I really don't understand what the problem is with those people who ask you not to use JavaScript on your site.

Why the paranoia?

I went through all sorts of trouble trying to remove a couple of JavaScript scripts I used on one of my sites to appease a couple of "complainers". A month later, after a relentless attack by spam bots, I decided I better add the JavaScript spam prevention code back in.

JavaScript is obviously used by a lot of programmers. It is currently the 6th most popular tag here at Stack Overflow. It is used on practically every single website that I know of.

The claim that it is a security risk seems bogus to me. I've had JavaScript on in my browser for as long as I remember, and not once have I found out that anything malicious has happened.

JavaScript has, of course, been extended into AJAX. And AJAX is the thing that makes the wonderful world of Web 2.0 work. And that includes this wonderful Stack Overflow site.

So is there something I'm missing? Is there something wrong with JavaScript that I'm not aware of?


I am flabbergasted by the response to my Question.

The responses are strong and vociferous from the Anti-JavaScript people.

There was one pro-JavaScript comment, and it was voted down (as I write this to -2) by the others.

I turned JavaScript off to add this follow-up. I immediately notice three obvious things (There might be more):

  1. A big annoying white on red banner at the top of each page saying: "Stack Overflow works best with JavaScript enabled". (Annoyance)

  2. Comments cannot be viewed at all or added. You can't vote up or vote down. You can't select the accepted answer. (Loss of functionality)

  3. Of course none of the AJAX stuff works. I don't have access to the line of editing tools above this entry box, and I can't see the preview as I type this. (Inconveniences)

So as far as I am concerned, turning your JavaScript off results in Annoyances, Loss of Functionality, and Inconvenience.

I'm sorry for the handicapped people who have no JavaScript support, but I still don't get why so many of you are so religiously against using it.

Personally, I love what AJAX and its beautiful interfaces and enhanced functionality are doing to the Web. I try to add such features to my site and it annoys me when the Anti-JavaScript people ask me - no, demand of me to take it out because they can't access them.

But how many of you use Stack Overflow with JavaScript off? None I would expect. Your answer would be that you turn it on for sites you trust like Stack Overflow.

Okay. If I make a site that uses Ajax or JavaScript, then I'm fine with you turning it off until you decide to trust my site. But don't expect me to be required to give you all the functionality that I do to people who trust me. Even Stack Overflow doesn't.

If someone wants to embellish this idea, I'll give them the accepted answer.

Also see the question: Is it worth it to code different functionality for users with JavaScript disabled?

and my answer to that question (which, when I last looked, had been voted down by the Do-Not-Use JavaScript people).

Followup. I found the following opinion about JavaScript at the WP-SpamFree WordPress Plugin page:

"Most of the spam hitting your blog originates from bots. Few bots can process JavaScript. Few bots can process cookies. Fewer still, can handle both. In a nutshell, this plugin uses a combo of JavaScript and cookies (on steroids) to weed out the humans from spambots, preventing 99%+ of automated spam from ever getting to your site. Almost 100% of web site visitors will have these turned on by default, so this type of solution works silently in the background, with no inconveniences. There are extremely few users (less than 2%) that have JavaScript and/or cookies turned off by default, but they will be prompted to turn those back on to post their comment.

Stats show that among all Internet users, less than 2% have JavaScript turned off, and less than 1% have cookies turned off. This requirement isn’t anything out of the ordinary because most modern websites require the use of JavaScript and cookies for key features — AJAX, for example, won’t work if JS is disabled.

Overall, the very few that might be inconvenienced because they have JS and cookies turned off will be far fewer than the 100% who would be annoyed by CAPTCHA’s, challenge questions, and other validation methods."

+9  A: 

Some mobile browsers do not support Javascript and relying on Javascript might render them unsupported.

Mehrdad Afshari
As does using long lines of text, big pictures etc. I've often thought the idea of browsing on tiny screens will always be a second class experience.
Martin Brown
@Martin Brown: Actually, those work fine on at least some mobile browsers.
and Javascript works on some mobile browsers.
so the question becomes - why is the mobile device using a crippled excuse for a browser, and how does it become my problem? I know, I know, it's my problem because I'm being paid to make it my problem, but seriously, javascript is pretty standard - how do they get away with making stuff without it?
matt lohkamp
the same way that Apple gets away with not supporting Flash on the iphone?
+1  A: 

Cross-site scripting is a major concern. Also, just because you have not found out that anything bad has happened is not a reliable indicator that it hasn't.

