cross-posted from: https://lemmy.world/post/31859998
Please see the cross-post as it is updated.
As a security-conscious user, I’ve used NoScript since Firefox’s early days, but its restrictive nature has become frustrating. I’m often forced to go unprotected just to access websites with multiple scripts running on different domains, which defeats the purpose of using NoScript and balances security and usability that it once provided.
Is there a way to block browser JavaScript from executing commands that retrieve sensitive information from my local machine, while still allowing JavaScript that is only used for rendering web pages?
greatly appreciate any insight
cross-posted from: https://lemmy.world/post/31859998
Please see the cross-post as it is updated.
What is meant by “sensitive information” here? Browsers can’t just willy-nilly access your local files or something like that. The one thing I can think of is using JavaScript to collect information that can be used to identify you. (Is that “sensitive”? I’d put that in “identifying information”.) My honest suggestion is to keep using NoScript and just allow as few domains as possible. The next best option is to stop using websites that break without JavaScript when there’s no reason why they’d need it.
I can imagine there being a plugin that spoofs some common ways that allow sites to identify you cross-sessions / browser / websites without your consent, but blocking JavaScript (by default) is likely one of the best ways to reduce the amount of information collected about you. When you do find such a plugin, check out one of the “browser fingerprint” testing sites to see how unique your fingerprint is.
(That is, if I even understood the request properly in regards to the “sensitive information” bit.)
by sensitive information I’m referring to
Can I prevent javascript from running specific command that retrieve these information?
I found chameleon which spoof local machine operating system + version and browser information. But I’m not sure about other information
Most of those things cannot be collected through JavaScript.
Local time can.
RAM can only be approximated to protect user privacy. Edit: And it’s not available on Firefox.
OS+version are already in your browser’s user-agent string that is sent out with every request you make.
Machine hardware cannot be enumerated. JavaScript can try to guess your GPU based on what it can do with WebGL.
There is no way to get a serial number or similar.
But if you go on to block some of the stuff you make yourself easier to identify. You go from “some guy with Windows” to that “that guy who blocks this and that and also that other thing”.
I think it is much more effective to use Ublock Origin and let it do its thing.
Can you link to a source that confirms this information can be collected with JavaScript (with browser comparison, ideally)? That seems outrageous if it was actually possible.
https://amiunique.org/fingerprint
deleted by creator
JavaScript is already sandboxed. You can only execute functions where there is an actual API defined by the browser to do so, for example
Date.getTime(). There is / should be no way to get, say, your device ID. (With the exception of unpatched exploits that allow executing arbitrary code. But keep in mind browsers are likely one of the if not the most security tested software.)What you linked to here appears to specific to Google Tag Manager in a way that I don’t fully understand, but is not related to how websites usually execute JavaScript code.
thank you for the clarification