Is graceful degradation in the absence of JavaScript still useful?

Question

When even mobile browsers have JavaScript, is it really necessary to consider potential script-free users?

Answer 1

I for one always have NoScript turned on unless I trust the site for a number of reasons including cross-site-scripting, click jacking, and HTML injection. It's not me being paranoid, it's because I know a lot of developers, and know most of them have no idea what web security is, never mind how to avoid vulnerabilities.

So until I trust a site there's no chance I'd let it do anything fancy.

For the unfamiliar, there are some interesting blog entries on the subject:

• Protecting Your Cookies: HttpOnly
• Cross-Site Request Forgeries and You
• Sins of Software Security
• Top 25 Most Dangerous Programming Mistakes