Hacker News
by dmm 3528 days ago
>everyone has JS enabled.

Using an addon like NoScript it's possible to selectively enable javascript per domain. When a website doesn't work without js I am forced to decide whether it's worth enabling js for this site. Very often I decide it's not worth it and I never use that site again.

3 comments

You and I both. Remember, however, that you and I are not a representative sample of the general population of web users.
That would be meaningful if we were talking about some optional UX feature, but this is security. Does having a non-representative browser config mean we don't deserve security? I think not. Security has to work without JS.
Why wouldn't it just <noscript> an input field to enter the token?
And I hate it when a site is loading JavaScript from a large domain, e.g. cloudflare.com; generally I just close my browser window and view something else.

No way am I going to allow JavaScript from every single site using CloudFlare to run all at once.

Can I ask your reasoning in doing this?
When your browser runs JavaScript, it is downloading and automatically executing untrusted, unsigned, ephemeral code. Even if the site is over SSL, only the _party_ is validated---the resources themselves are not signed.

If your browser instead presented the JavaScript as a program itself, and listed the programs it executed, and from what sources, users would have a wholly different perspective. JavaScript has the illusion of remote execution; most users don't think of it as executing programs on their computer.

Addons like NoScript are essential security precautions that mitigate a host of attacks. Unfortunately, even security-essential software like the Tor Browser Bundle leaves JS enabled by default because it'd "break" the web.

There's other reasons---as a free software user and activist, I won't run non-free JavaScript programs.

I gave a talk earlier this year about these problems and some ideas to solve them: https://media.libreplanet.org/u/libreplanet/collection/resto...

Why should we trust any website and execute their JS code on our machine? What about privacy, if they decide they can track us and sell the information to whoever they want? And even if they're "legit", what about the 3rd parties they might trust wrongly?
Honest question: what harm could possibly be done by Javascript?
What's more, rowhammer can be done from js: https://github.com/IAIK/rowhammerjs
I come to a website to read it, not for it (and who knows what else) to execute code on my machine, no matter how deep into the sandbox it is. If I want to watch the video and allow it to use my data, I will explicitly allow it.
I personally do this for some combination of privacy, security, and ad blocking.
Gets around all the anti-ad-block websites and it is much, much, much faster.

Sadly doesn't work in Chrome.