which you can switch off), I don't have to do much manual permissioning. There's the occasional bit, but really, 70% is a ridiculously high estimate.

Then there's the occasional 'funny photo' site which won't work until you enable 15 different sources - in which case, I just pop open Chrome if I really want to see that funny photo.

[danielweber]

And then starts the crazy hunt for the one thing you need to turn on to make the page work.

I was trying many years ago to create a public DB/wiki telling us which things we need to turn on to get the page to work, but it got abandoned before I really started.

[anc84]

That sounds super annoying. I don't know how cumbersome NoScript is but with uMatrix (or even RequestPolicy) things are easy.