I did notice some weird javascript in an email virus attachment the other day. It used a bunch of escaped (hex?) values and other obfuscation techniques. Point being, it didn't look like anything you'd want to run with an accidental double-click.
Being that I run winders on the desktop, running Opera with JS off gives me a (possibly false) sense of security.
Sure there are users out there without JS. There are still some IE6 users out there. But in most cases you need just look at your target: If you build a SaaS service you probably focus on the early adopters, first movers or whatever you call them.
Old browser or obscure security settings are a niche. If your product focus on that niche - great, consider it in your technical setup.
After attending a horrible freelance project as a ruby/rails guy in 2009 I finally made a decision for all of my hopefully upcoming projects:
* focus on the early adopters who may understand your product without a big introduction. these people usually have the best and modern browsers available.
* optimize for Safari/Mac, Firefox and maybe Chrome
* optimize only for iPhone
* forget the rest until you have 100 paying customers. Then decide again. (100 is just a number, maybe 50, maybe 1000 — you decided)
BUT: If you know for sure, that most of your taget customers are using IE6/have no javascript support/whatever: Support it. But I doubt it.
And don't think that your startup will have the same % amounts of browsers/settings like the big sites on the web. Also keep in mind that people need to be able and willing to spend money. I can imagine someone without javascript and cookies will never (be able to) enter her/his payment information over the web into a form.
They'll be very conservative and in my opinion it's not worth the time to try to "convert" them.
TL;DR
Try to focus the easiest reachable solution only. Know your potential customer's setup. Be selective.
Sorry for the slightly flippant response (but thank you to patio11 for training me to think that way). I just couldn't help myself, since you phrased it as 'disabled' rather than 'not JavaScript capable'. In regards to the latter, you might find this StackOverflow post useful: http://stackoverflow.com/questions/121108/how-many-people-di...
Also, I've had JS randomly break in firefox sometimes, and it doesn't get turned back on until the next install.
I think graceful degradation is still the key word here. Not just because it will allow non-JS users to access your site, but also because it helps force you to realize the semantic separation of the HTML versus JS layers.
And for your question: Personally, I wouldn't support non-JS users for most cases at all. There are security reasons to switch it off, but I hardly see any aspect of life where you get 100% security. JavaScript is an essential part of the web, if someone has a problem with that: don't surf and don't expect me to emulate things that I can solve easily in the client on the server (if at all possible).
