As a security-conscious user, I’ve used NoScript since Firefox’s early days, but its restrictive nature has become frustrating. I’m often forced to go unprotected just to access websites with multiple scripts running on different domains, which defeats the purpose of using NoScript and balances security and usability that it once provided.

Is there a way to block browser JavaScript from executing commands that retrieve sensitive information from my local machine, while still allowing JavaScript that is only used for rendering web pages?

by sensitive information I’m referring to

  • local machine time
  • local machine ram
  • local machine operating system + version
  • local machine hardware
  • Serial Number
  • Hardware ID
  • UUID
  • Windows Device ID
  • Windows Product ID

greatly appreciate any insight

EDIT:

could be possible solution

https://discuss.grapheneos.org/d/16025-vanadium-and-what-to-use-on-desktop/19

LibreJS: GNU LibreJS aims to address the JavaScript problem described in Richard Stallman’s article The JavaScript Trap.

JShelter: Mitigates potential threats from JavaScript, including fingerprinting, tracking, and data collection. Slightly modifies the results of API calls, differently on different domains, so that the cross-site fingerprint is not stable. Applies security counter-measures that are likely not to break web pages. Allows fine-grained control over the restrictions and counter-measures applied to each domain.

  • JShelter
    • tested on reddit, could work
  • wizardbeard@lemmy.dbzer0.comEnglish
    61·
    4 hours ago

    Harsh question: Do you have a real need to prevent this data from being collected, or are you investigating just for funsies best practice advice? There are a lot of posts like this where people overestimate the threat model they have and insist on needing to block things that are nearly impossible to, or at least have significant tradeoffs like you are dealing with now.

    Javascript is also not the only source that sites can use for these pieces of info from your machine. Local time in particular can be estimated by looking up the rough location of your IP address then matching to a time zone.

    Anyway.

    I would assume you could technically fork localCDN (replaces remote javascript libraries with local copies) and then manually edit the local javascript library copies to remove the calls you are concerned about.

    There’s also options like uBlock Origin’s methods of only whitelisting specific scripts. Much more flexible than NoScript. You can block scripts that are third party and only allow site specific ones fairly easily, without digging deep into the settings.

    Bear in mind that your specific combination of installed extensions can also be a unique identifier though.

    • happeningtofry99158@lemmy.worldOP
      2·
      1 hour ago

      Do you have a real need to prevent this data from being collected

      maybe

      or are you investigating just for best practice advice?

      yes

      There are a lot of posts like this where people overestimate the threat model they have and insist on needing to block things that are nearly impossible to, or at least have significant tradeoffs like you are dealing with now

      could you explain why it is nealy impossible from only blocking javascript from attaining "local machine operating system + version "? I don’t think this kind of information is relevant for webpage displaying. I dont think webpage will break if we ban js from doing so

      I would assume you could technically fork localCDN (replaces remote javascript libraries with local copies) and then manually edit the local javascript library copies to remove the calls you are concerned about.

      that could work I guess when I have enough js knowledge

      There’s also options like uBlock Origin’s methods of only whitelisting specific scripts. Much more flexible than NoScript. You can block scripts that are third party and only allow site specific ones fairly easily, without digging deep into the settings.

      is it possible to adjust uBlock Origin whitelisting and disallow js that retrieve "local machine operating system + version " from running?

      Bear in mind that your specific combination of installed extensions can also be a unique identifier though.

      Does this mean website can see all the extensions I installed?

  • jet@hackertalks.comEnglish
    3·
    9 hours ago

    Depends what you mean by local information

    Your best method:

    Use a socksv5 proxy with your browser so it can’t connect to localhost

    Use a incognito browser for the login session

    • happeningtofry99158@lemmy.worldOP
      3·
      8 hours ago

      by sensitive information I’m referring to

      • local machine time
      • local machine ram
      • local machine operating system + version
      • local machine hardware
      • Serial Number
      • Hardware ID
      • UUID
      • Windows Device ID
      • Windows Product ID

      Can I prevent javascript from running specific command that retrieve these information?

      • jet@hackertalks.comEnglish
        51·
        8 hours ago

        If any of that information is critical, you should not be running JavaScript. You should remote into a virtual machine and then browse from there.

        Even the tor browser bundle gives away machine architecture

          • jet@hackertalks.comEnglish
            51·
            8 hours ago

            your not wrong, but every browser exposes it via javascript. so if that is part of your threat model you can’t use a local browser.

    • happeningtofry99158@lemmy.worldOP
      2·
      8 hours ago

      Use a socksv5 proxy with your browser so it can’t connect to localhost

      Website is able to get info of localhost?

      Does this mean they are able to see what docker container I’m hosting?

      • jet@hackertalks.comEnglish
        1·
        7 hours ago

        many browsers allow connection to localhost ports, this is how discord opens discord links in the app and not the browser on people’s desktop computers.

        • happeningtofry99158@lemmy.worldOP
          1·
          7 hours ago

          I see, could you link to an article or video that explains more about how this is achieved? Is there a browser extension to disable a website from accessiing localhost connection?

          • jet@hackertalks.comEnglish
            1·
            7 hours ago

            socksv5 proxies, or you could dig into the settings and find a option to disable local connections (not sure where)

  • 0x01@lemmy.ml
    2·
    8 hours ago

    Javascript can’t generally access your local machine directly, but scoped local data like cookies are available. What in particular are you nervous about? You could run your browser in a virtual machine?

    • happeningtofry99158@lemmy.worldOP
      1·
      8 hours ago

      by sensitive information I’m referring to

      • local machine time
      • local machine ram
      • local machine operating system + version
      • local machine hardware
      • Serial Number
      • Hardware ID
      • UUID
      • Windows Device ID
      • Windows Product ID

      Can I prevent javascript from running specific command that retrieve these information?

      • 0x01@lemmy.ml
        2·
        6 hours ago

        You could monkeypatch some javascript functions like the constructor Date types, but there will always be things not thought of that will leak date info. Hardware identifiers are quite difficult to get in javascript and several browsers already obfuscate that info.

        Honestly if you’re very concerned, I really do think a virtual machine is your absolute safest approach, obviously the browsing experience is worse.

        Check out amiunique.org to see what fingerprinting is generally available in your current browser