Only because JS has been used as lipstick on the html pig. Html should do a lot more by default, which would make javascript unnecessary in 90% of the case. A few features that should really be html based:
- form/input server-side validation (you would specify a URL as an attribute of the input / form to which what-if data would be posted)
- input auto-complete (same thing, URL in attribute of the input)
- adaptive design (they should rethink CSS with various formats in mind)
With these 3 things alone I think you can pretty much create a fully working JS-free website. You would only need JS if you really need to build a SPA (which should be the exception: online trading platforms, etc).
The fact that now even a blog article is not viewable without JS is a joke.
Is there a way to take another approach of preventing dynamic data from getting back without an explicit opt-in from the user? This will never happen of course on the regular internet, but for hidden services or some other static-page-only-unless-opt-in surely even if fingerprinting information can be obtained, can we block it from getting back to the host?
It seems like a losing battle to me. You'd have to prevent Javascript inserting links into the DOM (it could stick parameters in the URL), inserting images (similar), loading any assets from anywhere programmatically, any AJAX requests, any redirects, setting any cookies... and probably more besides.
...and eventually you'd have some chap like the OP here who will come up with a clever way to exfiltrate information somehow anyway.
