A firefox extension called Chameleon can spoof things like user agent, screen size and resolution, time zone, audio and media devices, and keyboard fingerprint, among others. It can also prevent etag tracking.
this post was submitted on 23 Jun 2025
50 points (94.6% liked)
Open Source
38197 readers
205 users here now
All about open source! Feel free to ask questions, and share news, and interesting stuff!
Useful Links
- Open Source Initiative
- Free Software Foundation
- Electronic Frontier Foundation
- Software Freedom Conservancy
- It's FOSS
- Android FOSS Apps Megathread
Rules
- Posts must be relevant to the open source ideology
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
- !libre_culture@lemmy.ml
- !libre_software@lemmy.ml
- !libre_hardware@lemmy.ml
- !linux@lemmy.ml
- !technology@lemmy.ml
Community icon from opensource.org, but we are not affiliated with them.
founded 5 years ago
MODERATORS
thank you so much
It's basically impossible to block everything, although most of what you listed in a comment is unavailable to websites. To minimize what is available you can use ublock origin, umatrix and user-agent switcher.
I've been using ublock origin for the longest time. Set it up in advanced mode and block all 3rd party domains by default. I know it can block individual line items during the js interpretation stage based on matches to plugins like anti-malware scripts. I tend to whitelist some domains I trust on all domains and I'll even blacklist some domains I don't ever trust on other domains (like facebook and anything with px in the name).
Ultimately - the more protection you put in place, the more likely you will stand out to fingerprinting. They don't give a shit about user agent descriptions. They look at things like how does your browser render a semi-transparent pixel when aliased ontop of something else. What HTML5 Canvas features does your browser support. Attempt to run this list of scripts and see which ones fail. All of that helps make a non-unique print of your browser that hints at an identity even without your Windows Device ID.
What HTML5 Canvas features does your browser support
Would you recommend disabling canvas?
No, not really. I just take an opt-in to js approach to the internet. It won't perfectly hide me from databroker fingerprinting - but that's hard to do unless you want to just use TOR for your everyday browser experience and that's too paranoid for me.
I wish tools like ad-block would allow everything to render download in the background but just block things like ads from rendering. That would prevent ad block detectors from knowing they are being blocked,
That defeats the privacy and bandwidth reasons you'd want to use uBlock but that's close to the operating idea of AdNauseam.
how does ad render in the background compromise privacy?
Usual tracking and fingerprinting issues. Would need to sandbox it to make it secure, but that then makes the fake traffic easier to identify. Not worth it in the end.
I'm still bit confused. How rendering could result in fingerprinting? If canvas and other fingerprinting is disabled of course. how is ad render different from rendering other element on a webpage
A lot of the Javascript attributes used for fingerprinting are used to decide WHAT to render and to cache settings so things work smoothly the next time you come back.
For example, the amount of RAM, your WebGL settings and version, presence of audio, mic, and camera, and screen dimensions are all relevant to a game, a browser-based video-conferencing app, or WebASM based tools like Figma.
And unless you want an app to do a full check each time it returns to foreground, it will likely cache those settings in a local store so it can quickly look it up.
If the app needs to send some of this data to the cloud so the server changes what it sends up, they now also have your IP address, rough reverse IP coordinates via ISP, and time. You can use VPN or Tor to obfuscate IP addresses, but you have to remember to turn that on each time you use the app, and in the case of VPN, to disconnect/reconnect to a random server to semi-randomize your IP (or use Tor, which does this for you).
But to answer the first question, changing or disabling those settings could break a bunch of features, especially Single-Page Applications, those using embedded analytics, or any amount of on-device graphics.
What is meant by "sensitive information" here? Browsers can't just willy-nilly access your local files or something like that. The one thing I can think of is using JavaScript to collect information that can be used to identify you. (Is that "sensitive"? I'd put that in "identifying information".) My honest suggestion is to keep using NoScript and just allow as few domains as possible. The next best option is to stop using websites that break without JavaScript when there's no reason why they'd need it.
I can imagine there being a plugin that spoofs some common ways that allow sites to identify you cross-sessions / browser / websites without your consent, but blocking JavaScript (by default) is likely one of the best ways to reduce the amount of information collected about you. When you do find such a plugin, check out one of the "browser fingerprint" testing sites to see how unique your fingerprint is.
(That is, if I even understood the request properly in regards to the "sensitive information" bit.)
by sensitive information I'm referring to
- local machine time
- local machine ram
- local machine operating system + version
- local machine hardware
- Serial Number
- Hardware ID
- UUID
- Windows Device ID
- Windows Product ID
- ...
Can I prevent javascript from running specific command that retrieve these information?
I found chameleon which spoof local machine operating system + version and browser information. But I'm not sure about other information
Most of those things cannot be collected through JavaScript.
Local time can.
RAM can only be approximated to protect user privacy. Edit: And it's not available on Firefox.
OS+version are already in your browser's user-agent string that is sent out with every request you make.
Machine hardware cannot be enumerated. JavaScript can try to guess your GPU based on what it can do with WebGL.
There is no way to get a serial number or similar.
But if you go on to block some of the stuff you make yourself easier to identify. You go from "some guy with Windows" to that "that guy who blocks this and that and also that other thing".
I think it is much more effective to use Ublock Origin and let it do its thing.
Sincere thanks
Most of those things cannot be collected through JavaScript.
Local time can.
RAM can only be approximated to protect user privacy. Edit: And it’s not available on Firefox.
OS+version are already in your browser’s user-agent string that is sent out with every request you make.
Machine hardware cannot be enumerated. JavaScript can try to guess your GPU based on what it can do with WebGL.
There is no way to get a serial number or similar.
To spoof timezone/OS+version/browser+version ... and disable WebGL, use https://sereneblue.github.io/chameleon/
I guess spoofing will not make me stand out?
Probably will, because your spoofing might not be perfect and have inconsistencies.
Thank you so very much
Can you link to a source that confirms this information can be collected with JavaScript (with browser comparison, ideally)? That seems outrageous if it was actually possible.
Not afaik. You either allow it or not. Doing so selectively would require a lot more knowledge than I have.
As a workaround however, running a VM and using your browser from within that would seem like a decent-ish way to obtain similar results with minimal effort. You can use the hypervisor to set whatever limits you require.