In fact, XSS is not really related to your use of Javascript in a Web page. It's mostly the injection of *external* Javascript on your Web site by some other means (that are usually totally unrelated to JS).
Mehrdad Afshari
I was just going to say that - apparently I was 2 secs late ...
Brian Rasmussen
Your point is? How the Javascript got where is irrelevant to the user, what's relevant is that they can protect themselves from the attack by disabling Javascript, and that's a perfectly legitimate reason why they might visit your site with Javascript disabled.
Michael Borgwardt
Even disabling javascript in your browser will not protect you from all XSS attacks. (Ok, so XSS is really a misnomer - its HTML injection, and I can do a LOT with that, no scripts needed).
+70  A: 

Javascript is not good or bad, in the same way that a hammer is not good or bad. It's what you do with it that is good or bad. Many of the sites that use Javascript, use it where it is not actually necessary.

Some reasons why Javascript should not be overused:

  • search engines don't pick up script-generated content
  • creating a nontrivial script that works in all browsers can be tricky
  • many basic things can be achieved using CSS instead, which degrades more gracefully
  • XSS (as recursive mentioned) can make bad things happen to your visitors if you screw up (although scripts might still be injected even if your site is Javascript-free, of course)
  • you might think that every browser nowadays supports Javascript, but with more and more people using script-blocker extensions like NoScript for Firefox, this does not have to be true

Bottom line: Javascript should be used to enhance the website, but so far as humanly possible, the site should still work without it.

Thirding it (is thirding a word? =)
Forthing. Although I'd add some reasons why it SHOULD be used: 1) enhance usability and create a more dynamic feel (live form validation, drag and drop, etc, etc, etc), 2) AJAX, 3) security (as mentioned in the question), 4) it is an awesome and fun language (on a conceptual basis) if used properly
Matt Kantor
The reason most users run NoScript is to rid themselves are annoying ads and techniques where Javascript is used badly.
Forrest Marvez
Excellent answer, Thomas. Javascript is excellent for enhancing sites, but the core functionality should still be there, even if Javascript is disabled.
William Brendel
I wish I could upvote more than once - an excellent answer with a perfect synopsis at the end. I wish JS was used on all site to enhance the experience, not define it.
Software Monkey
I can't personally verify this but apparantly, Google Bot can now read JS.One of many example threads:
+1  A: 

My feelings about JavaScript can be read at my answer to another question. I'm definitely pro-JavaScript. However, after reading through the forum thread you linked to I have two thoughts.

  1. Some users will refuse to use JavaScript, as you have seen from other answers to this question. There is no way to change this fact. You have to decide if you are willing to lose those users. If you aren't, then you must provide an alternative method.
  2. My suggestion to you for your particular problem is to use your spam prevention JavaScript for users who have it enabled. For users who do not, implement a CAPTCHA solution. This gives the majority of your users the better experience, while providing the small minority the opportunity to use your site with slightly more inconvenience.
As I mentioned in my comment in my question, CAPTCHA is less than perfect at stopping Spambots. I could make users login to post, but that adds inconvenience to everyone. I'd sooner make No-Javascript people have to allow Javascript to post on my site, rather than inconvenience everyone else.
I'm not saying use CAPTCHA instead of the JS approach. I'm saying put the captcha solution in a <noscript> tag.
+3  A: 

We are worried that by visiting an evil site, it will attack our internal network, make a request to another site that I am logged into, or perhaps things like the myspace worm.

I choose to use the firefox plugin noscript. This allows me to whitelist sites I trust.

Of course we also get annoyed at stupid things web developers try to do with javascript like break the back button, prevent me from saving images, popups, etc. Disabling javascript makes the web a far less annoying place.

"Disabling javascript makes the web a far less annoying place" and also makes it an uglier less user-friendly place. Maybe you should also deactivate viewing images, because images may contain malicious things as well. How about Java? You can turn that off in Firefox as well.
Java in the browser is probably something more people disable than Javascript.
+17  A: 

The browsers used by blind/disabled people have limited or no javascript support.

