[logfromblammo]

All of the web is broken by default, because it is filled with black-hats trying to collect your personally-identifiable information and steal your passwords.

If your web page doesn't work without javascript, you are no longer publishing to the entire world. You are publishing to the subset of everybody who will trust a complete stranger to execute unknown code locally on their own computer--otherwise known as the gullible and the naive.

While it is true that most website authors will not abuse that trust, they may not be entirely responsible for all elements served to visitors, as there may be a compromised ad server, or the website itself might have been subverted without the author's knowledge.

I will often at least temporarily allow scripts to run from the domain I am currently visiting, but if a page is serving scripts from 30 different domains, I may spend some time researching those domains, or simply forget about the page and go elsewhere.

I want my computer to serve my desires, not those of strangers. And I go to the web for information, not fancy layouts.

Also, I sometimes browse over a SSH shell with links, a text-mode browser, and javascript support in that has been suspended indefinitely. Some browsers are simply incapable of rendering images or executing script. You shouldn't ever be tying the core functionality of your website to a user interface, any more than you should make the business logic of software dependant on the GUI.

[sp332]

trust a complete stranger to execute unknown code locally on their own computer

So, what OS do you run, exactly?

[logfromblammo]

I have to pick just one? Windows, Android, Linux, iOS, Wii, Xbox 360, etcetera.

I don't consider Microsoft, Google, Debian, Apple, Nintendo et al to be complete strangers. I don't trust them unconditionally (hence all the rooted, modded, and jailbroken devices in my home), but I do trust that if I do discover malfeasance, that I have some well-established path to seek redress, and that they have the bank accounts, insurance policies, and reputations necessary to make me whole again.

I'm not nearly as trustless as RMS, but I am at least aware enough of the problem to be skeptical even of the software I have actually paid for, and downright paranoid towards everything else. Even the stuff I write myself could be subverted by a compromised compiler or OS. But like the two friends fleeing from the tiger, you don't have to run faster than the tiger to escape; you just have to run faster than your friend.

If someone is likely to be more damaged by breaching public trust and getting caught at it than you are likely to be damaged by trusting them when you should not, you're probably safe to trust them. But then again, even Sony can install a rootkit. You can trust, but remember to verify.

[sp332]

Would you run JS in a sandbox, like Chrome's? Would you run JS from a "trusted" source, like Google's web font loader? Would you run code from a "stranger" that had been vouched for by Google, like angular.js served from Google's mirror?