Felgall,
A simple phishing attack which works with JavaScript enabled, and doesn’t work with JavaScript turned off. The page is only a demo and won’t harm your computer in any way.
http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/
Some people think it’s a security risk. Others dislike many of the ways JavaScript is used (pop-up windows, resizing the browser window, etc.) and so choose to disable it.
There are also some platforms that simply don’t run JavaScript, such as some mobile phone browsers or very old or text-only browsers.
I imagine that that’s the reason for most people that are using a browser that has javascript capability. Maybe some disable it to cut down on bandwidth to speed up load in. The only time I disable it is to test my own pages to make sure everything works OK without it. If I’m suspicious of a site’s javascript, I don’t visit the site. Seems foolish to visit dubious sites with javascript off in an attempt to be safer.
Many people with disabilities will browse with JavaScript disabled, because accessibility tools like screen readers don’t yet deal very well with the dynamic changes to page content, and because many JavaScript-powered sites fail to correctly support keyboard navigation.
I have JavaScript disabled by default, mainly because it’s so often abused for annoying ‘effects’ on websites. (That’s why I also disable animations, sound and plug-ins.) It’s also often used to insert advertisements.
If a trusted site provides added value via JavaScript, then I’ll enable it in the site preferences for that site in Opera.
On slower computers/internet connections, I’ve noticed extreme improvement in “speed” when disabling javascript. Some websites get a bit too carried away with number/size of external scripts, and what types of things those scripts do.
Just adding to the above valid claims, another reason people disable JavaScript is to simulate the effect search engines get when indexing a website (to see if any auto generated content will be lost in the index). While it’s getting less of an issue as spiders get smarter it’s still a major issue that search engines are generally unable to index content generated through a script (though as I said this could be on the change). Of course there’s also those who test with JavaScript disabled, being unobtrusive means that you need to ensure your site will function with it all “barebones” so people often turn off the scripting capability “on-demand” to do such testing. While this may not sound like “general web browsing” much of your traffic is referred from search engines and usability testing is often a vital part of website maintenance and improvement… that and you’re only simulating what many of those above will see on a full time basis!
Do you want to bet?
So I’ll just abandon those poorly written sites and go to a competitor who knows what he/she is doing.
Slightly overpriced, in my opinion.
It must be a bit of a trade off if whatever site it is uses AJAX to only reload what is necessary. With JavaScript disabled you’ll be loading the whole page many more times.
Just to expand on this: the idea that lots of keyboard navigators have JS off is no excuse for making sure it actually still works! It can be really easy to fall into the trap of assuming that your accessible fallback is going to kick in.
And anyway, it turned out that a large majority of screen reader users surveyed by WebAIM actually have JS on, or don’t know if it is on (I’d punt and say if they don’t know if it’s on, it’s likely to be on).
http://webaim.org/projects/screenreadersurvey2/#javascript
BTW: you might enjoy Kevin’s post on keyboard-friendly JS.
I’m not sure what you mean by “malicious intent” and how turning off Javascript could enable that…
There are many reasons why Javascript functions may not be available.
On my old computer, there were several websites I visited that abused JS for a range of unnecessary, intrusive and memory-intensive “features”, and for a while I did turn JS off for general browsing because of this, activating it only when needed for trusted websites.
Remember, some people don’t have a choice about whether they run Javascript!
Correction: In my third sentence above I meant to say YesScript And JavaScript Options. I left out the word Options.
Security is a big reason javascript is turned off. Just read some of the comments about the NoScript add-on for Firefox.
NoScript in Firefox blocks javascript and other code. Today the Mozilla website says that NoScript has 280,658 weekly downloads. (I’d say that’s a popular add-on, huh?)
Mozilla also lists other add-ons that block javascript, such as YesScript and JavaScript.
I haven’t used either of these. But I have used NoScript, and it is an easy way to turn off javascript and other code.
Only by those who don’t know better. There is a great deal of security actually built into JavaScript itself - so turning JavaScript off does not actually make your browser any more secure than it is with JavaScript on. (At least any difference in security between JavaScript on and off is so small that just about any other change you make to your computer will have a much greater effect.)
You gain more security by uninstalling the noscript plugin from Firefox than you do by turning off JavaScript.
Eh? How do you work that out?
Just as an example, there was recently a big security vulnerability reported (as of yet unpatched) regarding the way that browsers handle Adobe Flash objects.
http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html
NoScript blocks Flash as well as javascript and by simply having this extension enabled one is immune from this particular vector of attack. If you watch the video on the link above, these guys also recommend it.
Anyway, just to add my two cents worth, I have javascript disabled by default. This is mostly in order to block the aforementioned annoying ‘effects’ on websites and the advertising too.
If a credible website requires javascript so as to function properly then I can allow it.
IMHO it makes browsing the web so much more pleasant.
I would also like to hear an explanation why you think uninstalling NoScript is better for security. I was thinking of installing NoScript on a newer computer so any explanation you give would be helpful.
There are a few comments at Mozilla that do concern me. Read the first three pages of comments about NoScript.
One comment notes:
It’s a useful plugin, but don’t trust it blindly - some sites are automatically added to the whitelist without any question. Be sure to check the default whitelist and remove sites you don’t know/trust.
Another comment says:
Most of us select our privacy guardians with much fear. We need an outside (of the industry) group to vet the sourcecode. It’s in my kit, but I’m still afraid which side anybody is on these days.
Finally, another comment notes:
On the one hand NoScript provides a lot of safety, on the other hand the developer seems to want to tread or cross my line of trust…
However, a great majority of comments about NoScript are positive. Any thoughts on this?
Anything you install as an extension has far greater access to your computer (and hence is a higher security risk) than anything running within JavaScript.
I am not suggesting that the noscript extension is a security risk but since it potentially has more access to your computer than any JavaScript code can ever have then there is a possibility that poor coding in the extension itself could create a security issue whereas JavaScript is locked down so that you cannot interact outside the web page at all without the browser owner’s permission and hence it is impossible for it to become a security risk without hacking the browser itself.
So basically it is the difference between 0.000000001% chance of security issues in JavaScript compared to 0.00000001% chance of a security risk with an extension.
If you specifically want to be able to turn JavaScript off then you are safer using Opera where the option is built into the browser and doesn’t need you to install anything from a third party.
The functionality of those firefox extensions that you are talking about is just to enable and disable javascript? I’m asking because firefox already provides this functionality:
Tools -> Content -> Enable Javascript checkbox
I use NoScript too–and AdBlock. I’m always shocked by the bombardment of advertising when I use a browser without these plug-ins. I install them for security reasons, but also because the fluff is just plain annoying.
I always have my Javascript turned on in my browser. With all of today’s fancy dynamic web apps, you simply can’t “not use” Javascript. If you turn off javascript, half the sites you visit will be unusable. Just my two cents.