Let’s get started.
1. Click Settings in the Chrome menu.
2. Select Advanced at the bottom of the Settings page.
3. Under Privacy and security, scroll down to Site Settings.
5. Toggle to Allowed.
And you’re done!
YouTube still works without JS but defaults to Flash, which is a worst-case scenario—and even that won’t be available for much longer. In 2020, Chrome will pull support for Flash because of its vast privacy and security issues.
On the other hand, that very ubiquity works against it. Just as there are more viruses for PCs than for Macs, for the simple reason that there are more PCs to target, JS became a more popular route for attacks as it got more popular with users.
The advantages of this approach are well-known: nobody needs to reinvent the wheel, and most JS libraries are scrutinized by multiple skilled developers, cutting down on bugs.
Script injections can be used to do anything from altering a website’s appearance to accessing user account data.
These attacks take advantage of the fact that, by default, your browser interprets and runs any script that’s embedded in HTML. So if attackers embed tags like <SCRIPT>, <OBJECT>, <APPLET>, or <EMBED> into a website’s code, your browser’s JS engine will run that script.
Cross-site scripting (XSS) is a type of injection technique that allows the attacker to inject malicious code into a vulnerable web application to hijack the interactions users have with it.
It can be used to perform unauthorized activities and phishing attacks. It can also be used to capture keystrokes, stealing personal data and passwords in the process, or to steal sensitive information directly.
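As an added example (not from the original article), here is the same user comment rendered without and with output encoding, plus a check for the four tags named above. The function names and the sample comment are constructed for illustration.

```javascript
// Added example: one user comment rendered without and with output encoding.
// All names and the sample input are constructed for illustration.

// Tags the article lists as ways to embed script in a page.
const ACTIVE_TAGS = ["script", "object", "applet", "embed"];

// Vulnerable: user input is concatenated into markup, so the browser's
// parser treats any tag inside it as part of the page.
function renderCommentUnsafe(comment) {
  return '<div class="comment">' + comment + "</div>";
}

// Encode the five characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: the input is encoded first, so it reaches the browser as text only.
function renderCommentSafe(comment) {
  return '<div class="comment">' + escapeHtml(comment) + "</div>";
}

// Defensive check: list the listed tags that appear as real markup in a
// rendered page (case-insensitive, as HTML tag names are).
function findActiveTags(html) {
  const found = new Set();
  const tagOpen = /<([a-z][a-z0-9]*)/gi;
  let m;
  while ((m = tagOpen.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    if (ACTIVE_TAGS.includes(name)) found.add(name);
  }
  return [...found].sort();
}

// Constructed sample input: a harmless script plus an embed tag in mixed case.
const sampleComment = 'Nice post! <SCRIPT>alert(1)</SCRIPT><embed src="x">';

console.log(findActiveTags(renderCommentUnsafe(sampleComment))); // [ 'embed', 'script' ]
console.log(findActiveTags(renderCommentSafe(sampleComment)));   // []
console.log(renderCommentSafe(sampleComment));
```

The encoded version still shows the visitor exactly what was typed, but the browser receives it as text, not as tags.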
But ads are a popular attack route.
To make matters worse, Windows doesn’t show you file extensions by default—and some criminals, wise to this, label files with double extensions, like this: suspicious.PDF.js.
Lack of risk assessment
The chances are good that you’re not at risk. But if security is a top priority, it might be a good idea to turn JS off.