Something awesome I just found: http://www.ghacks.net/2010/10/31/how-to-force-https-connections/ Makes lot of sense IMO. The most Javascript intensive websites tend to be banking, web mail, e-commerce, and other things that demand encryption. Whereas sites where you don't need JS tend to be unencrypted HTTP. Likewise, a lot of ad servers connect unencrypted by default, so this handily nixes them. Edit: note, something similar might be doable in a centralized fashion, using Squid or Privoxy or such on a router - blocking JS files over HTTP connections going through the proxy. Embedded JS would be much trickier though.