cross-posted from: https://lemmy.world/post/31859998
Please see the cross-post as it is updated.
As a security-conscious user, I’ve used NoScript since Firefox’s early days, but its restrictive nature has become frustrating. I’m often forced to go unprotected just to access websites with multiple scripts running on different domains, which defeats the purpose of using NoScript and the balance of security and usability that it once provided.
Is there a way to block browser JavaScript from executing commands that retrieve sensitive information from my local machine, while still allowing JavaScript that is only used for rendering web pages?
Greatly appreciate any insight.
It’s basically impossible to block everything, although most of what you listed in a comment is unavailable to websites. To minimize what is available you can use uBlock Origin, uMatrix and User-Agent Switcher.
Even if you did block it, the fact that you blocked it is also trackable… so it might actually single you out even more, and it’ll still allow them to fingerprint your browser (you can test your fingerprint here).
It might make more sense to randomize / spoof the data so that it becomes inconsistent and useless so that you aren’t identifiable.
A lot of the JavaScript attributes used for fingerprinting are used to decide WHAT to render and to cache settings so things work smoothly the next time you come back.
For example, the amount of RAM, your WebGL settings and version, presence of audio, mic, and camera, and screen dimensions are all relevant to a game, a browser-based video-conferencing app, or WebASM-based tools like Figma.
And unless you want an app to do a full check each time it returns to foreground, it will likely cache those settings in a local store so it can quickly look it up.
If the app needs to send some of this data to the cloud so the server changes what it sends up, they now also have your IP address, rough reverse IP coordinates via ISP, and time. You can use VPN or Tor to obfuscate IP addresses, but you have to remember to turn that on each time you use the app, and in the case of VPN, to disconnect/reconnect to a random server to semi-randomize your IP (or use Tor, which does this for you).
But to answer the first question, changing or disabling those settings could break a bunch of features, especially Single-Page Applications, those using embedded analytics, or any amount of on-device graphics.
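An added illustration (not part of any post in this thread) of the blocking-versus-randomizing point made above, using constructed values for the attributes the thread names. The function names, the `COMMON` value lists and the session nonce are assumptions made for the example.

```javascript
// Constructed sample values for attributes named in the thread; nothing is read from a real browser.
const realProfile = {
  deviceMemory: 16, hardwareConcurrency: 12,
  screen: "2560x1440", webglRenderer: "ExampleGPU 9000 (constructed)",
};

// What a site can derive: a canonical string of the exposed values.
// A tracker would typically hash this; equality of the string is what makes visits linkable.
function fingerprint(profile) {
  return Object.keys(profile).sort().map((k) => `${k}=${profile[k]}`).join(";");
}

// Strategy 1: block every attribute. The values vanish, but the result is identical on every visit.
function blockAll(profile) {
  return Object.fromEntries(Object.keys(profile).map((k) => [k, "blocked"]));
}

// Strategy 2: report plausible values chosen per session (hypothetical value lists).
// sessionNonce is assumed to come from a fresh random source in real use.
const COMMON = {
  deviceMemory: [4, 8],
  hardwareConcurrency: [4, 8, 12],
  screen: ["1366x768", "1920x1080", "1536x864"],
  webglRenderer: ["Generic Renderer A (constructed)", "Generic Renderer B (constructed)"],
};
function spoofPerSession(profile, sessionNonce) {
  return Object.fromEntries(Object.keys(profile).map((k) =>
    [k, COMMON[k][sessionNonce % COMMON[k].length]]));
}

// Two visits are linkable when they yield the same fingerprint.
function linkable(visitA, visitB) {
  return fingerprint(visitA) === fingerprint(visitB);
}

// A site can tell blocking is in use when a normally present value is missing or a marker.
function blockingDetectable(profile) {
  return Object.values(profile).some((v) => v === "blocked" || v === undefined);
}

console.log("blocked, two visits linkable:", linkable(blockAll(realProfile), blockAll(realProfile)));
console.log("blocked, detectable:", blockingDetectable(blockAll(realProfile)));
console.log("spoofed, two sessions linkable:",
  linkable(spoofPerSession(realProfile, 1), spoofPerSession(realProfile, 2)));
```

Two sessions whose nonces happen to select the same list entries would still match; the short lists here only keep the example readable.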
I wish tools like ad-block would allow everything to download in the background but just block things like ads from rendering. That would prevent ad block detectors from knowing they are being blocked,
That defeats the privacy and bandwidth reasons you’d want to use uBlock but that’s close to the operating idea of AdNauseam.
How does ad render in the background compromise privacy?
Usual tracking and fingerprinting issues. Would need to sandbox it to make it secure, but that then makes the fake traffic easier to identify. Not worth it in the end.
I’m still a bit confused. How could rendering result in fingerprinting? If canvas and other fingerprinting is disabled, of course. How is ad render different from rendering other elements on a webpage?
Not afaik. You either allow it or not. Doing so selectively would require a lot more knowledge than I have.
As a workaround however, running a VM and using your browser from within that would seem like a decent-ish way to obtain similar results with minimal effort. You can use the hypervisor to set whatever limits you require.