[Someone1234]

> Why is this such an acceptable thing in the first place?

Because before we had local desktop applications that were substantially less secure, with far greater default access rights (even root/admin in many cases).

Webapps that execute in a silo-ed virtual machine with only access to their own data (without express permissions), is a substantial security improvement (and also doesn't require the user to install anything).

To be honest the people who want to visit a website, for free, and then insist on how that website is delivered are super entitled. If you don't want to execute a site's code in a browser's secure context then don't, but you cannot whine about it like they owe you.

[ClumsyPilot]

"To be honest the people who want to visit a website, for free, and then insist on how that website is delivered are super entitled."

This is a very poor argumnet - stealing data is a crime.

Why should people accept being victims of robbery just because they are in a free library or music concert?

Secondly, many websites have a paid plan - OneDrive, Xero, Flikr, LinkedIn, YouTube, etc. This is a terrible attitude: "I gave you candy for free, so don't complain if it's poisoned"

[lazide]

That’s a bit warped of a comparison - 99% plus of website JS isn’t a poisoned Apple that will cause some kind of real harm.

That (in your analogy) everyone giving candy on Halloween provides a potential threat vector for a serial killer to occasional slip one in is them taking advantage of an ecosystem that everyone desires, not a malicious act from everyone giving out candy.

[hyproxia]

>for free

No, the site owner is usually gaining money from his users (through ads, tracking, etc). This is an incredibly dishonest statement.

[Someone1234]

> No, the site owner is usually gaining money from his users (through ads, tracking, etc). This is an incredibly dishonest statement.

Which you're purposely trying to avoid by disabling JavaScript, thus mooching and demanding that they design the site around your niche desires.

NoJs users are negative revenue users. They cost the same as a revenue user but block revenue streams. Then feel like more resources should be spent on just them.

[cudgy]

Why is Javascript required to show an ad? Embed the ad in the content.

[Someone1234]

> Embed the ad in the content.

You're then asking businesses to pay to place ads that you cannot assure them were actually viewed by anyone. It can work, but companies will pay more for ads that can prove they were even rendered let alone uniquely.

Many business models don't work with reduced revenues, thus you can embed ads in content, take the lower revenue, but then need to structure your business around the lower total revenue.

Typically, when businesses have goals like these they end up instead just doing a membership model wherein it is ad-less but the users/audience is paying them directly for content production.

[yehaaa]

If the ad is an image and it’s been fetched from the server then it’s reasonable to assume it’s been viewed no?

[lazide]

Generally no, as botnets can and do trivially spoof that kind of activity to burn competitors ad budgets or generate more revenue for the ad networks or websites.