undefined | Better HN

0 pointsstrbean5y ago0 comments

I don't understand this bit:

> But there's a third issue: websites can easily determine whether you have allowed JavaScript for them, and if you disable JavaScript by default but then allow a few websites to run scripts (the way most people use NoScript), then your choice of whitelisted websites acts as a sort of cookie that makes you recognizable (and distinguishable), thus harming your anonymity.

How would this work exactly? And if it did work, wouldn't it at the very worst only work on sites for which you had enabled JS? I.e. sites that you had already essentially conceded your anonymity on by choice?

I don't see this as a worthy argument for enabling JS by default and destroying users' anonymity without custom configuration.

0 comments

slashink5y ago

You just let the javascript send a heartbeat ping. If you don't receive the ping but served the page you can determine that the user agent did not execute the javascript.

cortesoft5y ago

Sure, but the comment mentions that you would use the 'set of websites that are whitelisted' as an identifier... your method can only check the site you are currently on, it doesn't give you information on if other websites have been whitelisted or not.

flotzam5y ago

AFAIK NoScript whitelists don't respect first-party isolation (so a JS-enabled website can be included in a JS-disabled website), which makes it a relatively simple coordination problem between website A and B (possibly automated by a third-party tracker included in both A and B).

In any case, first-party isolation can be subverted: https://news.ycombinator.com/item?id=17947605

1 more reply

j / k navigate · click thread line to collapse