Originally posted by Cootehill
Javascript is the worlds most secure programming language - it has had exponentially more attacks written for it than any other language.
Very dubious statement there. Yes, the browser security model is heavily tested and there's a strong quality assurance pipeline in place for the major JS engines but the reason for this being the case is that the browser is pretty much the only place where there's even an attempt to take arbitrary turing complete code from an untrusted source and execute it "securely". That's like the hugest attack vector any has ever dreamed of, so for all the heroic effort poured into secure JS execution it's only necessitated by software that's a huge soft target in the first place.
Also the safety of the "language", even when proven formally (which it's not in the case of JS) doesn't change the fact that it's running on browsers written in C++ on OSs with historically imperfect process isolation (assuming process isolation is used between runtimes, which is not true in all browsers) running on hardware that's been on a losing streak with respect to security lately.
Yes, if you're doing something deeply illegal in tor, like bennyvader shit, just maybe, maybe, turn javascript off. Even though I don't know why you would bother with a late version of tor browser.
But for everything else, even white nationalist publications, it's perfectly safe, and doesn't pose a threat. I don't care if weev and dailystormer.name have my IP address. They already have my name and my bitcoin address. And I couldn't care less, I'm more or less open WN, and it's not against the law in Ireland, and if it ever comes up I'll oppose it publicly in the Irish Parliament.
Turning away from a desire for security, performance and useragent restrictions are a huge reason why it's desirable to support nojs scenarios. I post from a textmode browsers that doesn't have a javascript engine for a significant part of my day. Textmode browsers exist, they have advantages, and sometimes they're the only thing available to you. Further, while the level of javascript used here probably isn't going to represent a performance problem for anyone, go try loading a news site and tell me in-browser execution isn't abused to hell.
Here's an empty cache page load from a CNN article with JS on:
and with it off:
Actually I stopped the first one at the load event but it continued loading videos in sequence, it spiked one core up to 100% for like 15 seconds and audio I had going in another browser tab skipped slightly in the process of loading a 6 paragraph news article. Imagine trying to download that shit on a spotty 3G connection with a phone that's 2-3 years old (that's a huge set of users). That's fucking criminal, and allowing users to opt out of javascript puts a huge dent in it.
