I am sorry if I am mistaken and you have a genuine concern or question. The issue is that your behaviour in this thread makes it very easy to think you are trying to troll here. Many
a time we are accidentally a troll when posting in anger (
http://christianheilmann.com/2012/06/04/de-trolling-the-web-dont-post-in-anger/) and the pattern is there.
Your original email didn't ask a simple question like "is it possible to turn off JavaScript in FirefoxOS". Instead it started with an unproven, very accusatory statement:
"We all know that javascript main reason is to use the resources of the
client to steal data from the client and send it to a server, or help to
install unwanted software.
In the past at least they said javascript works in a sandbox and can not
gain root rights."
Sentences like "We all know" without any proof is what bad politicians use to rally people. Where is the definition that the main reason of JavaScript is to steal data from the client and install unwanted software? In MDN we probably have the most detailed JS documentation there is, but nowhere this is mentioned as a reason for the language. You made up an argument and told us this is fact, instead of bringing it up as a danger.
Three people here were nice enough to answer your question anyways and point to resources to read up why your argument in the case of Firefox OS is a different matter.
You then brought up three resources asking about JS security issues in a desktop browser. We answered your concerns explaining the CSP need of Firefox OS Apps and that Firefox OS is written in JavaScript, thus turning it off on the OS level would mean you have no OS. We also explained that any other platform has the same principle - you can not turn off JS in iOS or Android either.
Manish did a lovely job explaining the issue and actually giving sound security advice:
"Are you concerned about JavaScript as running for web pages within the actual browser app in Firefox OS, or JavaScript running in the OS itself and other apps? The latter isn't a security hole -- all apps for all mobile OSes are able to track you if they want and mess up your system with the right permissions (so be careful when installing apps -- and FxOS has an app review process anyway).
The mobile browser used in FxOS? Most mobile browsers don't have a "turn off JS" button, and this anyway is the least effective way to prevent attacks as detailed by Christian above."
You then pivot very quickly - maybe because there was a misunderstanding - but real trolls pivot all the time to keep a discussion alive.
"I do not talk about turning off Javascript but include in the Gaia &
Gecko such technologies like NoScript or AdBlock.
Cross-Scripting or data security is only a small aspect. We could talk
about jokes like Clickjacking and other in your eyes minor aspects, that
will be a blocker when it comes to sell devices.
Make a device that at least try to be secure.
Make devices for users not useds."
Did we say clickjacking is a joke? Did we mention security is a minor aspect? No, but we did explain that NoScript and Adblock are not 100% secure either as there are ways to steal data with CSS or malformed binary data. This was not acknowledged by you at all - something again, a troll would do.
Instead you now make this a major argument and bring up the assumption that Firefox OS devices would not sell when there is no way to have AdBlock or NoScript. Frankly, that is your idea, we have much different requests from users out there.
You like Adblock and NoScript and you see it as something we should use as it seemingly solves your problem. Not acknowledging that it doesn't deliver what we are trying to do again is behaviour a troll shows: everything is about your argument.
You then become very aggressive and accuse of making devices not for users but for people to "be used" - again an accusing statement wrapped in a rhetoric that is more of a rallying cry than a discussion. It very much reminds of the "Wake up Sheeple!" messages used by trolls in other forums. This goes on:
"FirefoxOS using a by the useds uncontrollable Javascript interpreter is
respectless towards the useds."
Now you are saying we don't have any respect for the users of Firefox - after getting information that FxOS is written in JS and thus it is a very needed part of its functionality and that blocking JS even now on the web is not a solution for being safe. In fact, together with Deutsche Telekom we are working on a security awareness build of Firefox OS giving people full insight into what apps is tracking what and this week there is a brownbag on upcoming AdBlock-like traffic blocking functionality on the Firefox level for Desktop.
What you really want to do here is convince us that giving people the choice to turn off JavaScript is the solution to every problem. We explained that it isn't. I'd go even further and say it is a dangerous truism. Much like telling people "use a mac, there are no viruses or malware for mac" is nonsense. It is a glass shield and a strawman argument. Turning off JS doesn't mean you are safe from attacks.
You are ending with the mail below telling us what evangelism means to you. This list is not about telling each other our beliefs or convictions. This list is about discussing ways to explain to the world outside what Mozilla is doing and how to be most effective about it. There might have been a misunderstanding.
Acknowledging that other people have different ideas and not barraging them with yours is what makes a good evangelist. Being aware of the whole picture and seeing what others are doing and learning from that is also a vital part of that.
Your mails came across as needy and pushy. Nobody likes being bullied. Maybe I was too rash in bringing this as an example, but this list is in its infancy and I think it is very important from the very beginning to negotiate an inviting and nurturing tone here.