[linux-elitists] Browser fingerprinting
- To: [email protected]
- Subject: [linux-elitists] Browser fingerprinting
- From: [email protected] (James A. Donald)
- Date: Tue, 15 Oct 2013 21:51:46 +1000
- In-reply-to: <20131015105404.097eac36@Neptune>
- References: <[email protected]> <1381804027490.ae5de89b@Nodemailer> <20131015105404.097eac36@Neptune>
On 2013-10-15 19:54, Cathal Garvey wrote:
>> with folks that refuse to run JavaScript
> Not "JavaScript"; "Unverified, potentially malicious code with a
> rich history of exploits inside a frame I use to navigate the online
> world". It wouldn't matter if the code was LISP or Python; the problem
> isn't the language, it's the context.
>
> That said, I do run JavaScript, albeit through NoScript. I just wish
> there were more fine-grained policy restrictions I could place on it,
> such as "No XmlHttpRequest/Websocket" or "No browser introspection
> (fonts, boundaries, etc.)", and let webapps that are trying to
> fingerprint me without my permission just crash and burn.

JavaScript can be controlled by being recompiled into the Caja subset of
JavaScript.

In practice, however, this is only done when a server controlled by one
organization is generating a web page containing JavaScript controlled
by another organization - Caja is used to protect one website against
another, but not used to protect the client against the website.