this post was submitted on 23 Jun 2025

26 points (93.3% liked)

Privacy

39130 readers

1044 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS

Is there a way to block browser JavaScript from executing commands that retrieve sensitive information from my local machine, while still allowing JavaScript that is only used for rendering web pages? (lemmy.world)

submitted 16 hours ago* (last edited 7 hours ago) by happeningtofry99158@lemmy.world to c/privacy@lemmy.ml

22 comments fedilink hide all child comments

As a security-conscious user, I've used NoScript since Firefox's early days, but its restrictive nature has become frustrating. I'm often forced to go unprotected just to access websites with multiple scripts running on different domains, which defeats the purpose of using NoScript and balances security and usability that it once provided.

by sensitive information I'm referring to

local machine time
local machine ram
local machine operating system + version
local machine hardware
Serial Number
Hardware ID
UUID
Windows Device ID
Windows Product ID
...

greatly appreciate any insight

EDIT:

could be possible solution

https://discuss.grapheneos.org/d/16025-vanadium-and-what-to-use-on-desktop/19

~~LibreJS: GNU LibreJS aims to address the JavaScript problem described in Richard Stallman's article The JavaScript Trap.~~
JShelter: Mitigates potential threats from JavaScript, including fingerprinting, tracking, and data collection. Slightly modifies the results of API calls, differently on different domains, so that the cross-site fingerprint is not stable. Applies security counter-measures that are likely not to break web pages. Allows fine-grained control over the restrictions and counter-measures applied to each domain.

@bjoern_tantau@swg-empire.de

Most of those things cannot be collected through JavaScript.

Local time can.

RAM can only be approximated to protect user privacy. Edit: And it’s not available on Firefox.

OS+version are already in your browser’s user-agent string that is sent out with every request you make.

Machine hardware cannot be enumerated. JavaScript can try to guess your GPU based on what it can do with WebGL.

There is no way to get a serial number or similar.

To spoof timezone/OS+version/browser+version ... and disable WebGL, use https://sereneblue.github.io/chameleon/

https://lemmy.world/post/31885153

you are viewing a single comment's thread
view the rest of the comments

[–] jet@hackertalks.com 3 points 16 hours ago (2 children)

Depends what you mean by local information

Your best method:

Use a socksv5 proxy with your browser so it can't connect to localhost

Use a incognito browser for the login session

[–] happeningtofry99158@lemmy.world 3 points 16 hours ago (1 children)

by sensitive information I'm referring to

local machine time
local machine ram
local machine operating system + version
local machine hardware
Serial Number
Hardware ID
UUID
Windows Device ID
Windows Product ID
...

Can I prevent javascript from running specific command that retrieve these information?

[–] jet@hackertalks.com 4 points 16 hours ago (1 children)

If any of that information is critical, you should not be running JavaScript. You should remote into a virtual machine and then browse from there.

Even the tor browser bundle gives away machine architecture

[–] happeningtofry99158@lemmy.world 4 points 16 hours ago (1 children)

Personally I think a websites requires machine architecture is dubious and necessary, webpage should be functional without those info

[–] jet@hackertalks.com 4 points 15 hours ago

your not wrong, but every browser exposes it via javascript. so if that is part of your threat model you can't use a local browser.

[–] happeningtofry99158@lemmy.world 2 points 15 hours ago (1 children)

Use a socksv5 proxy with your browser so it can’t connect to localhost

Website is able to get info of localhost?

Does this mean they are able to see what docker container I'm hosting?

[–] jet@hackertalks.com 1 points 15 hours ago (1 children)

many browsers allow connection to localhost ports, this is how discord opens discord links in the app and not the browser on people's desktop computers.

[–] happeningtofry99158@lemmy.world 1 points 15 hours ago (1 children)

I see, could you link to an article or video that explains more about how this is achieved? Is there a browser extension to disable a website from accessiing localhost connection?

[–] jet@hackertalks.com 1 points 15 hours ago

socksv5 proxies, or you could dig into the settings and find a option to disable local connections (not sure where)