
How to Enable or Disable JavaScript in Safari: Choose your Poison

The recent flurry of reported Java exploits has incited a massive "Disable Java" campaign. This popular and practical advice is causing considerable confusion for Internet users who dutifully go to disable Java only to encounter something called JavaScript for the first time. 

Before you disable JavaScript, understand the difference between Java Technology and JavaScript. Java is a programming language that you'd use to write a program, compile that program, and execute the compiled executable in a virtual machine. The risks from Java are currently very high, and disabling Java is recommended.

JavaScript is a hugely popular language used to write scripts that run in a browser. Executing every arbitrary script you encounter while browsing carries risk, so consider one of the several methods at your disposal to manage how the Safari browser processes JavaScript. Each of these has benefits and consequences.

How to Disable JavaScript from Safari Preferences

Like disabling Java, disabling JavaScript is straightforward:

Launch Safari

From the Safari menu, pull down and choose Preferences...

Choose the Security tab

Uncheck the box labeled Enable JavaScript

Close the Preferences Window


Disabling JavaScript in this manner is a Draconian measure: all scripts from all visited web pages will be disabled. The benefit from choosing this method is that you will not execute any malicious script you might encounter, but you will also be unable to benefit from any helpful scripts that sites you trust use for interactive purposes (appearance, navigation, forms submission). 

How to Disable JavaScript from Safari's Develop Menu

To use the Develop Menu, you'll need to add it to your Menu bar:

Launch Safari

From the Safari menu, pull down and choose Preferences...

Choose the Advanced tab

Check the box labeled Show Develop menu in menu bar

Close the Preferences Window


To disable JavaScript from the menu bar, open the Develop menu and check Disable JavaScript. Disabling JavaScript will affect any page you have open and all pages you subsequently visit until you enable JavaScript again by unchecking the same item in the Develop menu.

Apple says that developers can use this feature to "experience how your website will behave for users who have disabled JavaScript."

I've used the Develop menu when I'm browsing on a Mac that doesn't have my full kit of Safari extensions and I'm likely to visit an unfamiliar site. If you're a developer or if you are investigating suspicious sites you'll probably find many of the other features handy as well.

If you do choose to use this method, you may want to define a custom Keyboard Shortcut.


How to Disable JavaScript Using a Safari Extension 

Another method of managing JavaScript is to install an extension that only permits browser content you trust to execute on your computer. NoScript does this nicely for Firefox but it's not available for Safari. The closest extension to NoScript that I have found to date is JavaScript Blocker.

You can see what scripts a web page asks your browser to execute by clicking on the JavaScript Blocker item in your Safari Toolbar. Mine is set to highlight a count of blocked scripts. Click on the item to see an explanation of how JavaScript Blocker is handling each script it has encountered (Allow/Block).


JavaScript Blocker applies its own whitelist and blacklist rules to assess the scripts your browser encounters when you visit a site. Click on any of the Allowed or Blocked scripts or frames to create your own rule for scripts you encounter, and you'll "train" JavaScript Blocker to know what content you trust. Visit the JavaScript Blocker page to learn about other features. I'm experimenting with it still so if you find anything really interesting please post a comment.

What scripts should I block?

I explained my strategy for choosing which scripts to trust in my blog post about NoScript and will repeat it here for convenience:

"If I'm familiar with the site and have had a positive experience, I'll trust the scripts associated with the site domain [Note: the screen capture of my site shows that JavaScript Blocker does this, too]. If I'm uncertain, I'll check the scorecard for the domain at MyWot and consider the reputation reported there. If I'm suspicious I submit the domain to VirusTotal and scan to see if the page contains malware. I may Google the domain: if it is a tracking company, I permanently forbid execution."
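
The allow/block rules and the trust strategy described above can be sketched as a per-script decision. This is an added example, not JavaScript Blocker's code or rule format; the rule object, function names and all domains are constructed, and "site domain" is approximated as the page host without a leading "www." rather than looked up in a public-suffix list.

```javascript
// Added example: per-script allow/block decisions for one page.
// True when host equals domain or is a subdomain of it (never a mere suffix match).
function matchesDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Decision order: explicit block, explicit allow, first-party, default block.
function decide(pageUrl, scriptSrc, rules) {
  const page = new URL(pageUrl);
  let script;
  try {
    script = new URL(scriptSrc, page); // resolves a relative src against the page
  } catch (e) {
    return { src: scriptSrc, action: "block", reason: "unparseable URL" };
  }
  const src = script.href;
  if (script.protocol !== "http:" && script.protocol !== "https:")
    return { src, action: "block", reason: "non-web scheme" };
  const host = script.hostname;
  const site = page.hostname.replace(/^www\./, "");
  if (rules.block.some((d) => matchesDomain(host, d)))
    return { src, action: "block", reason: "blocklisted" };
  if (rules.allow.some((d) => matchesDomain(host, d)))
    return { src, action: "allow", reason: "allowlisted" };
  if (matchesDomain(host, site))
    return { src, action: "allow", reason: "first-party" };
  return { src, action: "block", reason: "unknown third party" };
}

// Apply the rules to every script a page requests and count the blocked ones,
// like the blocked-script count shown on the toolbar item.
function auditPage(pageUrl, scriptSrcs, rules) {
  const decisions = scriptSrcs.map((s) => decide(pageUrl, s, rules));
  const blocked = decisions.filter((d) => d.action === "block").length;
  return { decisions, blocked };
}

// Constructed sample: a trusted CDN, a tracker that is permanently forbidden.
const sampleRules = { allow: ["cdn.example.net"], block: ["tracker.example"] };
const sampleReport = auditPage("https://www.blog.example/post", [
  "/js/site.js",                                   // relative, first-party
  "https://static.blog.example/nav.js",            // subdomain of the site
  "https://cdn.example.net/lib.js",                // allowlisted third party
  "https://px.tracker.example/t.js",               // blocklisted tracker
  "https://blog.example.lookalike.example/x.js",   // lookalike host, not first-party
  "http://widgets.example.org/w.js",               // never reviewed
], sampleRules);
for (const d of sampleReport.decisions) console.log(d.action, d.reason, d.src);
console.log("blocked:", sampleReport.blocked);
```

The default-block last step is what makes a conservative rule set safe: a script from a host you have never reviewed stays blocked until you add an allow rule for it.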

How to Choose Your Poison

One important difference among all these choices is the degree of granularity each choice affords. You can wash your hands of all JavaScript you encounter, you can micro-manage, or you can let a third party choose for you. You may want to begin by toying with the Develop menu option to "experience" pages you visit with and without JavaScript. Download the Safari extension and see how your experience is affected with default settings. If you choose to keep the extension, be conservative as you add rules that allow scripts.

Even small efforts to enhance security can yield large rewards. 
