The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


If you develop web-sites, be sure their basics work without JavaScript, as JavaScript is a security risk

Posted by jpluimers on 2025/12/18

I have had JavaScript disabled by default for years now, which means that:

  • if your site requires JavaScript, I will opt for an alternative
  • I will block anything ad related, even if it means I cannot use your site

The reasons are simple:

  1. JavaScript has become a big security threat over time. Be it tracking (hello fingerprinting!), data leakage, direct attacks, supply chain attacks, sloppy code or other risks: JavaScript is not only a risk by itself, the ecosystems using it are an even bigger one (hello npm, with 2 attacks in September 2025 alone, and advertising networks). Just a few references:
    1. [Wayback/Archive] The perils of JavaScript: How we’ve broken the internet’s security
    2. [Wayback/Archive] Most Common Security Vulnerabilities Using JavaScript – SecureCoding
    3. [Wayback/Archive] Supply Chain Security Alert: Popular Nx Build System Package Compromised with Data-Stealing Malware – StepSecurity
    4. [Wayback/Archive] Wormable Malware Causing Supply Chain Compromise of npm Code Packages – Arctic Wolf
    5. [Wayback/Archive] FingerprintJS | Identify Every Web Visitor & Mobile Device
  2. JavaScript has become a huge resource hog. Disabling JavaScript by default increased the snappiness and battery life of my laptops and smartphones significantly. In addition, it makes it way easier to read region-blocked content. Double win!

The thread below by [Wayback/Archive] Dr. Christopher Kunz (@christopherkunz@chaos.social) – chaos.social prompted me to finally write down why, and to add some relevant links.

Thread:

  1. [Wayback/Archive] Dr. Christopher Kunz: “Whoever launched the UK MI6’s portal …” – chaos.social

    Whoever launched the UK MI6’s darknet portal has obviously not read any opsec tutorial in the actual darknet, ever.

    Apart from the only source for the .onion seemingly being manually copying it from a YouTube video (a platform that is banned in many countries), this is what greets me when visiting the site.

    If you want security aware darknet users to submit to your portal, make it work without JavaScript. Which is hard if you develop said portal in React.

    Excerpt of a browser window, showing that the .onion address for the MI6 portal requires Javascript to run.

    [Wayback/Archive] 1df0861ca3c992bd.png (407×133)

  2. [Wayback/Archive] Dr. Christopher Kunz: “Whoever launched the UK MI6’s …” – chaos.social

    For reference, this is how it _should_ look. This is our SecureDrop instance at “heise investigativ”, reachable only via ayznmonmewb2tjvgf7ym4t2726muprjvwckzx2vhf2hbarbbzydm7oad.onion

    A screenshot showing a browser security warning on heise's SecureDrop site.

    [Wayback/Archive] 276483a6190acfda.png (869×230)

    Note: this is the *heise investigativ*. They provide various means of contacting them, see [Wayback/Archive] heise Investigativ
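A quick way to check the principle in that thread against your own site: the script below is an added example written for this post (not Christopher's code and not from any of the projects mentioned), and it reports what a browser with JavaScript disabled would actually get from the HTML the server returns: visible text, the `<noscript>` message, and whether a plain HTML form exists at all. The two sample pages are constructed, and the 20-word threshold is an assumption, not a standard.

```python
"""Static check: does a page's basic content survive with JavaScript disabled?"""
from html.parser import HTMLParser


class NoScriptAudit(HTMLParser):
    """Collects what a JS-disabled browser renders: text outside <script>/<style>,
    the <noscript> text (shown only when JS is off) and the number of plain forms."""

    def __init__(self):
        super().__init__()
        self.text, self.noscript = [], []
        self.forms = 0
        self._skip = 0         # nesting depth inside <script>/<style>
        self._in_noscript = 0  # nesting depth inside <noscript>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "noscript":
            self._in_noscript += 1
        elif tag == "form":
            self.forms += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
        elif tag == "noscript" and self._in_noscript:
            self._in_noscript -= 1

    def handle_data(self, data):
        if self._skip:
            return
        (self.noscript if self._in_noscript else self.text).extend(data.split())


def audit(html: str) -> dict:
    """Return the JS-free view of a page; 'works_without_js' is a heuristic (assumption)."""
    p = NoScriptAudit()
    p.feed(html)
    return {"visible_words": len(p.text), "forms": p.forms,
            "noscript_text": " ".join(p.noscript),
            "works_without_js": len(p.text) >= 20 and p.forms > 0}


# Constructed samples: a typical single-page-app shell, and a plain HTML form page.
SPA = """<!doctype html><html><head><title>Portal</title></head><body>
<noscript>You need to enable JavaScript to run this app.</noscript>
<div id="root"></div><script src="/static/js/main.js"></script></body></html>"""
PLAIN = """<!doctype html><html><head><title>Submit a tip</title></head><body>
<h1>Submit a tip</h1><p>Use this form to send us documents. It works without
JavaScript; scripts only add drag-and-drop upload on top.</p>
<form method="post" action="/submit" enctype="multipart/form-data">
<label>Message <textarea name="message"></textarea></label>
<input type="file" name="file"><button type="submit">Send</button></form>
<script src="/static/enhance.js"></script></body></html>"""
```

Run `audit()` on the HTML you fetch with a plain HTTP client rather than a browser, so that nothing has executed yet; the SPA sample yields one visible word and no form, the plain page passes.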

His post a few days earlier is also very important to remember: [Wayback/Archive] Dr. Christopher Kunz: “To whom it may concern: It is …” – chaos.social

To whom it may concern: It is very kind of you to send me unsolicited malware and phishing samples. However, would you kindly postpone such activities to the weekend so the subsequent malware analysis doesn’t distract me during work hours? Thank you for your attention to this matter.

Via my post last week: Some notes about the CDN that the NPO uses for podcasts.

--jeroen
