this post was submitted on 23 Jun 2025
26 points (96.4% liked)

Privacy

3546 readers
77 users here now

Welcome! This is a community for all those who are interested in protecting their privacy.

Rules

PS: Don't be a smartass and try to game the system, we'll know if you're breaking the rules when we see it!

  1. Be civil and no prejudice
  2. Don't promote big-tech software
  3. No apathy and defeatism for privacy (i.e. "They already have my data, why bother?")
  4. No reposting of news that was already posted
  5. No crypto, blockchain, NFTs
  6. No Xitter links (if absolutely necessary, use xcancel)

Related communities:

Some of these are only vaguely related, but great communities.

founded 9 months ago
MODERATORS
fxomt@lemmy.dbzer0.com
otter@lemmy.ca
shaytan@lemmy.dbzer0.com
fxomt@piefed.social
26
Is there a way to block browser JavaScript from executing commands that retrieve sensitive information from my local machine, while still allowing JavaScript that is only used for rendering web pages? (lemmy.world)
submitted 1 month ago by cm0002@lemmy.world to c/privacy@lemmy.dbzer0.com
11 comments fedilink hide all child comments
 

Original question by @happeningtofry99158@lemmy.world

As a security-conscious user, I've used NoScript since Firefox's early days, but its restrictive nature has become frustrating. I'm often forced to go unprotected just to access websites with multiple scripts running on different domains, which defeats the purpose of using NoScript and balances security and usability that it once provided.

Is there a way to block browser JavaScript from executing commands that retrieve sensitive information from my local machine, while still allowing JavaScript that is only used for rendering web pages?

by sensitive information I'm referring to

  • local machine time
  • local machine ram
  • local machine operating system + version
  • local machine hardware
  • Serial Number
  • Hardware ID
  • UUID
  • Windows Device ID
  • Windows Product ID
  • ...

greatly appreciate any insight

you are viewing a single comment's thread
view the rest of the comments
[–] vivi@slrpnk.net 4 points 1 month ago* (last edited 1 month ago) (1 children)

Browser JavaScript is already sandboxed, so there is a limit to the info that can be accessed, though it does expose some of basic information you've listed.

To the best of my knowledge, the only items that can be accessed from the ones you listed are:

  • current time (by creating a Date object)
  • operating system and version (though this is usually not precise info and only provides a rough version)

an example of the info that can be accessed (via the navigator property) for a Windows pc is:

# platform = Win32
# appCodeName = Mozilla
# appName = Netscape
# appVersion = 5.0 (Windows; en-US)
# language = en-US
# mimeTypes = [object MimeTypeArray]
# oscpu = Windows NT 5.1
# vendor = Firefox
# vendorSub = 1.0.7
# product = Gecko
# productSub = 20050915
# plugins = [object PluginArray]
# userAgent = Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

As you can see it's not a whole lot of information. Certainly there is no way to get the serial number or other hardware information. Also, local files cannot be accessed without permission.

There are some user agent spoofer addons that will change the user agent string. I am not sure but i imagine some of those also allow overriding this navigator information to anonymize that data further. Preventing accessing the user's time zone would be pretty impossible though given how the Date object works.

[–] 30p87@feddit.org 2 points 1 month ago (1 children)

Assuming there are no Bugs/"Features". Which certain companies, which are also amongst the luckiest bugfinders, wouldn't disclose at that level.

[–] vivi@slrpnk.net 3 points 1 month ago (1 children)

Well, undiscovered vulnerabilities are kind of a special case. You can't do anything about those except turn off your pc entirely. Using NoScript isn't necessarily going to help with those.

[–] 30p87@feddit.org 2 points 1 month ago* (last edited 1 month ago)

Depends. I mean stuff like undocumented/hidden properties of Objects leaking more infos than it should, which NoScript does help against. Or creative thinking, like timing certain actions (eg. drawing a canvas) to get a fingerprint and vague information about your system.

Of course, actual RCE/leaking (eg. arbitrary (process) memory reading) in the JS engine itself is another story.