Enable JavaScript in Chrome with 5 Clicks

How do you turn JavaScript on and off in Chrome? Here’s how to do it in just five clicks, and why you might want to enable it—or not—in the first place.

Let’s get started.

1. Click Settings in the Chrome menu.

2. Select Advanced at the bottom of the Settings page.

3. Under Privacy and security, scroll down to Site Settings.

4. Click JavaScript.

5. Toggle to Allowed.

And you’re done!

Why should you enable JavaScript?

Most websites have JavaScript elements now.

It’s a simplification, but essentially: HTML tells website elements where to be, CSS tells them how to look, and JavaScript tells them what to do. JavaScript handles interactive elements and things that move.

That means it’s the force behind everything from Google Docs to popups telling you that you forgot to add your phone number to a signup form. The character counter on Twitter that lets you know if your tweet is too long? The Cloudflare account we’re using to stop our website from being flooded and shut down? Google Analytics? All JavaScript.

As Flash has fallen from favor—just 5% of websites now use it—JavaScript has stepped into the position Flash used to fill: the go-to solution to making anything move on a website. So Facebook, YouTube, and other video sites are also dependent on JavaScript.

YouTube still works without JS but defaults to Flash, which is a worst-case scenario—and even that won’t be available for much longer. In 2020, Chrome will pull support for Flash because of its vast privacy and security issues.

So the main reason to turn on JavaScript is so the internet works. Without JS, the web is slightly faster and cleaner, with fewer ads, but with much-reduced functionality as well.

Is it safe to enable JavaScript?

JavaScript is so essential to the modern web that most browsers include a dedicated JavaScript engine just to run it—V8 on Chrome, for instance. Most of the time JavaScript is safe.

Many websites use jQuery, a library of prewritten JavaScript—it’s used by 73% of the 10 million most popular websites—and tools like Bootstrap also use third-party JS libraries. These are typically hosted by Google’s content delivery network and managed by teams that include security professionals. Many of these libraries do contain vulnerabilities (see more on that below) but in practical terms, they’re usually safe to use.

JavaScript dates from a time when bandwidth was expensive and so was server space. Because JS is executed on your computer, rather than on the servers of the websites you visit, it doesn’t strain server space or leave much of a dent in bandwidth, making it an ideal choice for developers starved of resources.

But letting a website execute code on your computer is a security risk. This risk is mitigated by sandboxing: JavaScript is not allowed access to the computer’s operating system or to web browser windows outside the one it loaded in. This sandboxing sharply reduces the opportunities afforded by JavaScript for malicious activity.

On the one hand, since it’s far more secure than Flash and a vital addition to static HTML and CSS, it’s now ubiquitous. 95% of websites use JavaScript for client-side programming.

On the other, that very ubiquity works against it. Just as there are more viruses for PCs than for Macs, for the simple reason that there are more PCs to target, JS became a more popular route for attacks as it got more popular with users.

Why should you not enable JavaScript?

JavaScript is fairly safe to run in most browsers, but that’s not the same thing as “perfectly safe.” Because it’s script from a website that’s executed on your computer, it can contain malware and exploits.

Additionally, much of the JavaScript that websites and apps use is third-party code drawn from JavaScript’s enormous open-source programming scene.

The advantages of this approach are well-known: nobody needs to reinvent the wheel, and most JS libraries are scrutinized by multiple skilled developers, cutting down on bugs.

That’s obviously great and constitutes a major part of JavaScript’s appeal. But it also means that when an organization uses these libraries, they’re trusting every developer who contributed. Several libraries could represent hundreds of developers.

There’s no need to expect that malicious code has been added by another party or that any of those developers had bad intentions. To create vulnerabilities in JavaScript requires only the kind of oversight you’d expect when security is job #2, behind usability.

So if there’s potential for vulnerabilities in the code of JavaScript libraries, how widespread is the issue?

The Risks

About 80% of sites tested by Lighthouse had some vulnerable JavaScript, with an average of two libraries per page. These vulnerabilities might not lead to serious consequences even if they’re exposed and exploited, and they’re discovered by testing, not by finding hackers in the wild using them to rob people.

Some JavaScript exploits have been observed in the wild. These include script injections, cross-site scripting, specific types of code in ads and email attachments, and a paradoxical risk: lack of adequate risk assessments because JavaScript is assumed to be secure.

Script injections

Script injections can be used to do anything from altering a website’s appearance to accessing user account data.

These attacks take advantage of the fact that, by default, your browser interprets and runs any script that’s embedded in HTML. So if attackers embed tags like <SCRIPT>, <OBJECT>, <APPLET>, or <EMBED> into a website’s code, your browser’s JS engine will run that script.

Cross-site scripting

Cross-site scripting (XSS) is a type of injection technique that allows the attacker to inject malicious code into a vulnerable web application to hijack the interactions users have with it.

It can be used to perform unauthorized activities and phishing attacks. It can also be used to capture keystrokes, stealing personal data and passwords in the process, or to steal sensitive information directly.
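The injection described in the two sections above comes down to untrusted text being pasted into a page's HTML. The following added example (not code from this article; the function names and sample inputs are hypothetical) renders the same user comment with and without output encoding and checks which of the tags listed above survive as real markup.

```javascript
// Added example, not code from the article. Function names are hypothetical.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that let text switch the HTML parser into markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: untrusted values are pasted straight into the page's HTML.
function renderCommentUnsafe(author, text) {
  return `<div class="comment" title="${author}">${text}</div>`;
}

// Hardened: every untrusted value is encoded before it reaches the parser.
function renderCommentSafe(author, text) {
  return `<div class="comment" title="${escapeHtml(author)}">${escapeHtml(text)}</div>`;
}

// Review helper: does the rendered HTML open any of the tags the article lists?
function hasActiveTag(html) {
  return /<\s*(script|object|applet|embed)\b/i.test(html);
}

// Review helper: did the author value close title="..." and add its own attribute?
function attributeBrokenOut(html) {
  return /title="[^"]*"\s+[\w-]+=/.test(html);
}

// Constructed, inert inputs.
const SAMPLE_TEXT = "Nice post! <SCRIPT>/* constructed placeholder */</SCRIPT>";
const SAMPLE_AUTHOR = 'guest" data-injected="1';

const unsafeHtml = renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_TEXT);
const safeHtml = renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_TEXT);
console.log("unsafe:", hasActiveTag(unsafeHtml), attributeBrokenOut(unsafeHtml));
console.log("safe:  ", hasActiveTag(safeHtml), attributeBrokenOut(safeHtml));
```

With encoding applied, the browser displays the comment as the literal text the user typed instead of parsing it as elements.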

Ads

One thing you’ll have noticed if you followed the above instructions to turn JS on: suddenly, there are a lot more ads. Whether that’s a good thing or not is your call (and if you don’t like them, there are things you can do that don’t involve disabling JavaScript, like installing an extension).

But ads are a popular attack route.

Suppose you click on an ad. Hidden inside the BMP (bitmap) file format that forms the image in the ad you’re looking at is compromised JavaScript that executes inside your browser. Since JS is pretty safe, it doesn’t harm your computer directly. Instead, it redirects your browser to a fake website to harvest personal data or run scam competitions. BMP images like these are known as “Polyglot images” and this exploit of them is still relatively new.

Email attachments

JavaScript attachments are another common attack method. Far too many of us still open email attachments without checking them—let alone checking the file extension (.rtf, .docx, .csv, etc.) to see what type of file it is.

To make matters worse, Windows doesn’t show you these by default—and some criminals, wise to this, label files with double extensions, like this: suspicious.PDF.js.

The .js is the real extension, while the PDF is actually part of the file name. But when Windows suppresses the extension, the user sees suspicious.pdf. So criminals send emails with JavaScript attachments that, when innocently opened, let them insert malware that spams you, does weird things to your browser, recruits your CPU to mine Bitcoin for someone else, or even acts as a bridgehead for ransomware.
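A mail filter or triage script can catch the double-extension trick by looking at the last extension rather than the one the user sees. This is an added example, not code from the article; the extension lists and the allow/warn/block verdicts are illustrative assumptions, and the file names are constructed.

```javascript
// Added example, not from the original article. The two extension lists and
// the allow/warn/block verdicts are illustrative assumptions, not a full policy.
const SCRIPT_EXTENSIONS = new Set(["js", "jse", "vbs", "vbe", "wsf", "wsh", "hta"]);
const DECOY_EXTENSIONS = new Set(["pdf", "rtf", "doc", "docx", "csv", "xls", "xlsx", "txt", "jpg", "png"]);

function inspectAttachmentName(rawName) {
  // Windows drops trailing dots and spaces from file names, so parse without them.
  const name = rawName.replace(/[ .]+$/, "");
  const parts = name.split(".").map((p) => p.trim());
  // The real extension is whatever follows the last dot.
  const realExtension = parts.length > 1 ? parts[parts.length - 1].toLowerCase() : "";
  // What a user sees when extensions are hidden: everything before the last dot.
  const shownWhenHidden = realExtension ? name.slice(0, name.lastIndexOf(".")).trim() : name;
  // The decoy is the segment that looks like an extension once the real one is hidden.
  const decoy = parts.length > 2 ? parts[parts.length - 2].toLowerCase() : "";
  const isScript = SCRIPT_EXTENSIONS.has(realExtension);
  const doubleExtension = isScript && DECOY_EXTENSIONS.has(decoy);
  const verdict = doubleExtension ? "block" : isScript ? "warn" : "allow";
  return { realExtension, shownWhenHidden, isScript, doubleExtension, verdict };
}

// Constructed sample names, not taken from real mail.
const SAMPLE_NAMES = [
  "suspicious.PDF.js",
  "invoice.pdf          .js", // padding pushes the real extension out of view
  "build-script.js",
  "report.final.docx",
  "notes",
];

function triage(names) {
  return names.map((n) => ({ name: n, ...inspectAttachmentName(n) }));
}

for (const r of triage(SAMPLE_NAMES)) {
  console.log(`${r.verdict.padEnd(5)} shown as "${r.shownWhenHidden}" real ext ".${r.realExtension}"`);
}
```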

Lack of risk assessment

Finally, there’s the risk of undiscovered vulnerabilities arising from poorly implemented security protocols by the developers who wrote the code. This is caused by an emphasis on usability and openness and the assumption that JavaScript is secure.

The chances are good that you’re not at risk. But if security is a top priority, it might be a good idea to turn JS off.

How to turn JavaScript back off

Take the same steps as before: go to Chrome > Settings > Advanced > Site Settings > JavaScript, and toggle the switch over to Blocked.

So, should you enable JavaScript or not?

For most users, JavaScript is mostly safe, most of the time. If you’re doing something that makes you particularly concerned about security, you can turn JS off, then easily turn it back on. But to get the most out of the modern web, it’s best to leave it on.