From: jj4public@gmail.com   
      
   On Fri, 2 Jan 2026 06:31:19 -0600, VanguardLH wrote:   
   > When disabling Javascript, does that also   
   > mean all extensions (aka add-ons) are also disabled?   
      
   Firefox's `javascript.enabled` doesn't trully disable JS globally. It's only   
   for all scripts (all embedded, external, and inline) on all sites, including   
   bookmarklets (since the code is executed in sites' page context). Excluding   
   browser extensions, Developer Tools (including its Debugger), browser   
   internal pages & windows (e.g. Settings page, Bookmarks manager window,   
   etc.), and most browser functionalities which are not visibly presentable   
   (e.g. download queue manager, etc.).   
      
   > If no, disabling   
   > Javascript does not eliminate that abuse vector.  Does disabling   
   > Javascript only disable it in the web docs the web browser renders, or   
   > also in all extensions added to the web browser?   
      
   Except for site scripts, JS on all previously mentioned are still working,   
   so they'll also vulnerable. After all, they're all using the same JS engine.   
      
   Disabling JS via `javascript.enabled` simply removes most of the attack   
   vectors; IMO, up to around 95%-99%; depending on how many various sites   
   one's use (whether the sites are trusted or not). The 2nd place would be   
   browser extensions (whether they're digitally signed or not). The 3rd place   
   would be UserScripts or GM scripts.   
      
   There's also the possibility of triggering an unpatched vulnerability by   
   accident. Some (if not most) vulnerabilities were found in that way, instead   
   of intentional hunt.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)