As a security-conscious user, I’ve used NoScript since Firefox’s early days, but its restrictive nature has become frustrating. I’m often forced to go unprotected just to access websites with multiple scripts running on different domains, which defeats the purpose of using NoScript and the balance of security and usability that it once provided.
Is there a way to block browser JavaScript from executing commands that retrieve sensitive information from my local machine, while still allowing JavaScript that is only used for rendering web pages?
by sensitive information I’m referring to
greatly appreciate any insight
EDIT:
could be possible solution
https://discuss.grapheneos.org/d/16025-vanadium-and-what-to-use-on-desktop/19
Most of those things cannot be collected through JavaScript.
Local time can.
RAM can only be approximated to protect user privacy. Edit: And it’s not available on Firefox.
OS+version are already in your browser’s user-agent string that is sent out with every request you make.
Machine hardware cannot be enumerated. JavaScript can try to guess your GPU based on what it can do with WebGL.
There is no way to get a serial number or similar.
To spoof timezone/OS+version/browser+version … and disable WebGL, use https://sereneblue.github.io/chameleon/
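An added example, not part of the thread: a small self-audit that lists which of the signals discussed above a site still receives when scripts are blocked. The User-Agent string and the sample values are constructed, the function names are hypothetical, and the "estimable from IP" label reflects the point made elsewhere in this thread about local time.

```javascript
// Constructed sample: headers a server receives with every request, scripts blocked or not.
const sampleHeaders = {
  "user-agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
};

// Read the script-visible values in the current browser (safe to call outside one).
function collectScriptEnv() {
  const nav = typeof navigator !== "undefined" ? navigator : {};
  let webgl = null;
  if (typeof document !== "undefined") {
    webgl = document.createElement("canvas").getContext("webgl") !== null;
  }
  return {
    timeZone: Intl.DateTimeFormat().resolvedOptions().timeZone,
    deviceMemory: nav.deviceMemory ?? null, // approximate GiB; absent on Firefox
    webglEnabled: webgl,
  };
}

// Extract the OS token and browser/version from a User-Agent string.
function parseUserAgent(ua) {
  const platform = (ua.match(/\(([^)]*)\)/) || [])[1] ?? null;
  const m = ua.match(/(Firefox|Chrome|Safari)\/([\d.]+)/);
  return { platform, browser: m ? `${m[1]} ${m[2]}` : null };
}

// One row per signal: its value and what happens to it when scripts are blocked.
function auditExposure(headers, env) {
  const ua = parseUserAgent(headers["user-agent"] || "");
  return [
    { signal: "OS + version", value: ua.platform, scriptsBlocked: "still sent" },
    { signal: "browser + version", value: ua.browser, scriptsBlocked: "still sent" },
    { signal: "time zone", value: env.timeZone ?? null, scriptsBlocked: "estimable from IP" },
    { signal: "RAM (approx.)", value: env.deviceMemory ?? null, scriptsBlocked: "hidden" },
    { signal: "WebGL enabled", value: env.webglEnabled ?? null, scriptsBlocked: "hidden" },
  ].filter((row) => row.value !== null);
}

// Constructed script-visible values for a Firefox profile with WebGL disabled.
const sampleEnv = { timeZone: "Europe/Berlin", deviceMemory: null, webglEnabled: false };
console.table(auditExposure(sampleHeaders, sampleEnv));
```

To check your own browser, paste the functions into the developer console and call `auditExposure({ "user-agent": navigator.userAgent }, collectScriptEnv())`, once with a spoofing extension enabled and once without.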
Harsh question: Do you have a real need to prevent this data from being collected, or are you investigating just for ~~funsies~~ best practice advice? There are a lot of posts like this where people overestimate the threat model they have and insist on needing to block things that are nearly impossible to, or at least have significant tradeoffs like you are dealing with now.
JavaScript is also not the only source that sites can use for these pieces of info from your machine. Local time in particular can be estimated by looking up the rough location of your IP address then matching to a time zone.
Anyway.
I would assume you could technically fork LocalCDN (replaces remote JavaScript libraries with local copies) and then manually edit the local JavaScript library copies to remove the calls you are concerned about.
There are also options like uBlock Origin’s methods of only whitelisting specific scripts. Much more flexible than NoScript. You can block scripts that are third party and only allow site specific ones fairly easily, without digging deep into the settings.
Bear in mind that your specific combination of installed extensions can also be a unique identifier though.
maybe
yes
Could you explain why it is nearly impossible from only blocking JavaScript from attaining "local machine operating system + version"? I don’t think this kind of information is relevant for webpage displaying. I don’t think a webpage will break if we ban JS from doing so.
that could work I guess when I have enough js knowledge
Is it possible to adjust uBlock Origin whitelisting and disallow JS that retrieves "local machine operating system + version" from running?
Does this mean a website can see all the extensions I installed?