agnos.is Forums

Is there a way to block browser JavaScript from executing commands that retrieve sensitive information from my local machine, while still allowing JavaScript that is only used for rendering web pages?

  • cm0002@lemmy.world

    Original question by @[email protected]

    As a security-conscious user, I've used NoScript since Firefox's early days, but its restrictive nature has become frustrating. I'm often forced to go unprotected just to access websites with multiple scripts running on different domains, which defeats the purpose of using NoScript and balances security and usability that it once provided.

    Is there a way to block browser JavaScript from executing commands that retrieve sensitive information from my local machine, while still allowing JavaScript that is only used for rendering web pages?

    By sensitive information I'm referring to:

    • local machine time
    • local machine ram
    • local machine operating system + version
    • local machine hardware
    • Serial Number
    • Hardware ID
    • UUID
    • Windows Device ID
    • Windows Product ID
    • ...

    greatly appreciate any insight

    N wrote (#3):

    I've been using JShelter which provides a few different options for handling page load failures. It also works on Firefox mobile.

    A couple notes:

    • You can be fingerprinted by the extensions you have installed in your browser. This is really difficult to circumvent, because if certain pieces of a website's code never load on your system and never send expected responses to the server then the server definitely knows that. The more uncommon extensions you have installed, the more identifiable you are - and you're already in a minority as a Firefox user.
    • More and more websites are behind Cloudflare (mostly because of DDoS attacks) and JShelter will typically break Cloudflare's filter which attempts to block bots. I've found that disabling just the fingerprint detector usually allows access to sites that have this protection.
    • vivi@slrpnk.net

      Browser JavaScript is already sandboxed, so there is a limit to the info that can be accessed, though it does expose some of the basic information you've listed.

      To the best of my knowledge, the only items that can be accessed from the ones you listed are:

      • current time (by creating a Date object)
      • operating system and version (though this is usually not precise info and only provides a rough version)

      An example of the info that can be accessed (via the navigator property) for a Windows PC is:

      # platform = Win32
      # appCodeName = Mozilla
      # appName = Netscape
      # appVersion = 5.0 (Windows; en-US)
      # language = en-US
      # mimeTypes = [object MimeTypeArray]
      # oscpu = Windows NT 5.1
      # vendor = Firefox
      # vendorSub = 1.0.7
      # product = Gecko
      # productSub = 20050915
      # plugins = [object PluginArray]
      # userAgent = Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
      

      As you can see it's not a whole lot of information. Certainly there is no way to get the serial number or other hardware information. Also, local files cannot be accessed without permission.

      There are some user agent spoofer addons that will change the user agent string. I am not sure, but I imagine some of those also allow overriding this navigator information to anonymize that data further. Preventing access to the user's time zone would be pretty impossible though, given how the Date object works.
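
Added example, not part of the post above or of any extension named in this thread: a small audit helper that records which of the values discussed here a page's script can read, and compares two snapshots (for instance before and after enabling a spoofing add-on). The function names, the `hardwareConcurrency` and `deviceMemory` fields, the fixed clock and both sample objects are assumptions added here; in a browser console, pass the real `navigator` instead.

```javascript
// Fields from the thread's listing plus two hardware hints some browsers expose.
const FIELDS = ["platform", "oscpu", "userAgent", "language", "vendor",
  "hardwareConcurrency", "deviceMemory"];

// Record what a script can read. `nav` is a navigator-like object and `clock`
// a Date-like object, so this runs in a browser console or offline in Node.
function snapshot(nav, clock = new Date()) {
  const seen = {};
  for (const field of FIELDS) {
    // null = the property is absent, i.e. not exposed to scripts at all
    seen[field] = field in nav ? String(nav[field]) : null;
  }
  // The UTC offset comes from Date, not navigator, so user-agent spoofing
  // alone leaves it unchanged.
  seen.utcOffsetMinutes = -clock.getTimezoneOffset();
  return seen;
}

// Compare two snapshots, e.g. before and after enabling a protection.
function diffSnapshots(before, after) {
  const result = { changed: [], unchanged: [], hidden: [] };
  for (const key of Object.keys(before)) {
    if (after[key] === null && before[key] !== null) result.hidden.push(key);
    else if (after[key] !== before[key]) result.changed.push(key);
    else result.unchanged.push(key);
  }
  return result;
}

// Constructed sample: values copied from the listing in the post above.
const SAMPLE_BEFORE = {
  platform: "Win32", oscpu: "Windows NT 5.1", language: "en-US", vendor: "Firefox",
  userAgent: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7",
};
// Constructed sample: hypothetical values after a spoofing add-on, not the
// output of any particular tool.
const SAMPLE_AFTER = {
  platform: "Win32", language: "en-US", vendor: "",
  userAgent: "Mozilla/5.0 (Windows NT 10.0; rv:0.0) Gecko/20100101 Firefox/0.0",
};
// Constructed fixed clock standing in for `new Date()` on a UTC+2 machine.
const CLOCK = { getTimezoneOffset: () => -120 };

const report = diffSnapshots(snapshot(SAMPLE_BEFORE, CLOCK), snapshot(SAMPLE_AFTER, CLOCK));
console.log(report);
```

Fields that land in `unchanged` are the ones the protection did not touch; the UTC offset stays there unless the Date behaviour itself is altered.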

      30p87@feddit.org wrote (#4):

      Assuming there are no Bugs/"Features". Which certain companies, which are also amongst the luckiest bugfinders, wouldn't disclose at that level.

        vivi@slrpnk.net wrote (#5):

        Well, undiscovered vulnerabilities are kind of a special case. You can't do anything about those except turn off your pc entirely. Using NoScript isn't necessarily going to help with those.

          30p87@feddit.org wrote (#6):

          Depends. I mean stuff like undocumented/hidden properties of Objects leaking more info than they should, which NoScript does help against. Or creative thinking, like timing certain actions (e.g. drawing a canvas) to get a fingerprint and vague information about your system.

          Of course, actual RCE/leaking (e.g. arbitrary (process) memory reading) in the JS engine itself is another story.

            L wrote (#7):

            local machine time

            local machine ram

            I'd venture the only way to block those is to either recompile the browser or somehow use a separate JavaScript engine that doesn't provide that info, as it's pretty foundational (as some people mention, localtime is accessible simply by constructing a Date object).

              W wrote (#8):

              The Tor Browser and Firefox's Resist Fingerprinting mode hide some of the things that can be used to identify your system, but there is no way to hide them all. Short of avoiding all sites that you don't completely trust, disabling scripts is the best protection available.

              multiple scripts running on different domains

              Off-site scripts can be blocked on a per-site basis with browser extensions like uMatrix (discontinued but still functional) and uBlock Origin (still maintained but harder to use for this purpose). To be clear, these scripts run on your machine, regardless of where they come from.

                O wrote (#9):

                Qubes? Every window its own vm?

                  L wrote (#10):

                  I feel that would be incredibly wasteful (and a browsing session can be several windows, too) for marginal zero or even negative net gain. Browsing would also need to set isolation profiles, because for some tabs, sites or windows you'd certainly want to have access to your localtime (plus it be precise enough). Ditto for each and every potential variable.

                  The truth is, not everything needs to be containerized.

                    O wrote (#11):

                    You're right. Wall of pi's and a kvm switch.

                      N wrote (#12):

                      Disable WebGL if you haven't already
