Do you disable Javascript? Why?

[cubical10]

To those of you who disable JavaScript in your browser, why?

The NoScript add-on for Firefox is ranked as the 8th most popular. So there are many users out there that believe there are benefits, I just want to know what they are. Or is this more of a legacy habit that started a decade

With so much of the content available now delivered via AJAX, do you end up maintaining massive white-lists?

Thanks

[gigafinger]

I've run NoScript for as long as I remember and it's why I've stuck with FireFox for so long. I like to ensure that I'm only allowing trusted sources to run on my PC. Once I visit a site I trust, I whitelist it. Everything is blocked be default, so it can be a guessing game for some embedded content.

[Anarchist]

I also disable scripts and flash. If I need them to run I'll temporarily enable them. If a web-site is one of the few I would consider essential then the permission will be permanent. However as we move towards html5 this bit of control will also disappear. Probably one of the major reason why Apple does not support flash is not their lame excuse about cpu usage but the very fact that they can be blocked which is not a good news for ipad since it is supposed to be a conduit thru which content publishers can sell ads.

[Captain Ned]

I'd like to remind everyone here of Forum Rule #12:

12.) Ad-blocking software: Since advertisements are the primary source of revenue for the Tech Report, all links/hints/recommendations/suggestions for ad-blocking software will be deleted. This includes flash blocking but does NOT include pop-up blocking. Basically, treat ad-blocking like warez where the forums are concerned. Philosophical discussions are okay, suggesting people use it (or linking to it) is not.

Thanks for listening.

[Flatland_Spider]

Javascript used to be used to do some really annoying things, like resize the browser window and take of the context menu. That's gone by the wayside now, so I've let javascript back in. I'll keep running it until something else comes along that annoys me, or it kills the performance of whatever system I'm on.

[cubical10]

I'd like to remind everyone here of Forum Rule #12

So I installed the NoScript add-on, I can see why this triggered the Captains warning. The main affect of disabling javascript is related to ads.
Does anyone have tangible reason related to security?

[redavni]

Does anyone have tangible reason related to security?

Almost every single one of the non-plugin vulnerabilities listed necessitate javascript to exploit. Note the frequency of new vulnerabilities. This is just a partial and delayed listing of what is publicly known.

Internet Explorer
Chrome
Firefox

[SuperSpy]

Pretty much ever since I started using Opera (basically since it became free ware) I've had javascript disabled, and used Opera's site preferences to selectively enable it. Like redavni said, if you disable JS and plugins, there's not much else to exploit in a browser, as very few security issues are normally found in the base browser and rendering engine. It also tends to make browsing extremely lightweight and fast, and removes all the more annoying page 'features' like the stupid pop-over surveys that seem to trigger all too often.

[Dposcorp]

I have never used yet............call me what you will, but I think for all the free stuff the internet provides in entertainment and information, the people behind the sites need to get paid.

Of course, I stick to a certain amount of regular sites, they don't overdue flash/JS, I run a lot of stuff in sandboxes, keep my machines updated, and make regular image back ups, so I have not been hit by anything in years.

[Madman]

I don't use any ad blocking, per se. But I do use flashblock, manly because flash is very CPU hostile, especially on Linux, quite often it consumes whole core, and there are plugin-container related hangs on Windows machine as well.

And yes, HTML5 seems to limit the options to disable automatic playable content.

Then again, I really don't understand why active/hostile/audio enabled ads are used on some pages. This is the first thing that will make sure I will never, EVER, consider the product advertised that way.

[Captain Ned]

Then again, I really don't understand why active/hostile/audio enabled ads are used on some pages. This is the first thing that will make sure I will never, EVER, consider the product advertised that way.

And TR management has been very quick to block the stray ad like that that somehow makes it onto the front page.

[PrecambrianRabbit]

Then again, I really don't understand why active/hostile/audio enabled ads are used on some pages. This is the first thing that will make sure I will never, EVER, consider the product advertised that way.

I have trouble understanding most annoying advertising strategies in general. My wife and I started blocking the video ads embedded in the Daily Show episodes on their website (hopefully this is not against TR policy to mention), because they were just too obtrusive. They were much louder than the show, and they would show the same ad during each break (sometimes multiple times in a single break!). Not to mention the ads that were annoying (Jack in the Box's Jumbaco!) commercial, and for products we'd never buy (no fast food in this household). The last straw was that there were just so damn many of them - four ads per break, three breaks per episode - that it was actively unpleasant to sit through an episode. We stopped watching for about 3 months because of the ads, until we discovered video ad blocking.

