I have had JavaScript disabled by default for years now, which means that:
- if your site requires JavaScript, I will opt for an alternative
- I will block anything ad related, even if it means I cannot use your site
The reasons are simple:
- JavaScript has become a big security threat over time. Be it tracking (hello fingerprinting!), data leakage, direct attacks, supply chain attacks, sloppy code or other risks, JavaScript is not vulnerable just by itself, but especially the eco systems (hello npm – 2 attacks in September 2025 alone – and advertising networks) using it. Just a few references:
- [Wayback/Archive] The perils of JavaScript: How we’ve broken the internet’s security
- [Wayback/Archive] Most Common Security Vulnerabilities Using JavaScript – SecureCoding
- [Wayback/Archive] Supply Chain Security Alert: Popular Nx Build System Package Compromised with Data-Stealing Malware – StepSecurity
- [Wayback/Archive] Wormable Malware Causing Supply Chain Compromise of npm Code Packages – Arctic Wolf
- [Wayback/Archive] FingerprintJS | Identify Every Web Visitor & Mobile Device
- JavaScript has become a huge resource hog. Disabling JavaScript by default increased the snappiness and battery life of my laptops and smartphones significantly. In addition, it makes it way easier to read region-blocked content. Double win!
The below thread by [Wayback/Archive] Dr. Christopher Kunz (@christopherkunz@chaos.social) – chaos.social sparked me to finally write why and add some relevant links.
Thread:
The Wiert Corner - irregular stream of stuff 