The idea of having JS enabled is directly at odds with a secure system, too. All TOR sites should have non-JS friendly interaction. There's really negligible benefit compared to exploits like the on in TFA.
I remember a bit over ten years ago, "javascript is annoying" was a mainstream position among hacker types. That seems to be long gone by now.
I guess hardware catching up with resource requirements took away one of the biggest reasons against it. And most people really embraced the web as more than a document platform. I think part of me still misses the old way of thinking about it.
I don't have any base issue with javascript; I think it's a wonderful way to build web applications. However, TOR and the dark net has entirely different considerations, and the cost of letting unvetted code run without asking you from a site you know nothing about is far, far greater. I wouldn't be surprised if just being on TOR would be convincing evidence for an unknowledgable jury, even if the site was about something legal but connotative (activism targeting the federal government, for example).
I see the first two sentences of your reply as inextricably linked and contradictory. You don't think it's the culture of it being acceptable to make sites that won't work without JS that is ultimately forcing the Tor folks to enable it? For instance, reading up on this subject I found this:
> Why is NoScript configured to allow JavaScript by default in the Tor Browser Bundle? Isn't that unsafe?
> We configure NoScript to allow JavaScript by default in the Tor Browser Bundle because many websites will not work with JavaScript disabled. Most users would give up on Tor entirely if a website they want to use requires JavaScript, ...
I see the purposes of the internet serving content-rich web apps and the purposes of TOR as different. They may have compatible protocols, but if GMail ran on TOR nobody would even use it. Why bother? It's slow and it's gonna leak information like a watering hose.
The browser provides much more control over what's happening than executing the code directly on the OS. You can block JavaScript, you can easily analyze the executed source code before you allow its execution, you can manipulate the page as you see fit, you can use extensions to alter your experience in many other ways, and you get the browser's default security sandboxing stuff that prevents it from accessing external domains, your filesystem, or otherwise interrupting non-browsing related tasks.
It'd be crazy to download a full local client for something as shady as SilkRoad or many other hidden services. The browser is the safest place for that kind of thing.
Apparently people have just readily forgotten about the time where computing everywhere was done using terminals. Just pure input/output with some special characters for fancy things.
People should stop using web/browsers for everything.