
As usual disabling JavaScript by default is the way to go, but for Firefox at least you can make sure that dom.webgpu.enabled is set to false in about:config (this should be the default) and check for gfx.webgpu.force-enabled and if it's there make sure that is also false.
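
Added example, not part of the comment above or of any commenter's post: a small audit of the two preferences that comment names, read from a Firefox profile's `prefs.js` and `user.js` instead of about:config. It assumes the usual `user_pref("name", value);` line format; the function names are hypothetical and the sample profile contents are constructed.

```python
import re

# The two preferences named in the comment above.
WEBGPU_PREFS = ("dom.webgpu.enabled", "gfx.webgpu.force-enabled")

# Matches lines such as: user_pref("dom.webgpu.enabled", true);
# Commented-out lines (starting with //) do not match.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def parse_prefs(text):
    """Return {name: raw_value} for every user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def audit_webgpu(prefs_js, user_js=""):
    """Report each WebGPU pref as 'true', 'false' or 'unset'.

    user.js is applied on top of prefs.js at startup, so it takes precedence.
    'unset' means the profile does not override the browser's built-in default.
    """
    effective = parse_prefs(prefs_js)
    effective.update(parse_prefs(user_js))
    return {name: effective.get(name, "unset") for name in WEBGPU_PREFS}


def needs_attention(report):
    """Names of prefs explicitly set to true, i.e. WebGPU turned on in the profile."""
    return [name for name, value in report.items() if value == "true"]


# Constructed sample profile contents (not taken from a real profile).
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("dom.webgpu.enabled", true);
user_pref("gfx.webgpu.force-enabled", true);
'''
SAMPLE_USER_JS = 'user_pref("dom.webgpu.enabled", false);\n'

if __name__ == "__main__":
    report = audit_webgpu(SAMPLE_PREFS_JS, SAMPLE_USER_JS)
    print(report, "->", needs_attention(report))
```

In the constructed sample, `user.js` turns `dom.webgpu.enabled` back off while `gfx.webgpu.force-enabled` is still set to true in `prefs.js`, which is the second case the comment says to check for.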


I think you can also disable hardware acceleration and that will prevent GPU from being accessible even with JavaScript enabled.


I wonder if this is a case where disabling JavaScript JIT is enough or if even slow JS is still able to trigger the problem through the WebGPU side of the stack.


and then every React site stops rendering entirely?

that suggestion isn't even viable on Tor websites


You can always selectively enable JS for specific websites that you trust. With something like NoScript it's just two clicks to whitelist a domain you want to authorize to be able to run random code on your machine.

At work I run a hardened browser that disables a hell of a lot more than JS and not only do most pages work just fine as far as providing the content I wanted from them, but they load faster and look cleaner. There are still some annoying cases when a website can't even manage to display text or images without JS enabled, but even as easy as it is to enable JS if a website is that broken I often just close that tab and move on with my life anyway. I don't use that browser for things like online shopping but for 90% of what I need it works while also being far better for security and privacy.


I'm browsing HN right now without JS.

A surprising number of sites work, at least well enough, with JS disabled. When they don't I can selectively enable JS as needed until I get the functionality required. Often that is a single permission or two, while I keep everything else disabled.


What "well enough" is, and how much time you have to spend finding that out about each site and each time they update, is a pretty wide swath. E.g. browsing HN works fine... if you've already decided you don't care about things like collapsing comment chains. And HN is a pretty barebones site at that.

If you're willing to dedicate the troubleshooting time to your web experience you can get yourself into a pretty useable state over time though.


quit whining and actually try it.

i use uBlockOrigin for ad block. it has a setting "disable js". done.

each site you visit either works... or you leave it. if you must use it and it's a blank page, press ctrl+e, or open the ad blocker UI (works even on Firefox Android) and uncheck the blocked js icon. again, done. two clicks or one keyboard shortcut.

and as the comment you're replying to said, you will be surprised how everything works fine without


How else would I know e.g. you can't collapse comments without JS enabled on HN or that you eventually get a more usable experience after investing the time unless I've already tried such operation in the browser before? It's worth at least thinking through what I've said before trying to call it out as blindly ignorant. Not that either way really steers the discussion towards the points made anyways.

Also if you just whitelist every site the instant they don't work it's not exactly a security gain. Maybe it helps with ads UBO isn't catching out of the box or some other angle though. The amount of security you gain from this is proportional to the amount of effort you're willing to invest in making sites work. As an example: https://news.ycombinator.com/item?id=40069834 site works fine without one day, then suddenly doesn't so you whitelist or futz around until you find something like the /embed trick, until that either changes some day too or you've given up and just whitelisted every site you go to anyways.


the point is it makes enabling js slightly just a click more annoying, which forces you to unconsciously use sites that work fine without.

you seem to spend time here, so you'd pay the security price and that's it.

not having js on by default is for the 95pct of domains you hit everyday to read a single paragraph and never return.