Not to really disagree with you here but this isn't entirely true or accurate - there's plenty of "blind" users who use screenreaders attached to IE/FF/Safari and "blind" is an unfortunate umbrella term for a range of accessibility problems.
Sorry for not being entirely PC. I'm glad to hear ther's progress being made in this area. I was in contact with the local association for the blind only a few months ago and they informed me that none of the braille terminals in use here supported javascript.
The blind people I know usually use Internet Explorer or Firefox with screen readers such as WindowEyes or Jaws.
Greg Hewgill
Sorry, but you're just plain WRONG!
I suspect the disrepancy here relates to me living in a non-english language country. The multi-lingual support for WindowsEyes is still fairly slim. I'm adding a slight edit
YOu're probably right there. FWIW I mostly work with Jaws too.
I've always felt that if you want to cater for blind/disabled people it is better to provide a seperate text only site. For example the UK's Food standards agency provide both and
Martin Brown
Javascript in itself has nothing to do with visual indicators on-screen.A script in Javascript could just as easily operate on alternate forms of rendering that expose their object models to the scripting language.
Jason S
+9  A: 

My 2c (and why I disable every Javascript feature I can in Firefox aside from basic Javascript):

Client-side scripting is typically associated with annoying client-side behavior. From popup windows, to window move/resize, to status bar overwrite, to blinking images, to browser-specific interfaces: virtually everything annoying in the early days of the web was enabled by Javascript. Now, of course, there are many other ways to annoy, and a similar number of blocking addons, but Javascript is the grand-daddy of web pain and frustration.

I'd guess that (aside from security issues and legitimate complaints), that's the primary reason for residual Javascript hate.

That says nothing about javascript itself, though, only some of the people who code it. Any language can be used for good or evil.
Matt Kantor
So what you are saying is that the annoyances, or at least the dislike towards the annoyances outweight the enhancements or perceived benefits of the conveniences the Ajax provides.
You disable all the features you can in Firefox? Are you talking about these? "Move or resize windows", "Raise or lower windows", "Disable context menus", "Hide status bar", "Change status bar text"... the ones you get in the Options dialog? It's not 1998 any more you know.
so you can't be arsed to pick and choose the annoying aspects of a website, and disable javascript overall 'just to be safe'? that sounds like a uninspired way to deal with the problem...
matt lohkamp
+14  A: 

I'm pro-Javascript. People that disable it have only themselves to blame. I haven't read a single reason in this thread yet that would justify doing so.

However search-engine optimization and acessibility are serious concerns for some websites, so that is a reason to cut back on the JS goodness.

That said, I too first check if a particular effect can be achieved with pure HTML/CSS, and only then resort to JS if nothing else works (or I need a very complex behaviour).

'People that disable it have only themselves to blame.' Sorry, that's wrong. Webmaster are to blame, if they lose the user, that don't use Javascript for one of the many reasons (Security, avoid annoyances, javascript-unable-appliances, accessibility etc.)
read my comment, and you will see why it's bad.
dr. evil
+11  A: 

Just make sure that a webpage's basic functions work for everybody. There are valid reasons that webpages should be usable without JavaScript: Accessibility (a.k.a. for users that have to access webpages via non-standard browsers), machine readability (a.k.a. search engines, ...), even some nasty ads can go away if you disable Javascript. And yes, a page could request some stuff from somewhere else without you noticing, but it could also do that with a simple iframe or an img...

However that does not necessarily mean, that all functionality needs to be available. If it protects you, require JS for comments (as long as you can live with some people not being able to leave comments). That's a business consideration you've got to make. Noone can expect you to leave out your security just to allow them to be paranoid.

It's your webpage after all.

BTW: Yes, I'm very aware that this is a very controversal view, especially because it has "religion" involved.

Being on the "ripped off" side of the medallion for some time might have affected my point of view a bit, so I'm very much into protecting myself (as the person running a website) BEFORE protecting others. Obviously that does not give an excuse to allow the users to be attacked (i.e. you've got to do everything possible to avoid XSS, XRS, ...), but if you can help yourself (and - in fact - your users, because nobody wants an endless list of spam comments) by adding javascript to your comment mechanism: do it!

How in Turing's name could a site's security depend on using Javascript? The USERS security depends on NOT using it, and that's not paranoia, that's a simple fact becoming more and more true; XSS means you can't trust ANY site not to try and infect you with a trojan.
Michael Borgwardt
JacaScript can help to support the security of the website OWNER, who's the person spending money for it. Why on heaven's name would he put up a webpage that can hurt himself? He needs to do everything that could protect HIMSELF (and then second: protect the users, i.e. do everything to avoid XSS).
If you are depending on javascript as your only method to protect yourself, then you probably have something wrong in your site's design. Since javascript usage isn't mandatory.
BlaM: You've got it exactly right as far as the problem I encountered. Wanting to make my WordPress comments open on my site (no login) allowed uncontrollable spam and required a JavaScript solution (which spam bots cannot defeat). You would have been my answer, but that's not the question I asked.
@Zoredache: No one is talking about having JavaScript being the ONLY protection. However it helps greatly against spammers today.
+4  A: 

Doing government websites and others there is a requirement for accessibility. These specifications are quite rigid, and require the site to work without javascript. That doesn't mean you can't use javascript, but just that the site needs to degrade well and still work without the javascript. This is a lot of extra work, so some just say don't bother and go with the least common denominator.