Of course, I do entirely support their making money by selling ads, I just wish they'd advertise something that was actually useful to me, or at the very least something non-annoying. You'd think that would be a win-win. I guess I should probably buy their episodes on iTunes...

[Ifalna]

Then again, I really don't understand why active/hostile/audio enabled ads are used on some pages. This is the first thing that will make sure I will never, EVER, consider the product advertised that way.

Agreed. It's stupid practice to annoy your customer to the point that he installs NoAd Stuff and just blocks everything.
As far as Java Script goes: I never really deactivated it, and I don't plan to. I rather take care of what I click on in the first place.
10 Yrs of Internet use and no problems so far.

[Meadows]

I have never used yet............call me what you will, but I think for all the free stuff the internet provides in entertainment and information, the people behind the sites need to get paid.

Philosophy: if you don't block a tree from falling in the forest, but never click it either way, does it still make a profit?

[AntiSp4wn]

JS blocking has to be one of the silliest tech habits in existence. Unlike Flash, this is a native web technology, and THE lingua franca of the web. So many sites, especially fancy/high quality HTML5 web2.0 super-awesome sites, not just rely on JS but are built on it. In the switch from Flash to native technologies, JS is the great enabler. Anyone not using it is not only missing out, but will not be catered to by most web developers at this point (unlike those blocking flash who are catered to with fallbacks, because reasonable ones exist. Yes some fallbacks can be provided, but more and more this is becoming impossible, and in the world of web apps JS is the end-all be-all). These people are a tiny, cringing <2% of users who aren't going to be catered to, who will steadily miss out on more and more of what the web has to offer, who will see ever more broken stuff (and may not even realize what is broken), and they do this all under the absurd banner of security which is just bollocks. Probably the same people who triple-deadbolt their doors and double encrypt their harddrives and have 64-digit randomly generated passwords, under some grand allusion that their personal data carries with it the weight necessary to make foreign governments pour huge sums of money and man-power into cracking into their oh-so-important data (a bank account with $2,500 and some lolcat pictures). But I digress, anyone blocking javascript at this point might as well go back to a text-based browser, they certainly don't care for the modern web because they've blocked the only native client side language that we have. Blocking javascript is little more there paranoia-induced security theater, at the cost of everything the modern web has to offer.

As far as Java Script goes: I never really deactivated it, and I don't plan to. I rather take care of what I click on in the first place.
10 Yrs of Internet use and no problems so far.

Exactly! Behavior matters more to security than anything. It's like installing mega-antivirus ultimate extreme edition on your uncles computer and he still gets a virus. You, without any AV, are trouble free. Blocking one form of content or running everything through an AV cannot save you from yourself. Education and good personal practices will do more than anything to keep you safe. That and an up to date browser.

[Anarchist]

"To those of you who disable JavaScript in your browser, why?"

don't you mean to say;

"To those of you who do not disable JavaScript in your browser, why?"

[Ryu Connor]

Does anyone have tangible reason related to security?

HTML & JavaScript exploits represent the greatest security threat to computing at this time. See Page 7 of this document for a line graph.

Web based Input validation flaws are a major issue plaguing the industry. XSS attacks AKA Cross-site Scripting is the major forms of these attacks. A related cousin XSRF AKA Cross-site Request Forgery is also fun.

[Bauxite]

...once you learn how it really works, you can't unlearn it.

So go ahead, allow javascript from anywhere to run. Heres some: http://jsunpack.jeek.org/?list=1

I mean, you're all patched and safe, nobody ever has widely unknown or unpatched exploits right? That CVE database is just for show!

Keep in mind most of your daily "safe" sites* have flaws that allow attackers to plant all sorts of fun hidden iframes pointing anywhere they want. Plenty of legitmate web two-point-uh-oh sites already load up 50+ domains, whats 1 more?


*running some generic framework thrown together by a random guy that packages a bunch of modules that 5 other guys threw together which all combined had maybe 2 spits worth of vulnerability testing running on a $_/month host with 1000 other identical virtual servers on a super well maintained OS
I like to give them fun names like "wordpress-itis", "drupal" (sounds medical by itself) or "_____ bulletin board syndrome".

[UberGerbil]

Ryu, your sig seems particularly appropriate for that post.

Web based Input validation flaws are a major issue plaguing the industry.

Which gives me another opportunity to link to this.