[SquareWheel]

Ultimately then Javascript becomes useless, because 95% of clients will not have it enabled. This is why we have sandboxing, and very high browser bounties for any exploits that allow you to leave that sandbox. Is it perfect? Nope. But it's the best option to move forward safely in the web without going back in time 20 years.

[hobs]

I have JS turned off by default. Why?

Most of the web works fine, it does not break most sites the internet.

JS can be used to just do annoying crap, play sounds or videos, etc. I can choose to mute my entire browser or I can choose to not run JS on new sites until I approve of them. (This used to be more important before patches for js moving browser windows and the like)

While most JS wont break out of the browser in most cases, what you can do within the browser to determine where you have been, who you are, and (if you visit samy.pl) things like enumerating your local network or running a bitcoin miner with JS are possible.

[JadeNB]

> Most of the web works fine, it does not break most sites the internet.

While I agree with you in spirit, this doesn't seem to be true in practice. I also browse with JS turned off by default, and, in general, whenever I visit a new site, I often find it blank, or completely illegible. After allowing JavaScript for that site, I then often have to play a guessing game of what CDNs or other external resources I have to allow before anything will display. (For example, I was able to see weather on weather.com—hardly anyone's idea of a good Internet citizen, but the first one that springs to mind—simply by allowing JavaScript from their domain; but had to guess around quite a bit before I could get the settings icon to display.)