I've always felt that if you want to cater for blind/disabled people it is better to provide a seperate text only site. For example the UK's Food standards agency provide both and
Martin Brown
+4  A: 

Javascript is a major attack vector for drive-by downloads.

Many browser vulnerabilites can only be attacked through javaScript, and about half the security alerts issued about browsers read "while we're working on a patch to this vulnerability, you can protect yourself against it by disabling scripting".

On what machines do you think those spam bots are running? Nowadays, most of them fell victim to a drive-by download on some website that used Javascript to attack a browser vulnerability, and in many cases the malicious code got into that website through an XSS attack. A study conducted by Google last year found 10% of all websites they surveyed to contain such attacks!

So yes, Javascript (Flash too, btw) is very much the problem, not the solution, and it's becoming a bigger and bigger problem. Eventually it will be too big to tolerate; you better be prepared to find a way to make your website work without Javascript when every single Joe User out there has (or closely knows someone who has) had their ebay acount, paypal account or even bank account broken into, and is told they could have avoided it by deactivating Javascript in their browser.

Of course, this is a worst-case scenario, and maybe browser developers will manage to get their act together, or some sort of sandboxing technology for Javascript engines (or the browsers themselves) becomes prevalent, though that would still do nothing to counter XSS.

But saying that Javascript is not a problem right now betrays appaling ignorance in someone who develops web apps professionally.

Michael Borgwardt
Serious webpages like PayPal, Ebay, etc. have serious protections against XSS. You know, making a site XSS-proof isn't much more difficult than making it SQL-injection-proof. Therefore I think you're vulnerable only if you use shady websites yourself. And then you are the only one to blame.
That's not true. There were serious attacks delivered through sites. I remember, that one year the website of the stadium hosting the finals of the super-bowl delivered a drive-by-download for a day.
@Vilx Unfortunately, nothing could be further from the truth. XSS is very subtle and complex; defending against it is infinitely more difficult, and pretty much every single "serious" webpage has been vulnerable to XSS at some time or another, often repeatedly. Just google "XSS ebay", etc.
Michael Borgwardt
A very scary article. Here's a link to the study author's page, which omits the Fnords:
+6  A: 

Is there something wrong with Javascript that I'm not aware of?

Javascript annoys me when it is required for the site to function, especially for things that should not depend on it (like opening a link). Basically your site should work perfectly with Javascript disabled - the Javascript should just make it nicer to use.

Say I have javascript disabled (for whatever reason - security, paranoia, CPU usage, ad-blocking etc), I should still be view that picture, albeit not with a fancy Lightbox effect, or submit a form, again albeit without dynamic in-line error reporting)

There's nothing "wrong" with Javascript, it just shouldn't be obnoxious, or mandatory.

+2  A: 

Where I work we place quite a lot of emphasis on website accessibility. Unfortunately, this means that excessive JavaScript use is hard to justify.

Every piece of JavaScript we use requires back up functionality to be in place for people who don't have JavaScript support (for example people who rely on using screen readers for browsing web sites).

I love JavaScript and the power it gives you on the client side but in the end we build sites that we want as many people as possible to be able to access and this therefore means that JavaScript use is limited.

Sometimes it's just easier and quicker to build the functionality without using JS rather than doing the same thing twice.

Robert Dougan

As this website needs javascript (at least if you want to access all features), you will only have a few users here, that are skeptical against Javascript. But it is true, that Javascript is the main vector for installing malware on end-user-computers. Many sites are infested, and the maintainer of the site don't even notice, because the site works as expected, but additionally is malware installed secretly. Besides that Javascript is often used for annoying stuff. Some appliances doesn't support Javascript or don't support it well. Javascript also can make a website problematic for blind users. So a mentionable amount of users can be scared away from your website by making Javascript necessary. Optional Javascripts don't prevent these users.

A good website-example is the Wikipedia. It uses some Javascript, but works perfectly without it.

EDIT: Twitter shows clearly the security-problem with Javascript. Some may argue, that is a problem with wrong code at Twitter, but if even such a big website cannot keep XSS out, how is it with local and small websites? It's not uncommon, that hacked websites execute silently malicious Javascript. Turning Javascript off is at the moment the best solution to that problem.

