[kodablah]

Is there a way to take another approach of preventing dynamic data from getting back without an explicit opt-in from the user? This will never happen of course on the regular internet, but for hidden services or some other static-page-only-unless-opt-in surely even if fingerprinting information can be obtained, can we block it from getting back to the host?

[roywiggins]

It seems like a losing battle to me. You'd have to prevent Javascript inserting links into the DOM (it could stick parameters in the URL), inserting images (similar), loading any assets from anywhere programmatically, any AJAX requests, any redirects, setting any cookies... and probably more besides.

...and eventually you'd have some chap like the OP here who will come up with a clever way to exfiltrate information somehow anyway.

[deadowl]

Even updating only 100ms at a time, you could statistically infer much smaller intervals if you're able to cross-reference timestamps.