Yes, Javascript is used all over the web, but I find that in almost every case it is unnecessary. I use Noscript, and have a pretty small whitelist, comprising mostly just my bank, some webmail sites, and one or two travel ticket booking sites that just don't work at all without it. I temporarily whitelist quite a variety of sites whose functionality is enhanced by scripting, but only on those occasions when I actually need that extra functionality - and taking that moment to click on the Noscript icon to do the temporary whitelist really doesn't slow me down.
One example is the BBC news website, which runs at least twice as fast with scripting disabled - so I keep scripting blocked there except when I actually want to watch the video associated with a news story.
Facebook stays disabled except on those rare occasions when I actually venture into that cess-pit; I believe (not sure) that this preserves me from most/all of those attempts by Facebook to follow me round the Web ("Like" ... "Share this" ...).
And all those tracker sites of which I'm aware (doubleclick, google-analytics, 2o7, etc.) stay on my Noscript 'Untrusted' list.
All the forums I use regularly work just fine without scripting, albeit sometimes with a slightly clunky look'n'feel. Often a site's 'search' facility just reports "No hits" unless scripting is enabled, but I'm blessed if I know why. So on the rare occasions when I need to search the forum, I temporarily whitelist. Easy, quick.
[BTW: I've authored plenty of websites with a search engine integrated, and scripting is just not necessary (at least with Ht://Dig).]
There is just no need for scripting in the vast majority of cases - genuinely Web 2.0 sites excepted. I reserve a special level of contempt for sites that implement links with Javascript.
I accept that large efficiencies of content data transfer are obtained when AJAX is used nicely (page components updated in situ instead of a complete retransmission of the entire modified page). However, as a capable security-minded sysadmin I'm also aware of that fundamental security adage: "If you let a Bad Guy run His program on Your computer, it's not Your computer any more", ((c) Microsoft). Javascript functions are programs, so to allow all websites to run Javascript on my computer is an act of faith that :
- 1) The site administrator is not a Bad Guy
- 2) The site administrator is competent enough to author and/or run the webserver platform in a sufficiently secure manner that it never gets broken into by a Bad Guy and infected with a silent drive-by malware download.
I'm afraid I just don't have that level of confidence in the abilities and motivations of all 5 Gajillion website sysadmins out there - and they not only have to be that competent, but also remain that competent 100% of the time. Heh.
I run without scripting enabled, I enjoy a significantly faster and more ad-free web experience, I visit all kinds of murky parts of the Web :), and it's literally years since any PC of mine acquired an infection - unlike the army of friends and relatives whose PCs I'm regularly called to disinfect. Sadly, I accept that most Ordinary Folks just cannot get their heads round this stuff, and are completely fazed by the idea of having to "authorise" anything that ever happens on their computer. This, my friends, is Our Fault - we should not have engineered a WWW that functions so dangerously.
- Dialog Box (n):
A small window containing an 'Ok' button, a 'Cancel' button, and some text that the user will ignore.
You know that almost all drive-by downloads (apart from those that target buggy embedded document viewers) exploit a flaw in the DOM that requires Javascript to leverage, right ?
