JS dramatically increases the attack surface. It allows browser fingerprinting, user fingerprinting (behavioral biometrics) and exploitation of vulnerabilities in JS engine and API design. It must be disabled by default for all untrusted addresses: the ones from the Web and files. Use NoScript for this.
- Status changed from New to Rejected
- Priority changed from Elevated to Normal
Yes, you are right, allowing JS is the best way to compromise security.
Feel free to work on #9700 as a solution to your concern.
- Related to Feature #9700: Persistence preset: Tor Browser security slider setting added