You can perform analytics almost as well from just the HTTP headers, you don’t need JS at all for fingerprinting, and hijacked NPM modules are probably still present even if there is no JS pushed into the browser.
Basically, each layer of any implementation of the OSI stack will have its own peculiarities. E.g. there's a paper on re-identifying computers via TCP clock drift.
How well they work depends on the amount of effort you're putting in. Since Javascript is easy and offers a very rich attack surface, there seems to be little rain to really plunge the depths of other layers.
Panopticlick did some of this with headers included, their order, and their timing. Which of course can be defeated without much loss of features. Tor Browser being one example
That's great and it's your choice to disable it but his point was don't expect developers that rely on JavaScript to power modern web experiences to develop their site to fit your strict requirements.
JS does way more then just fingerprint users and open up security vulnerabilities. You're in a minority that's asking for fall-backs in a world that's so far removed from simple <noscript> fixes.
Ahahaha come on my guy, effective people get to where they are because they can make good risk/reward assessments. Turning off javascript hasn't been worth the opportunity cost to a "real professional" for decades.
Security researchers and activists in oppressive regimes are professionals. And it's amazing how fast one can end up becoming one when your employer gets badly hacked or your government changes for the worse.
I'm not saying there's no reason to turn off javascript, or that there aren't professions where that's a good default. But it's absolutely not the norm.
> because they can make good risk/reward assessments
Indeed, and I made mine. No ads, not tracking, no risk of malware, no need for virus scanner, high speed page loading (ahem, when it works). Worth it? For me, sure! Peace of mind means a lot to me.
What's so hard about making web pages that don't use unnecessary tech?
There's nothing wrong with it, I AGREE with you that we shouldn't ship 5 megs of some garbage framework with every blog post. The point I'm responding to is that it's somehow reasonable or common for "professionals" to run with JS off, and to not do so is "playing around". It's not. It's a very niche thing that very few people get an actual benefit from.
Nonono, that's not what I said (well, not what I intendeded, I suppose it was ambiguous). "kids playing around, not professionals working" was referring to web designers indulging in their 'web experience' crap at a cost to the users, NOT to those who might run with JS off.
I am a professional, and I primarily browse with it off by default and whitelisted for only a few sites. I do have a JavaScript-enabled browser for user-hostile websites which require it, but I rarely need to use it (and I have real animus against those which force me into doing so).
"...JavaScript to power modern web experiences..."
What the hell are 'modern web experiences'? If you mean unacceptably slow, jittery pages loaded with megabytes of useless crappy data whose only purpose is to spy on users then I don't need them. I always avoid sites like that (and there's plenty more fish in the sea).