This website does not need Javascript. Although voting and comments, unfortunately, do.
"that Javascript is the main vector for installing malware on end-user-computers" - care to elaborate on how JS installs malware on your computer?
@nickf: Nearly every exploit of browsers need Javascript for execution. And as browsers are more and more becoming the main door for malware intruding your computer this is relevant.
+6  A: 

The claim that it is a security risk seems bogus to me. I've had Javascript on in my browser for as long as I remember, and not once have I found out that anything malicious has happened.

I'm sorry but this is a pretty lame excuse. Because you got lucky, you didn't visit so much dodgy websites or you kept your windows update all the time it doesn't mean others will do that as well. And there is still 0day attack window (time between the exploit and patch release) which is all about being a target and luck.

Defence in depth is crucial, 95% of the browser client-side attacks uses Javascript to deliver the exploits. Therefore disabling javascript is a really smart idea.

Secondly usability and accessibility issues. Javascript is a big problem.

Finally CSRF is nothing to do with Javascript in most of the CSRF attacks you don't even need Javascript. (you only need it if it's a POST request, and even in that case you just need to make a huge CSS and submit the hidden form in any click to the page. so still you can do it without javascript)

XSS is client protection and not the website. If your website is free from Javascript, you can still be vulnerable to XSS. Not using Javascript as a developer is not going save you against XSS. But as a visitor of the website disabling javascript can protect you against XSS.

dr. evil
I guess people who visit "dodgy" websites all their time who don't have their Windows up-to-date better turn off Javascript. :-)
@lkessler: Malicious Javascripts not only delivered by bogus sites, but by normal websites that are hacked. In the past that already happened to trustworthy instances. Also you cannot check in before, if a link leads to a 'bogus' site. If you load it, the scripts are already executed. A shortened URL doesn't help either.
JavaScript is often used to heap-spray an attacker's payload so the exploit can then execute the malicious code. Disabling JavaScript prevents this. When the user deems the site as trustworthy, he/she will enable JavaScript.
+2  A: 

"To Javascript or not" has valid, compelling reasons on both sides of the argument, which is the definition of a "religious argument".

I prefer to develop websites with Javascript not because it makes it easier (it definitely doesn't!) but to meet the requirements of the people I am delivering to, that the application be all whizzy and modern. However, building in Section 508 compliance will probably come as a shock to the project sponsors.

Ed Griebel
+1  A: 

This backlash against Javascript, which is a lot more common than you'd think, makes me wonder how the notion that "client apps are dead and Web apps are the future." You hear this all the time. I don't really understand how both of those notions can be so prevalent. I'm not talking about social bookmarking web sites, but actual applications.

+3  A: 

As far as I'm concerned, as long as you follow the practice of Progressive Enhancement, you can use as much javascript as you feel is necessary to create your web application.

The users who run into your site with JavaScript disabled or not supported will still have full functionality. The rest of your users will see your animations, AJAX calls (and thus less postbacks or redirects), and other dynamic features.

It requires more work, but it really is the best solution. Remember that there are limited cell phone browsers, old computers with old browsers, alternative browsing methods (screen readers, crawlers/indexers), and people who purposefully turn JavaScript off. It may not even be the majority of your users, but it can very useful to cater to them.

+5  A: 

I use NoScript in Firefox, and by default no Javascript will work. I allow scripts on a case-by-case basis.

Therefore, if you want me to let you execute Javascript at my browser, you need to give me some reason to do so. Some reason that I can see without turning it on, because I don't turn scripting on without a reason.

This doesn't mean I expect full functionality without JS. This means I have to have enough functionality to see what I'll be getting by turning it on, and enough to give me some sort of feeling of trust. This isn't necessarily ideal from a security standpoint, but it's what I'm comfortable with.

There's also my feeling that people who demand Javascript for even partial functionality are likely to put style way over substance, so there likely isn't anything I really want there anyway.

David Thornley
Why don't you just use gopher though?
+37  A: 

My feeling is that turning Javascript off in your browser is like taking all the lightbulbs out of your house in case you get electrocuted, but then complaining that it's dark at night time.

I'm not going to put objects in front of you to trip over in the dark, but don't expect me to go buying flashlights for you.

