As a security-conscious user, I've used NoScript since Firefox's early days, but its restrictive nature has become frustrating. I'm often forced to go unprotected just to access websites with multiple scripts running on different domains, which defeats the purpose of using NoScript and balances security and usability that it once provided.

Is there a way to block browser JavaScript from executing commands that retrieve sensitive information from my local machine, while still allowing JavaScript that is only used for rendering web pages?

greatly appreciate any insight

cross-posted from: https://lemmy.world/post/31859998

Please see the cross-post as it is updated.

you are viewing a single comment's thread
view the rest of the comments

[–] happeningtofry99158@lemmy.world 2 points 20 hours ago (2 children)

by sensitive information I'm referring to

local machine time
local machine ram
local machine operating system + version
local machine hardware
Serial Number
Hardware ID
UUID
Windows Device ID
Windows Product ID
...

Can I prevent javascript from running specific command that retrieve these information?

I found chameleon which spoof local machine operating system + version and browser information. But I'm not sure about other information

[–] bjoern_tantau@swg-empire.de 4 points 19 hours ago* (last edited 18 hours ago) (1 children)

Most of those things cannot be collected through JavaScript.

Local time can.

RAM can only be approximated to protect user privacy. Edit: And it's not available on Firefox.

OS+version are already in your browser's user-agent string that is sent out with every request you make.

Machine hardware cannot be enumerated. JavaScript can try to guess your GPU based on what it can do with WebGL.

There is no way to get a serial number or similar.

But if you go on to block some of the stuff you make yourself easier to identify. You go from "some guy with Windows" to that "that guy who blocks this and that and also that other thing".

I think it is much more effective to use Ublock Origin and let it do its thing.

[–] happeningtofry99158@lemmy.world 1 points 12 hours ago (1 children)

Sincere thanks

@bjoern_tantau@swg-empire.de

Most of those things cannot be collected through JavaScript.

Local time can.

RAM can only be approximated to protect user privacy. Edit: And it’s not available on Firefox.

OS+version are already in your browser’s user-agent string that is sent out with every request you make.

Machine hardware cannot be enumerated. JavaScript can try to guess your GPU based on what it can do with WebGL.

There is no way to get a serial number or similar.

To spoof timezone/OS+version/browser+version ... and disable WebGL, use https://sereneblue.github.io/chameleon/

https://lemmy.world/post/31885153

I guess spoofing will not make me stand out?

[–] bjoern_tantau@swg-empire.de 2 points 3 hours ago (1 children)

Probably will, because your spoofing might not be perfect and have inconsistencies.

[–] happeningtofry99158@lemmy.world 1 points 2 hours ago

Thank you so very much

[–] copygirl@lemmy.blahaj.zone 2 points 20 hours ago (2 children)

Can you link to a source that confirms this information can be collected with JavaScript (with browser comparison, ideally)? That seems outrageous if it was actually possible.

[–] pivot_root@lemmy.world 2 points 18 hours ago

https://amiunique.org/fingerprint