As a security-conscious user, I’ve used NoScript since Firefox’s early days, but its restrictive nature has become frustrating. I’m often forced to go unprotected just to access websites with multiple scripts running on different domains, which defeats the purpose of using NoScript and balances security and usability that it once provided.

Is there a way to block browser JavaScript from executing commands that retrieve sensitive information from my local machine, while still allowing JavaScript that is only used for rendering web pages?

by sensitive information I’m referring to

  • local machine time
  • local machine ram
  • local machine operating system + version
  • local machine hardware
  • Serial Number
  • Hardware ID
  • UUID
  • Windows Device ID
  • Windows Product ID

greatly appreciate any insight

  • jet@hackertalks.comEnglish
    3·
    7 hours ago

    Depends what you mean by local information

    Your best method:

    Use a socksv5 proxy with your browser so it can’t connect to localhost

    Use a incognito browser for the login session

    • happeningtofry99158@lemmy.worldOP
      2·
      6 hours ago

      Use a socksv5 proxy with your browser so it can’t connect to localhost

      Website is able to get info of localhost?

      Does this mean they are able to see what docker container I’m hosting?

      • jet@hackertalks.comEnglish
        1·
        6 hours ago

        many browsers allow connection to localhost ports, this is how discord opens discord links in the app and not the browser on people’s desktop computers.

        • happeningtofry99158@lemmy.worldOP
          1·
          6 hours ago

          I see, could you link to an article or video that explains more about how this is achieved? Is there a browser extension to disable a website from accessiing localhost connection?

          • jet@hackertalks.comEnglish
            1·
            6 hours ago

            socksv5 proxies, or you could dig into the settings and find a option to disable local connections (not sure where)

    • happeningtofry99158@lemmy.worldOP
      2·
      7 hours ago

      by sensitive information I’m referring to

      • local machine time
      • local machine ram
      • local machine operating system + version
      • local machine hardware
      • Serial Number
      • Hardware ID
      • UUID
      • Windows Device ID
      • Windows Product ID

      Can I prevent javascript from running specific command that retrieve these information?

      • jet@hackertalks.comEnglish
        5·
        6 hours ago

        If any of that information is critical, you should not be running JavaScript. You should remote into a virtual machine and then browse from there.

        Even the tor browser bundle gives away machine architecture

          • jet@hackertalks.comEnglish
            5·
            6 hours ago

            your not wrong, but every browser exposes it via javascript. so if that is part of your threat model you can’t use a local browser.