> "Red herring. People install or explicitly download code they want to run."
When you visit a website, and you have given your browser permission to run JS, you're giving your permission to run JS. If you want to block scripts by default, use an extension like uMatrix:
>> When you visit a website, and you have given your browser permission to run JS
My browser never asked me about JS. Even if it did, browser developers would switch the preference rather than annoy the user with a prompt every time a site wanted to run some JS. The end result is that whatever is common practice, the users will end up accepting by default. In such cases it is the responsibility of the people setting standards to keep the users safety in mind. The responses in this thread really make my point. So many making excuses for running excess code and even advocating more APIs.
Take some personal responsibility for the tools you use and how you use them. If a tool has some behaviour I don't like, but makes it easy to change it to something I do, there's no point in moaning that the option exists.
When you visit a website, and you have given your browser permission to run JS, you're giving your permission to run JS. If you want to block scripts by default, use an extension like uMatrix:
https://addons.mozilla.org/en-GB/firefox/addon/umatrix/