[linux-elitists] Browser fingerprinting
James A. Donald
jamesd at echeque.com
Tue Oct 15 04:51:46 PDT 2013
On 2013-10-15 19:54, Cathal Garvey wrote:
>> with folks that refuse to run JavaScript
> Not "JavaScript"; "Unverified, potentially malicious code with a
> rich history of exploits inside a frame I use to navigate the online
> world". It wouldn't matter if the code was LISP or Python; the problem
> isn't the language, it's the context.
>
> That said, I do run JavaScript, albeit through NoScript. I just wish
> there were more fine-grained policy restrictions I could place on it,
> such as "No XmlHttpRequest/Websocket" or "No browser introspection
> (fonts, boundaries, etc.)", and let webapps that are trying to
> fingerprint me without my permission just crash and burn.

JavaScript can be controlled by being recompiled into the Caja subset of
JavaScript.

In practice, however, this is only done when a server controlled by one
organization is generating a web page containing JavaScript controlled
by another organization - Caja is used to protect one website against
another, but not used to protect the client against the website.