Funny, but not an accurate analogy. It's more like storing your extension ladder in a locked garage - there for when you need it, but not readily accessible to the burglar.
Software Monkey
Javascript's like an extension ladder when you're in a two storey house with no stair case. I mean, downstairs it's liveable, but upstairs you get a view!
+12  A: 

My take on the whole issue is as long as you're coding your Javascript to add to the users experience in a positive way, you're using Javascript correctly. The reason many disable it is because there are many terrible developers and companies out there that abuse Javascript for advertising, spam, harassment, and other nefarious ends.

Javascript brings a whole new experience to uses via Ajax, and several other frameworks/applications and shouldn't be ignored completely. There are compatibility issues galore but so does CSS and standard HTML, but we still use those day in day out.

I agree with an above post, "Javascript is not good or bad, in the same way that a hammer is not good or bad. It's what you do with it that is good or bad.". And the same could be said for any programming language.

And for those turning off Javascript entirely, you're missing out on a world of convenience and neat tricks that have helped push the web into the so called 2.0 and 3.0 web experiences.

Forrest Marvez
+1  A: 

Javascript can certainly be used to make a site more accessible. Look at Google's Keyboard Shortcuts Beta

If you visit this site without javascript, you'll see that it acts no differently from a typical google search. Visit it again with javascript enabled, and you'll find that the "j" and "k" keys will move to the next and previous search results (respectively), and navigate to the selected item upon pressing the enter key.

It is the responsibility of the developers to consider accessibility (such as alt text, etc.). A common problem is that some developers rarely make it a priority.

John Nelson

I found the following comment at:

I believe 2 [requiring javascript] isn't a major issue in that you can put a message on your comment form to the effect that if you are unable to use the form, please send an email and you'll add the comment for them. Maybe that will put some people off, but it shouldn't ... Besides, many people are now using conventional Javascript browsers with screen reader software instead of the old text mode browsers like Lynx, so this problem should diminish for disabled users. As for the tin-foil-hat-wearers that disable javascript in their browsers out of paranoia, they can stay silent for all I care :).

+2  A: 

I think a lot of users dislike javascript because it is yet one more thing that takes control of usage out of the user's control.

Besides the security concerns, javascript is very, very easy to do badly. Novice interface designers can cram tons of useless gimmicks into a webpage and set off a cascade of side effects that the user cannot control.

My personal pet peeve is the "Are you sure you want to leave our wonderful site?" popups that show up apparently at random.

No code should be configured in such a way to wrest control from the user. Every interface should have simply one user-action to one result correspondence. A button shouldn't have result A on Monday and result B on Tuesday. (Or worse, the button behaves differently depending on many times you have hit it previously!)

Javascript can be a joy on the site of a responsible and competent developer but if even just 5% of sites use javascript incompetently, abusively and even criminally, a lot of users will decide the benefits just aren't worth the hassle.

Your site might have a lot of nifty javascript features but if the next site I navigate to uses javascript to insert a trojan, the benefits that your javascript provides won't offset the damage caused by the next guy.

+2  A: 

I'm not surprised that there is a vocal anti-javascript bloc among developers. Its a language with a checkered past. The flexibility of the language backfired, resulting in a web that sometimes feels like a stinking pile of badly written javascript hacks.

But I have a feeling that a lot of the anti-js sentiment comes from the time when js as what you used to make your cute flying mailbox animated gif open your guestbook in a new window, or what generates the storm of pop-unders when you try to leave a porn site (don't pretend that isn't what annoys you about js! You know I'm right!).

Javascript is evolving. In the last couple years it has been embraced as a first class language, suitable for serious application development. You can decide to use NoScripts or the like, and only turn it on case-by-case, but you're going to find yourself turning it on more and more often.

Other answers have mentioned the accessibility issues, and of course the security issues, and others still have talked about solutions to those issues that don't include "ditch js" (how do you impliment keyboard shortcuts without js??). I welcome high expectations, but you can't bitch and moan without also talking about solutions.

Javascript is not the problem. As a designer I build sites with accessibility, security and compatibility in mind. I do so assuming js will be turned on. I contend that this is a reasonable design assumption. Things should degrade gracefully of course, but opinionated developers who turn off js to make a point are not users I design for.

@jasongetsdown - Keyboard shortcut w/o JS ==> `accesskey="X"` - but +1 for informative post overall.
Peter Ajtai

The whole idea that web 2.0 should degrade gracefully to 1995 is ridiculous.

If you going to gmail, ya better be at least 5 years current. And is that too much to ask?

It is totally 1995 thinking that the execution of code loaded from the net is no problem. The last Twitter-Worm based on XSS shows the problem clearly.