JavaScript

• Forced requirement: Many webpages (and even entire websites), force the user to keep JS enabled. In 2026, considering the advancements in HTML and CSS technology, there is no technical reason why any website (other than real-time simulations and low-latency gaming) would ever need JS. The only valid justification are legacy code-bases, since those are impractical to migrate to no-JS solutions. That is, newer web-sites have no reason to use JS, let alone mandate it.
• Excessive tracking: JS is much more capable than HTML and CSS combined to track user behavior, because of its first-class access to user-agent (UA) APIs. JS can communicate with almost any server (only limited by CORS) at any time (limited by connection availability), using a plethora of protocols. JS can get hardware information and compute a fingerprint of the device, user, or both.
• Targeted ads: JS makes it harder for ad-blockers to block ads, since it can be used to make overly-dynamic ads. The data collected by malicious JS makes it trivial to serve personalized ads, even across unrelated sites.
• Market control: JS (alongside Wasm) are built into almost every web-browser and UA, including "light-weight" ones (such as w3m). Incentivizing companies to use it for everything, since "there's no need to worry about compatibility or portability". Some people say that JS shouldn't even be a Web Standard,^[3][4] implying that it should be an extension or plug-in (such as Java Applets and Adobe Flash) the user willingly installs; this would reduce the incentive to use JS, as there's no guarantee the user has it.
• Security nightmare: JS is well-known for being a poorly-designed tool.^[5][6][7][8] This leads to programmers and even experienced software-devs to accidentally add vulnerabilities to their code. That, and the fact that JS is Turing-complete (both in practice and in theory) is a recipe for disaster, as it makes debugging and reverse-engineering impractical in many cases. The most common vulnerabilities found are:
  • XSS, which NoScript tries to mitigate
  • Arbitrary code execution and code injection. Typically caused by eval (part of the ECMAScript spec), but there are Web APIs (such as setTimeout and setInterval) that can be misused as well.
  • Remote code execution. This is used by hackers and crackers to build bot-nets for DDoS or crypto-mining, but it's mostly used for spyware since it can hide more easily.
  • Sandbox escape. Modern browsers compile JS to native CPU code (see JIT) to improve performance; this introduces a higher risk of sandbox-escape, as the code can more easily find vulnerabilities to manipulate the engine.

This is a list of all consumer-protection incidents related to this product. Any incidents not mentioned here can be found in the JavaScript category.

Short summary of the incident (could be the same as the summary preceding the article).

• LibRedirect explaining why it exists, and how Google Chrome's MV3 limits it
• https://daringfireball.net/linked/2025/01/18/google-search-javascript
• https://blog.jim-nielsen.com/2025/javascript-required/
• https://techcrunch.com/2025/01/17/google-begins-requiring-javascript-for-google-search/
• https://serpapi.com/blog/google-now-requires-javascript/
• Google being anti-competitive towards Firefox: https://github.com/uBlockOrigin/uBlock-issues/discussions/3240
• Meta refusing to serve content to noscript users, and deliberately nagging them to install the app or login: https://github.com/Rudxain/uBO-rules/pull/9
• Websites that nag users to enable JS, even when it provides negligible value
• Discord being extremely bloated to the point of crashing when opening Developer-tools: https://github.com/Rudxain/uBO-rules/blob/42220bd4f80052ee15136dff7269df19529c43ec/rx.ubo#L3-L19
• "Enough with the JavaScript already!"
• "Maybe we could tone down the JavaScript"
• "You don't need JavaScript for that"
• "You really don't need all that JavaScript, I promise"
• "Progressive Enhancement Still Important"
• https://www.w3.org/wiki/The_principles_of_unobtrusive_JavaScript
• "Everyone has JS, right?"
• "Shipping a button in 2026…", by Kai Lentit. This illustrates the burnout and fatigue software developers can experience on a daily basis
• HTMX developer advocating for less JS
• "Web Obesity Crisis"
• "How web bloat impacts users with slow connections"
• JS bloat (2024)
• How JS makes web apps more unstable
• GNU/FSF explaining why JS takes freedom away
• GNU/FSF explaining why "web apps" shouldn't exist. WARNING: contains overzealous claims! (according to Rudxain). Related: Local-first
• Interactive page (game?) showing how websites can track almost anything the user does
• "Browserize" fingerprinting showcase
• "CreepJS" fingerprint showcase
• More sources (TO-DO)

• Electron
• Mozilla