Hacker News
by 3np 1601 days ago
It’s been a while but IIRC as long as there’s JS it can be gotten implicitly by probing and comparing dimensions of elements and viewport on the page.

We could question if that’s really necessary as well but the ship has kind of sailed on that one.

2 comments

IMHO, even when sandboxed, allowing a fully Turing-complete language with such a vast selection of available APIs to run on page load by default is what kills privacy.

People should be trained to allow script execution only when they trust the site, and there should be levels: Zero, Fully Isolated, Trusted.

OK now time to wait for someone to tell me this will be too much to ask from users. It wouldn't be an invalid point either, we can't even train people to have some common sense when in control of tons of steel going fast loaded with highly flammable liquids... So, there's that.

I don't know.

It's not even per page. I don't care if I trust that page, I don't want any FB scripts to run. There are so many external libraries included (loaded from a CDN they do not control) that I don't trust any developer to know with 100% certainty what their app includes.
Maybe something like randomizing the variables in a realistic way across many sessions where the real session is controlled and viewed directly by the user.

I don't think it would work when there's a state across views or server though, but maybe that's something you avoid when using Tor anyway?