Here's another way of looking at it: Does this page really need to execute code on its users' machines? Why is this such an acceptable thing in the first place?
> Why is this such an acceptable thing in the first place?
Because before we had local desktop applications that were substantially less secure, with far greater default access rights (even root/admin in many cases).
Webapps that execute in a siloed virtual machine with only access to their own data (without express permissions) are a substantial security improvement (and also don't require the user to install anything).
To be honest the people who want to visit a website, for free, and then insist on how that website is delivered are super entitled. If you don't want to execute a site's code in a browser's secure context then don't, but you cannot whine about it like they owe you.
"To be honest the people who want to visit a website, for free, and then insist on how that website is delivered are super entitled."
This is a very poor argument - stealing data is a crime.
Why should people accept being victims of robbery just because they are in a free library or music concert?
Secondly, many websites have a paid plan - OneDrive, Xero, Flickr, LinkedIn, YouTube, etc. This is a terrible attitude: "I gave you candy for free, so don't complain if it's poisoned"
That’s a bit warped of a comparison - 99% plus of website JS isn’t a poisoned apple that will cause some kind of real harm.
That (in your analogy) everyone giving candy on Halloween provides a potential threat vector for a serial killer to occasionally slip one in is them taking advantage of an ecosystem that everyone desires, not a malicious act from everyone giving out candy.
> No, the site owner is usually gaining money from his users (through ads, tracking, etc). This is an incredibly dishonest statement.
Which you're purposely trying to avoid by disabling JavaScript, thus mooching and demanding that they design the site around your niche desires.
NoJs users are negative revenue users. They cost the same as a revenue user but block revenue streams. Then feel like more resources should be spent on just them.
You're then asking businesses to pay to place ads that you cannot assure them were actually viewed by anyone. It can work, but companies will pay more for ads that can prove they were even rendered let alone uniquely.
Many business models don't work with reduced revenues, thus you can embed ads in content, take the lower revenue, but then need to structure your business around the lower total revenue.
Typically, when businesses have goals like these they end up instead just doing a membership model wherein it is ad-less but the users/audience is paying them directly for content production.