#1 Privacy Tip - Disable Javascript

I’ve disabled javascript in the browser for a long time, for all but a very small handful of trusted sites, but most people are unaware and ignorantly won’t for the sake of convenience. It is the #1 tool used to violate user privacy, even if you are using the Tor Browser.

If a site won’t display or operate correctly without javascript then give it a wide berth IMHO.

Alternatively you could access it with javascript enabled via Tor Browser in a Tails or Whonix VM, although sites that track in this manner also tend to block Tor exit nodes.


I’d say it’s #1 for security, for privacy - it’s a big factor, but far from being a panacea, unfortunately…

That depends - if the scripts are loaded from site or CDN then you could argue there is a privacy issue but from a security POV - if you are browsing responsibly javascript is as harmful as html.

If the script is loaded from site the only effect you will get is a dysfunctional site.

As a developer - when working with frontends - I am often using javascript to pull data from an API - to filter the DOM on the fly based on user criteria e.g. text entered in the search field - and other DOM related tasks - dynamically displaying data, sorting, filtering you name it.


Very important cog though. Nearly all tracking these days is done through fingerprinting. Not even TOR browser is immune from that, although slightly less info is exposed.

Fingerprinting is only possible if javascript is enabled.

Tracking scripts are now rarely loaded from a separate URL as they can be easily blocked by addons like uBlock. They are much more likely to be intermingled within the site URL scripts.

Cross domain scripting attacks are also much less common, the hackers have evolved.

Who cares how you are using it? Javascript is dangerous to the end user of a public internet site.

Asynchronous data retrieval, manipulate the BOM, filter data in the UI … companies that force javascript on users to make their site functional will have far more tracking code in it than UI manipulation code. Tis the way of the world.

Enabling javascript in my browser allows developers like you access to details about my system, and the potential to do malicious damage. Why should anyone trust you or the company you work for?

Of course internal corporate intranet sites are a different kettle of fish, although the merits of using javascript as a cross platform app development framework are quite another topic.

Nope, there are much more advanced tracking techniques including:

  • cookies
  • xss requests
  • favicons
  • visited links highlight (YES!!! :exploding_head:)
  • base64 encoded images from css (there’s no way at all around it, what are you gonna do, turn off images?! :upside_down_face:)
  • some inline injections

So…really if you want to mitigate all that you’ve only got a chance of doing so by using a text browser maybe, and even then I’m not perfectly sure what can be done / injected via php on server side, coz there are a lot of holes… :laughing:

Unfortunately one has to evaluate risks and compartmentalize between:

  • daily routines
  • work
  • potentially dangerous / shady stuff (Whonix / Qubes / Tails etc)

Not at all, it’s still a very effective technique on a large scale, because people don’t care & soydevery! :upside_down_face:

As both a developer and a privacy conscious user I’d have to agree and disagree :slight_smile:

Yes it’s super dangerous (and users should be educated on how to mitigate it on their ends), but in business JavaScript = money (and I don’t mean malicious JavaScript necessarily, you can use a very small set of functionality without bloat), so nobody gives a crap about your privacy and never will except yourself.

And again, if you think that client side is the biggest problem - oh you’re dead wrong, php and server side stuff is absolutely a swiss cheese :cheese: , it’s one of the biggest targets always and always will be which is out of your control.

To me using the internet is dangerous as a concept, you’ll never be safe unless unplugged completely.

Of course, there are literally hundreds of techniques used, but fingerprinting is currently considered the most reliable by Big Data when collating info by identity. This is because people don’t disable it, or even know what it is.

Other data is also used, but aggregated profiles rely heavily on fingerprinting.

Cookies, super cookies, canvas elements, url injections, different image based techniques, etc … all still need to be mitigated against with user.js config settings and specific addons.

I know how business works, particularly at the macro level, which is precisely why I am so privacy conscious. I get it, but as a home user I just don’t care.

The handful of sites I need to run with javascript are all done within a VM, either a live environment with custom profile user.js, or Tails / Whonix.

I am talking here strictly about client side javascript executing in the browser … the enormous javascript frameworks that incorporate both client and server layers are not really in scope for this particular discussion.

Not fear based for me, more frustration, just want to obfuscate and make it as hard as possible for them.

Of course if you use Chrome none of this matters, Google will track you using your unique ID within the browser. These people deserve to be mercilessly exploited tracked.

I just gave it a try and deactivated all javascript with ublock origin. But that basically stops most of the webpages from working. No home banking, reduced qwant search engine integration in firefox, not even this forum is working as it should. I ended up creating many(!) exceptions. Not sure if that is sustainable for me…

I mean…Yeah I agree with the statement, it will certainly work against advertisement and big-data crowd.

However, there’s also one big problem with security - if somebody is REALLY hunting on you - it will be very easy to detect and target someone without JavaScript and a couple of advanced non-js technique points to be 100% unique :laughing:

To me it’s freedom based :+1:

Takes more than a few uBlock rules and an hour or two, it requires a different way of thinking & working. Most people are apathetic and just shrug, seems like too much effort.


This is how the bad guys win.

