Ask HN: Do you browse the web with JavaScript disabled?

38 points by diceduckmonk ↗ HN
We have two versions of our product: (1) SPA-like experience and (2) <14kb, <200 lines of css, <30 lines of JavaScript.

We are debating whether to maintain the LiteMode (the SPA is actually SSR, we've decoupled our MVC well, so maintaining the LiteMode is only 20% more work). This got me thinking. What if we made the LiteMode entirely text-only, maybe with some optional CSS. No JavaScript.

I tested HN and it degrades fairly well. Some things such as the comment toggle doesn't work. There's actually a HTML <details> element nowadays provides this toggability out of the box without JavaScript. At any rate, is it worth voiding the LiteMode of any and all JavaScript? Do people browse the internet with JavaScript disabled?

70 comments

[ 4.7 ms ] story [ 104 ms ] thread
Largely, yes. I'm a heavy user of uMatrix, so I can toggle JS and other resources by domain. By default, JS is off, but if I trust a site enough (which is a low bar), I'll turn it on for the domain and most CDNs, but not for any GTM/FB domains.
I am one of the few exceptions not the rule so take what I say with a grain of salt. I browse the web with JavaScript and external fonts disabled. I also force every site to use the same font and font size.

I enable JavaScript if I know who is running a site and where their company is located and/or if I have a binding contract with them. Even then I use disposable containers [1] for those sites and run bleachbit before/after visiting such sites and use sqlite3 to clear visit_time from places.sqlite. I launch Firefox from firejail [2] with AppArmor enforcement.

[1] - https://addons.mozilla.org/en-US/firefox/addon/temporary-con...

[2] - https://github.com/netblue30/firejail

Out of curiosity - why are you so keen on hardening your browser? Because of the standard trackers / ads / data siphoning / etc., or something more?
I suppose I am cynical from a lifetime of people trying to do devious things to my machine. It is just my personal preference to be a less obvious target and have some ability to detect when a website is trying to do something shady. There is a chance I can get their domain added to the uBlock lists if I have evidence.
As much as I can weather, yes. Sometimes things become so broken I allow more to run than I'd prefer, when really I should just go elsewhere
Self-reply/tangent/rant -- I really miss the lighter web of the 90s/early 2000s.

My picture of the ideal internet is surely boring. This is probably an overshooting response to being absolutely desensitized by the current internet

No, and to be frank, I’ve never known anyone who has disabled JavaScript in my personal and professional lives.

I recently gave it a shot on an old, sluggish iPad. I was blown away at how many websites just…don’t work, or only partially render.

It’s part of the modern web stack, and catering to those who disable JS is like catering to those who run FreeBSD - they exist, and they’re smart people, but their numbers are so small that catering to them makes no sense from a business perspective (unless they are a target demo).

With that said, removing the interpreted JavaScript runtime from your site is a laudable goal and things should be smoother, faster, and lighter.

I'm pretty sure if NoScript had a default that allowed *.domain and domain, most sites would render quite ok. That's my experience from using it for years and years. There are sites that require a few extra things, however many of those are repeated across sites: google fonts, jquery etc.

To be honest, I feel like there is a user-friendlier version of NoScript that should make us feel mostly unhindered. I don't know the consequences of always allowing the sites domain, though. Many trackers have their own domains.

I would pay for a curated whitelist of things (domains?) to be whitelisted in NoScript. As I'm typing this I am realizing that I have never looked for such a whitelist. Maybe there is some community maintained thing?

Is there an established AV product that has this feature?

Right now I am slowly and painfully building my own whitelist because everything is blocked by default and I allow as needed.

> I would pay for a curated whitelist of things (domains?) to be whitelisted in NoScript.

However much you would pay, advertisers would pay more.

It seems unlikely that you the value you assign to a whitelist would be more than the value advertisers assign to being seen... by all NoScript users. You would be out-bid by corruption.

You are probably right. Also I suspect the choice to whitelist or not can be hard to agree on. Maybe block all advertising things. Maybe only some of it. Maybe allow everything that isn't straight up malicious. And so on.
There used to be assets maintained by a particular person for uMatrix that had decent defaults for services, with only non-essential stuff blocked. I can't remember what it was called for the life of me.
Yes, I keep JS disabled by default. For most websites, I will simply not allow it to be executed at all. If this breaks the website, I don't use the website.

For the small set of sites that are actually important to me, I selectively allow the minimum number of scripts required to make the site function well enough to do what I need it to do.

Mostly yes: I use JS-blocking browser extensions, which (mostly) offer domain-by-domain control over JS loading. And only enable JS when the risk/reward ratio seems low enough.

Between the browser security issues & resource usage, anti-improved speed & UX, etc. - enabling JS is mostly not worth it to me.

(Yes, doing this kinda rules out a fair number of web sites for me. But with ~10,000x more content on the web than I could view in my remaining mortal years anyway...ruling out a lot of sites is a feature, not a bug.)

Which one? I used NoScript but on Firefox it always reblocked all allowed domains after reopening the browser.

It used to work fine years ago, and some people say that's not normal behaviour, but I've stuck with it for a few versions and got sick of it.

Honestly, just an ad blocker is enough.

