Are they right, Sup Forums?

Fuck no, I stopped using mixtape purely because of that.

>trusting some random nobody site to install malware and run cryptominers on your PC
Nope.

They were right before meltdown/spectre happened

Mixtape is open source

gitgud.io/Sapphire/mixtape.moe/

They are
The truth hurts
But not me
Because I'm not a "fucking autistic neckbeard"

>he checked "Spoof tags when 1st-party scripts are blocked"

>start using no script
>every fucking website malfunctions
Don't know what to do.

try not being autistic

>not exploiting spectre with clever CSS and HTML

You allow the scripts that are required for the site to function.

and how do you know that the malware scripts are embedded into the scripts that also make the site function?

are not*, obviously

99% of all tracking/ads scripts are loaded from a third-party domain so if you want to minimize your work then you can allow first-party scripts by default. There's also this nice addon so you can have JavaScript enabled but disable parts of it.
addons.mozilla.org/en-US/firefox/addon/webapi-manager/

You say a little prayer and hope that they're not.

you're face to face with an autist however

One thing to add about allowing 1st party scripts by default would be that if you ever end up on a compromised/malicious site by accident, you would not be protected against shit running by default.
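
The first-party-by-default policy discussed in the posts above, and its blind spot on a compromised site, as an added example that is not from any poster in the thread. The function names, the allowlist parameter and the sample URLs are constructed for illustration, and "site" is approximated by the last two hostname labels, whereas real blockers use the Public Suffix List.

```javascript
// Added example: a simplified "allow first-party scripts by default" decision.
// Assumption: a "site" is the last two hostname labels. Real blockers use the
// Public Suffix List, so names like example.co.uk are grouped wrongly here.
function site(hostname) {
  return hostname.toLowerCase().split('.').filter(Boolean).slice(-2).join('.');
}

// Decide what happens to each script on a page under the policy.
// allowlist (hypothetical): third-party sites the user explicitly allowed.
function decide(pageUrl, scriptUrls, allowlist = new Set()) {
  const pageSite = site(new URL(pageUrl).hostname);
  return scriptUrls.map((src) => {
    // Relative URLs resolve against the page, so they count as first-party.
    const scriptSite = site(new URL(src, pageUrl).hostname);
    const party = scriptSite === pageSite ? 'first' : 'third';
    const allowed = party === 'first' || allowlist.has(scriptSite);
    return { src, party, allowed };
  });
}

// Constructed sample: an ordinary page with its own scripts and a tracker.
const normal = decide('https://www.example.org/upload', [
  '/js/upload.js',
  'https://cdn.example.org/lib.js',
  'https://ads.tracker.example/t.js',
]);

// Constructed sample: a compromised site serving its payload from its own
// origin. The policy sees a first-party script and allows it.
const compromised = decide('https://compromised.example/', ['/js/injected.js']);

console.log(normal, compromised);
```

The policy filters by where a script is loaded from, not by what it does, so it only helps when the unwanted code is hosted on a different site from the page.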

I love how Sup Forums always forgets js is sandboxed in the browser and it can't just access anything native like storage or processes

I'm not a js blocker, but still
>what are exploits

why not open a repository on github and upload audio there?

At least the owner is on point.
However, it is possible to do that w/o JS, just through a button.

Right, I keep forgetting how complex software on the order of millions LoC never ever has any bugs.

>running random scripts through your browser
No. They are faggots, just use something else.

yes they're right.
>/nr/

owo

Wouldn't that require the user to press a button repeatedly or something? CSS/HTML aren't Turing complete yet (although I'm sure they'll manage to fuck that up in the near future) and still require repeated user input to continue running last I checked.

>inb4 CSS/HTML implementation of Spectre as a variation of Cookie Clicker or similar browser games

Don't use mixtape, it's shit. Ultra slow servers that 90% of the time won't actually establish a connection.

>Literally just a file-select component
>Standard in HTML since 1995

Webshits can't figure out how to do literally anything anymore without installing some javascript library to do it for them.

CSS3 is Turing complete

There is no technical reason that a file picker would ever require JS. It's most likely just the dev's attempt to trick users into allowing their analytics/adsense trackers so they get paid.

>CSS3 is Turing complete
No, it's not. I've seen the demonstration and it doesn't run itself and instead only advances every time the user clicks something. That's not Turing complete.

This is why the whole block all JS movement is a meme

If it was up to Sup Forums we'd all be cruising plaintext websites written in haskell.

Yes
That was there since the original pomf.se

Unless they redefined Turing completeness recently, it's still Turing complete. Unless you think no language is Turing complete because it requires that the computer remain powered to process the next instruction?

If it's just some random website I just leave. If I think I can trust it I allow some JS. Better than running all JS by default.

From Wikipedia:
>The machine operates on an infinite[4] memory tape divided into discrete cells.[5] The machine positions its head over a cell and "reads" (scans)[6] the symbol there. Then, as per the symbol and its present place in a finite table[7] of user-specified instructions, the machine (i) writes a symbol (e.g., a digit or a letter from a finite alphabet) in the cell (some models allowing symbol erasure or no writing),[8] then (ii) either moves the tape one cell left or right (some models allow no motion, some models move the head),[9] then (iii) (as determined by the observed symbol and the machine's place in the table) either proceeds to a subsequent instruction or halts the computation.
>(iii) (as determined by the observed symbol and the machine's place in the table) either proceeds to a subsequent instruction or halts the computation.
The CSS3/HTML demonstration can't achieve iii since it automatically halts until the user manually restarts it by clicking another box.

uMatrix with only 1st party css and images on by default, and then exceptions for the sites you most commonly use and quick cheeky uMatrix disablings (or better yet, specific cookie and/or css and/or images and/or js, etc) for sites you're only using for 5 minutes or less. And you also install uBlock so whenever you temporarily disable uMatrix on a site, you're still not hit by ads.

It's a bit cumbersome while you get used to it, but you're at least not getting fucked so hard. I went full paranoid a few years back when fucking news sites were turning my webcam on for a fraction of a second, which I assume means they were taking pictures. Fuck that shit.

I used Noscript to block JS when on a low spec machine, worked great. Honestly it's the only reason to disable it these days as long as you have an adblocker :^)

This is fucking hilarious.

>software is buggy so therefore javascript must be a virus!

gnu.org/philosophy/open-source-misses-the-point.html

get a new picture fuck that one's seven years old

JS can access a lot of on disk stuff though (like parts of your hard drive and your camera, with browsers now allowing notifications) and it+server side scripting can do damage under the right circumstances.

post JS that accesses my hard drive or camera without my explicit permission

webcamjs

As for the hard drive, sure, you need to give permission, but that's what social engineering is for.
nakedsecurity.sophos.com/2016/06/20/ransomware-thats-100-pure-javascript-no-download-required/

>webcamjs
See pic related. So by "the right circumstances" you meant "if the user explicitly chooses to allow it".

Or flash.

>what is xss

not only does flash also require user permission, running js does not mean you have to also run flash applets.

are you fucking retarded? xss still triggers the permission dialog.

>flash also require user permission
encrypted.google.com/search?q=flash webcam exploit

so the best you have is a patched flash exploit? this is supposed to convince me JS is a problem?
wow.

>a

But anyway, go ahead and use all the javascript you want then.

okay? seriously this is a hilariously weak fucking argument. you do understand that you can just not run flash and still run JS, right...?

>and how do you know that the person you unlock your door for isn't going to shoot you when you open it?
>This is why the whole lock your door movement is a meme

Your shit logic goes on and on

Depends on how the flash element is instantiated. Have you ever webdevved in the least? Because it sounds like you're only going from final user experience.

In which case, please, feel free to send those $1000 to the african prince.

trusting some shittier file sharing site with my java

post flash applet that runs without my permission

>running an applet in the browser
>ever
lmao fucking kids here too young to remember IE

You've already been given enough links and keywords to get it yourself. But here's an XSS one.
klikki.fi/adv/flash.html

>hurr patched
Yeah, you always keep your flashplayer.so up to date. And so does everybody else in your family. And there's no such thing as a zero day.

>no proof
>untestable
>from 2015
>find the proof for my argument yourself
Wow you're really convincing me here.

>you always keep your flashplayer.so up to date
All modern browsers do this by default.

You can also just disable Flash entirely and still run JS, so this is still a moot point???

I'll respond to further posts which actually manage to criticize JS.

JS is poopoo

I don't criticize JS I criticize devs that rely on it.
>why should I do it serverside when I could just do it clientside!

Websites are way too bloated these days and I dislike JavaScript's type system