this post was submitted on 23 Jun 2025
26 points (96.4% liked)

Original question by @happeningtofry99158@lemmy.world

As a security-conscious user, I've used NoScript since Firefox's early days, but its restrictive nature has become frustrating. I'm often forced to go unprotected just to access websites with multiple scripts running on different domains, which defeats the purpose of using NoScript and the balance of security and usability that it once provided.

Is there a way to block browser JavaScript from executing commands that retrieve sensitive information from my local machine, while still allowing JavaScript that is only used for rendering web pages?

By sensitive information I'm referring to:

  • local machine time
  • local machine ram
  • local machine operating system + version
  • local machine hardware
  • Serial Number
  • Hardware ID
  • UUID
  • Windows Device ID
  • Windows Product ID
  • ...

Greatly appreciate any insight.

top 11 comments
[–] NaibofTabr 5 points 1 month ago

I've been using JShelter which provides a few different options for handling page load failures. It also works on Firefox mobile.

A couple notes:

  • You can be fingerprinted by the extensions you have installed in your browser. This is really difficult to circumvent, because if certain pieces of a website's code never load on your system and never send expected responses to the server then the server definitely knows that. The more uncommon extensions you have installed, the more identifiable you are - and you're already in a minority as a Firefox user.
  • More and more websites are behind Cloudflare (mostly because of DDoS attacks) and JShelter will typically break Cloudflare's filter which attempts to block bots. I've found that disabling just the fingerprint detector usually allows access to sites that have this protection.
[–] vivi@slrpnk.net 4 points 1 month ago* (last edited 1 month ago) (1 children)

Browser JavaScript is already sandboxed, so there is a limit to the info that can be accessed, though it does expose some of the basic information you've listed.

To the best of my knowledge, the only items that can be accessed from the ones you listed are:

  • current time (by creating a Date object)
  • operating system and version (though this is usually not precise info and only provides a rough version)

An example of the info that can be accessed (via the navigator property) for a Windows PC is:

# platform = Win32
# appCodeName = Mozilla
# appName = Netscape
# appVersion = 5.0 (Windows; en-US)
# language = en-US
# mimeTypes = [object MimeTypeArray]
# oscpu = Windows NT 5.1
# vendor = Firefox
# vendorSub = 1.0.7
# product = Gecko
# productSub = 20050915
# plugins = [object PluginArray]
# userAgent = Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

As you can see it's not a whole lot of information. Certainly there is no way to get the serial number or other hardware information. Also, local files cannot be accessed without permission.

There are some user agent spoofer addons that will change the user agent string. I am not sure, but I imagine some of those also allow overriding this navigator information to anonymize that data further. Preventing access to the user's time zone would be pretty impossible though, given how the Date object works.
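A self-audit along the lines of the comment above, as an added example that is not part of the original thread: it reports, for each item in the question, what an ordinary page script can actually read. `auditExposure`, `PROBES` and `SAMPLE_NAVIGATOR` are names made up for this example; the sample object is constructed from the values quoted above, and `deviceMemory` / `hardwareConcurrency` are standard `navigator` properties that not every browser defines.

```javascript
// Added example: run auditExposure(navigator) in the browser console to see
// what page scripts can read. SAMPLE_NAVIGATOR is constructed test input
// built from the values quoted in the comment above.
const SAMPLE_NAVIGATOR = {
  platform: "Win32",
  oscpu: "Windows NT 5.1",
  userAgent: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7",
  // deviceMemory and hardwareConcurrency are deliberately absent here
};

// One probe per item from the question. null = per the comment above,
// page scripts have no way to read that value.
const PROBES = {
  "local machine time": () => ({
    utcOffsetMinutes: new Date().getTimezoneOffset(),
    timeZone: Intl.DateTimeFormat().resolvedOptions().timeZone,
  }),
  "operating system + version": (nav) => ({
    platform: nav.platform, oscpu: nav.oscpu, userAgent: nav.userAgent,
  }),
  // Chromium-only, reported as a coarse rounded value in GiB
  "local machine ram": (nav) => ({ deviceMemory: nav.deviceMemory }),
  // Logical CPU core count
  "local machine hardware": (nav) => ({ hardwareConcurrency: nav.hardwareConcurrency }),
  "Serial Number": null,
  "Hardware ID": null,
  "UUID": null,
  "Windows Device ID": null,
  "Windows Product ID": null,
};

function auditExposure(nav) {
  const report = {};
  for (const [item, probe] of Object.entries(PROBES)) {
    const values = probe ? probe(nav) : {};
    // Keep only the properties this browser actually defines
    const readable = Object.fromEntries(
      Object.entries(values).filter(([, v]) => v !== undefined && v !== null)
    );
    report[item] = { exposed: Object.keys(readable).length > 0, readable };
  }
  return report;
}
```

Running it before and after enabling a spoofer add-on or Firefox's Resist Fingerprinting shows which of these values the setting actually changes.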

[–] 30p87@feddit.org 2 points 1 month ago (1 children)

Assuming there are no Bugs/"Features". Which certain companies, which are also amongst the luckiest bugfinders, wouldn't disclose at that level.

[–] vivi@slrpnk.net 3 points 1 month ago (1 children)

Well, undiscovered vulnerabilities are kind of a special case. You can't do anything about those except turn off your pc entirely. Using NoScript isn't necessarily going to help with those.

[–] 30p87@feddit.org 2 points 1 month ago* (last edited 1 month ago)

Depends. I mean stuff like undocumented/hidden properties of Objects leaking more info than they should, which NoScript does help against. Or creative thinking, like timing certain actions (e.g. drawing a canvas) to get a fingerprint and vague information about your system.

Of course, actual RCE/leaking (e.g. arbitrary (process) memory reading) in the JS engine itself is another story.

[–] lambalicious@lemmy.sdf.org 2 points 1 month ago (1 children)

local machine time

local machine ram

I'd venture the only way to block those is to either recompile the browser or somehow use a separate JavaScript engine that doesn't provide that info, as it's pretty foundational (as some people mention, localtime is accessible simply by constructing a Date object).

[–] outhouseperilous@lemmy.dbzer0.com 1 points 1 month ago* (last edited 1 month ago) (1 children)

Qubes? Every window its own vm?

[–] lambalicious@lemmy.sdf.org 1 points 1 month ago (1 children)

I feel that would be incredibly wasteful (and a browsing session can be several windows, too) for marginal zero or even negative net gain. Browsing would also need to set isolation profiles, because for some tabs, sites or windows you'd certainly want to have access to your localtime (plus it be precise enough). Ditto for each and every potential variable.

The truth is, not everything needs to be containerized.

You're right. Wall of pi's and a kvm switch.

[–] nimble@lemmy.blahaj.zone 1 points 1 month ago

Disable webgl if you haven't already

[–] who@feddit.org 1 points 1 month ago* (last edited 1 month ago)

The Tor Browser and Firefox's Resist Fingerprinting mode hide some of the things that can be used to identify your system, but there is no way to hide them all. Short of avoiding all sites that you don't completely trust, disabling scripts is the best protection available.

multiple scripts running on different domains

Off-site scripts can be blocked on a per-site basis with browser extensions like uMatrix (discontinued but still functional) and uBlock Origin (still maintained but harder to use for this purpose). To be clear, these scripts run on your machine, regardless of where they come from.