At the moment, NoScript on FF actually. With how few domains I load the JS from, the "reblock after reopen" behavior is 60/40 feature/bug for me.
This isn't going to be a very useful survey since the headline here will only attract the attention of people (like myself) that have JS disabled.

That said, we're normally undercounted because JS itself is used to do the counting so I guess this balances things out.

If a site doesn't display without JS then my first move is to toggle off CSS and see if I can read it. If I can't I check source to see if I can read it. If I can't I close the tab.

Yes, where possible.

What I really want is a CPU budget for websites, you can run 2M operations or something, and then you're put to sleep.

For the most part, yes.

I usually leave, and if I can't find what I need somewhere else, I may come back and fiddle either with CSS or even enable JS during that session only.

Rarely does a website make it to the list were it's always enabled. This is true for personal and work.

I use NoScript and whitelist JS on a site by site basis (usually temporarily). For an app/product that I'm using regularly I'll whitelist likely looking domains until it works, and save those settings.
I came here to say no, I don't for the silent majority. There's a large amount of pain coming with being so vigilant about security. I'd rather spend my time and energy else where.
You do it, saying 'no', to speak for the silent majority?

Or you don't disable JS because of the majority?

I think he left out a word

"I don't [speak] for the silent majority"

I am assuming because this is a standard turn of phrase

I don't think so, I parsed it as, since the vocal minority especially on HN would say yes, they came here to say "no, I don't" for the silent majority. They're speaking for the majority.
ah right, that makes more sense, so something like: 'I came here to say "no, I don't"; for the silent majority'
I am in the whitelist camp.

But reading this thread sparked a thought: could browsers handle server side handling (e.g. submit buttons) in the way React and alike frameworks work: instead of rebuilding the page from scratch diff the current DOM and the DOM for the new page and apply the diff in a smooth transition with animations?

I believe it is important to support non-JS user agents.

For example entire Kagi Search runs with no JavaScript enabled in the browser. We see JavaScript as a way to enhance client experience, not create it. So bascially Kagi is in 'lite' mode by default.

> Do people browse the internet with JavaScript disabled?

Some people do (and you'll get a disproportionate number of them here), but unless yours is a niche product particularly aimed at such people, they're an insignificant number in comparison to the billions who've never even heard of such a thing.

YES.

I have it enabled for certain sites I frequently use, otherwise it's disabled by default.

It makes browsing much smoother IMO.

I don't, no, because it's just not practical to do so in 2022, but I do love sites that ditch it, on principal.
I do browse with JS off by default (usually FF with noscript, though occasionally with simpler web browsers), often leaving pages if they require JS while they shouldn't and I can avoid those, and I know others who do the same.

Maybe a poll would be more suitable for this kind of a question though, and I guess there must be some already collected statistics around.

Edit: Speaking of "LiteMode" and accessibility in general, I think it's also nice to not go too heavy on CSS or assumptions about fonts. I used to override CSS (browsed quite a lot in the dark, so enforced a light-on-dark theme), to use textual browsers, and still disabling web fonts and setting a minimal font size, which occasionally leads to slightly messed up markup and related issues. Though those sorts of things tend to be covered in various accessibility guidelines.

I did when I was unhappy with my phone’s battery life, but within a week honestly I found enough problems with sites that I had to enable it.
I use uMatrix with a relatively strict set of blocks. By default, I allow first-party JS, and a handful of 3rd party CDNs. This is _even worse_ than browsing with JS off for most sites, as the <noscript> fallbacks don't work, but usually things are broken in one way or another because everybody depends on a ton of external libraries and services. I mostly do this to keep myself aware of the relationships between sites, and to disable the annoying "give us your email" popups that so many sites have these days.
No. It is an ever increasingly esoteric practice.

That 20% more work could be put in to improving the main product instead.

I use ff+uBO with js disabled by default, and then I peace-out when I see blank white pages that don't even render using reader view, temporarily allow if I think it'll be worthwhile, and whitelist for sites I either use regularly or deem trustworthy enough. I have surprisingly few websites whitelisted, and I don't usually toggle it. Things like Nitter and Teddit work just fine. Wikipedia and HN don't need it. Many news sites don't really break without it, and if they do then that is my peace-out territory. And some even offer text-only, like Lite CNN and text.npr.org to name a couple.

What do I actually need javascript for? It actually is really easy to do without for the majority of what I use the web for anyway. YMMV.

Disabling JS works for document based websites. How do you use web apps however, like banking sites, email, travel sites, etc?

I use uBO too with FF but I found that disabling JS globally is too annoying for many sites that are not documents. I use Twitter and Reddit (and not their alternatives you listed) because I have accounts that I want to use to comment on things for example.

Yes! Finally got back to noscript (for firefox) after a break and I think the "enable js from this domain" is the lesser burden compared to all the other nag that just seem to disappear.

Also, it's a positive feedback loop for your web paranoia... seeing all the crap that gets loaded.

Yes, I usually disable JavaScripts. Sometimes I also disable CSS, too (and sometimes this allows web pages to be displayed that aren't displayed if JavaScripts are disabled).

You should make a version without JavaScripts and minimal (if at all) CSS.

Occasionally some things are going to require JavaScripts; in the case that they really do, you should ensure that documentation, links with other protocols/file-formats (if any), etc, should be visible and accessible even without JavaScripts, too.