> But there's a third issue: websites can easily determine whether you have allowed JavaScript for them, and if you disable JavaScript by default but then allow a few websites to run scripts (the way most people use NoScript), then your choice of whitelisted websites acts as a sort of cookie that makes you recognizable (and distinguishable), thus harming your anonymity.
How would this work exactly? And if it did work, wouldn't it at the very worst only work on sites for which you had enabled JS? I.e. sites that you had already essentially conceded your anonymity on by choice?
I don't see this as a worthy argument for enabling JS by default and destroying users' anonymity without custom configuration.
You just let the JavaScript send a heartbeat ping. If you don't receive the ping but served the page, you can determine that the user agent did not execute the JavaScript.
Sure, but the comment mentions that you would use the 'set of websites that are whitelisted' as an identifier... your method can only check the site you are currently on; it doesn't give you information on whether other websites have been whitelisted or not.
AFAIK NoScript whitelists don't respect first-party isolation (so a JS-enabled website can be included in a JS-disabled website), which makes it a relatively simple coordination problem between website A and B (possibly automated by a third-party tracker included in both A and B).
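
An added illustration, not written by any poster in this thread: it models the server-side view of the mechanism discussed above, so you can see how much a whitelist distinguishes a visitor. It assumes the behaviour described in the last comment (a script runs if its own origin is whitelisted, whatever page embeds it); the log records, visit ids and `*.example` hosts are constructed.

```javascript
// Origins whose scripts are embedded in one page (placeholders).
const PROBE_ORIGINS = ["a.example", "b.example", "c.example", "d.example"];

// Constructed log: one "served" record per page load, one "ping" record
// for each embedded script that actually executed and reported back.
const sampleLog = [
  { type: "served", visit: "v1" },
  { type: "ping", visit: "v1", origin: "a.example" },
  { type: "ping", visit: "v1", origin: "c.example" },
  { type: "served", visit: "v2" },                      // no pings: JS off everywhere
  { type: "served", visit: "v3" },
  { type: "ping", visit: "v3", origin: "a.example" },
  { type: "ping", visit: "v3", origin: "c.example" },
  { type: "served", visit: "v4" },
  { type: "ping", visit: "v4", origin: "b.example" },
  { type: "ping", visit: "v9", origin: "a.example" },   // no matching page load
];

// Served page + missing ping => script did not run for that origin.
// Returns Map(visit -> bit string, one bit per probe origin).
function whitelistSignatures(records, origins) {
  const ran = new Map();
  for (const r of records) {
    if (r.type === "served") ran.set(r.visit, new Set());
  }
  for (const r of records) {
    // Pings without a served record cannot be interpreted, so skip them.
    if (r.type === "ping" && ran.has(r.visit) && origins.includes(r.origin)) {
      ran.get(r.visit).add(r.origin);
    }
  }
  const sigs = new Map();
  for (const [visit, set] of ran) {
    sigs.set(visit, origins.map((o) => (set.has(o) ? "1" : "0")).join(""));
  }
  return sigs;
}

// Group visits by signature; a small group means a distinguishing whitelist.
function anonymitySets(sigs) {
  const groups = new Map();
  for (const [visit, sig] of sigs) {
    if (!groups.has(sig)) groups.set(sig, []);
    groups.get(sig).push(visit);
  }
  return groups;
}
```

Visits with all-zero or all-one signatures fall into the large default buckets; every mixed signature splits visitors into smaller groups, which is the "sort of cookie" effect the quoted comment describes.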