[mrex]

>Just makes no sense to have such a complex system

It's not that complex, it really can be reduced to what the browser already does: attempts to render web pages best for the display, without full hinting from the server-side.

In the end, what I'm getting at is that browsers should start viewing any page in an untrusted mode, and this mode should dramatically limit available fingerprint features to the most minimal subset that provides an acceptable user experience.

[O__________O]

No. Whole point of disabling long list of functionality mentioned in the article is so that — no - code is executed via that functionality on the device at all. You are suggesting something that go against whole point of turning it off. Browser already operates in “untrusted” mode. Apple’s iPhone systems and hardware are not designed to be separated. Even if the hardware was duplicated and completely isolated, the secure hardware would be in close physical proximity to non-secure hardware and as a result would be vulnerable to side-channels leaks and/or attacks.

You also are ignoring that a challenge-response counter-measures by the attacker would require direct and real-time action from the targeted users; CAPTCHA is a type of real-time challenge-response combined with private information would confirm that the target user is actively using the device being targeted.

If you think you understand something I don’t that’s fine, but I clearly neither understand what you’re trying to communicate, nor agree with what little I believe I do and have repeatedly attempted to explain why and you have repeatedly ignored my points. If I have ignore a material point made by you, please explicitly point it out.

[mrex]

>Browser already operates in “untrusted” mode.

My guy, there's a difference between legitimate confusion and this sort of aggressively refusing to get the point.

Clearly I'm not referring to sandboxing or app privileges, I'm referring to how your browser assumes any site that's able to send it some Javascript should automatically expect that Javascript to run, or WebGL, or WebAssembly, or whatever monstrosity.

Fundamentally the web was built with the assumption that any resource loaded was an intentional act by a user, or by a process directly authorized by a user.

Over time, the internet has drifted to a one-protocol town, and that assumption by the designers of the protocol is breaking down as the protocol becomes everything to everyone. Trust boundaries and user controls are NOT evolving in time with the protocol capabilities, and worse, protocol development has largely become a fox guarding the henhouse as the main browser developers ultimately responsible for defining the de facto protocol suite, Google and Microsoft, each vie for advertiser dollars and market ubiquity by transforming web browsers into operating systems.

[O__________O]

No longer replying, if you use Apple products, based on your needs, consider looking for other options.

And no, lockdown mode should not enable or task users with authorizing file-by-file, line—by-line, etc blacklisted technologies; believe some of the off by default functionalities are able to be whitelist per domain, but might be wrong.

Also, you clearly and repeatedly stated you wanted to simulate running the code to “spoof” devices profile to evade fingerprinting — you, not I are the one intentionally causing issues in this thread, by repeatedly changing your stated intent.

Good luck, stay safe.