[anthk]

Sorry, but you are wrong. GNU people won't run nonfree JS at all.

LibreJS is a good example in order to kill any potential Spectre/Meltdown attack. There is no attack when no code is being run.

[kaba0]

At that point why just not power off their machines? That 3 websites that has “free js” is almost as useless as a brick. Also, free software in itself never protected against security vulnerabilities, many eyes is a fallacy.

[anthk]

You are really wrong, a lot of services (specially news) work either without JS or have a libre alternative, such as Twitter/Nitter, or Reddit/Teddit.

[beermonster]

I use NoScript and I find very few sites that are really broken if I don't enable JS.

[kaba0]

Your and mine definition of very few sites must be different than.

Can you buy anything at all on the internet?

[anthk]

Amazon not so long ago worked without JS, or Ebay, I can't remember.

[XMPPwocky]

"LibreJS is a good example in order to kill any potential Spectre/Meltdown attack. There is no attack when no code is being run."

If attackers who cannot add a comment to their exploit are in your threat model.

Personally, I've been using a browser extension that blocks JS unless it has a comment reading

> This code is NOT evil or malicious!

at the top. Haven't been hacked yet!

[marcan_42]

> There is no attack when no code is being run.

https://9to5mac.com/2021/03/11/browser-based-attack-affects-...

Turns out you don't need Turing completeness to perform microarchitectural side channel attacks. This is yet another way in which the "all my software is free, therefore I am safe from attacks" fallacy breaks down.

Nevermind that, as pointed out by other replies, LibreJS provides zero security. It relies on scripts voluntarily declaring that they're freely licensed, and if they do, they're allowed to run. The extension doesn't care whether the script is malicious or not.

[anthk]

Dillo has a nice CSS-less rendering. Also, Links+.

I am still safe.