by mikegerwitz 4043 days ago
This concern applies to any JavaScript: your browser is automatically downloading and running untrusted software on your computer without prompting you.

Even if you enjoy having JavaScript enabled for many sites, something like NoScript is still a good idea---it at least gives you a chance to question whether it's needed at all, or verify what it's doing yourself.

1 comments

Sometimes NoScript notifies about domain names that lead to nothing when I google them/go directly to them... how do you know if a site is legitimate?

If you're not a JavaScript developer, that's not so easy to do with NoScript, unfortunately, because you'd have to allow the file to load, or pause it with a debugger, to see what is actually going on. Some scripts are also loaded at runtime.

LibreJS will list every script and its contents if it's not marked with a free license, but since it will refuse to execute it, it will not load anything that is dynamically loaded at runtime. But a malicious script could just mark itself as free to get around that.

It's a bad situation all-around.

Yes, and given the prevalence of JavaScript in 2015, I don't see this as a practical option at all for actually using the Internet.

Chrome canary + uBlock *uMatrix (which lets you allow images / scripts / css / XHR selectively per-domain) is about as much as I can stand to maintain.