[nolist_policy]

IMHO, NoScript is bad because it discourages you from browsing new sites. As you usually need to first spend 1 minute in the NoScript UI to get the site working.

This also makes it very impractical for day-to-day usage i.e. quickly googling something.

[bee_rider]

Without NoScript, I need to trust a site well enough to download and run programs from it, in order to check it out. With NoScript, I can at least try to use a site.

[DecoySalamander]

Without NoScript you trust your browser's sandbox to handle whatever arbitrary code is thrown into it. Same as with NoScript, really.

[nolist_policy]

And how exactly do you establish trust?

At that level of paranoia you should use a separate device. More secure and, more importantly, more time saving. It will pay off in no time.

Or perhaps use an operating system that provides stronger security guarantees like QubesOS or ChromeOS.

[bee_rider]

If you just browse a site for a little while you can see that it’s a real website, and get a general impression of the place. The set of sites that are both useful, and require JavaScript, is pretty small anyway. So, it isn’t a big loss.

> At that level of paranoia you should use a separate air-gapped device. More secure and, more importantly, more time saving. It will pay off in no time.

This is not a real suggestion, it is an attempt to make my easy middle-ground solution sound ridiculous and impossible by comparing it to something silly like air-gapping my computer. I’m not going for some unattainable perfection. I think the reason people bring this out is that they are uncomfortable with the fact that they are being careless and they want to make even the slightest bit of self-defense sound incomprehensible difficult.