[cs702]

By default I have JavaScript blocked on all sites, allowing it only as needed, case by case, because JavaScript is a remote-code-execution vulnerability of modern browsers.

More and more of the applications we use and our private data live in the cloud. We now access our personal files, manage our bank and investment accounts, and make retail purchases on our web browser.

Browsing the web with JavaScript enabled by default allows code written by complete strangers to run on your browser!

[driverdan]

This shows a general lack of knowledge about how JS and websites work. I can't just run JS on my site that will steal your bank info. Browsers have cross domain security policies to prevent this.

There have been various vulnerabilities (especially in IE) but just like any other software they get fixed.

[cs702]

driverdan -- by your logic, it would be OK to give perfect strangers remote-shell access to one's computer, so long as one takes all the precautions necessary to protect sensitive files and prevent them from gaining root access.

Leave aside the various vulnerabilities (including cross-site-scripting ones!) that get discovered with disturbing frequency, and please consider the subject of this thread: it's possible to make someone click a "Like" button without their realizing it! How many other similar tricks can JavaScript be used for by people with nefarious intentions?

No matter how "safe" any runtime environment is, allowing strangers to execute arbitrary code on your computer is never a great idea.

This is why I allow JavaScript code to run on my browser only when it comes from sources I trust.