
Show HN: What every browser knows about you - Capira
http://webkay.robinlinus.com/
======
MichaelGG
Not sure why battery is exposed; I guess that's the result of making browsers
more like OSes.

The only really annoying thing is the idiotic WebRTC settings. Their love for
"data channels" with zero prompts, despite having no legitimate uses[1],
ignores your proxy settings. This should be fixed.

1: I asked someone involved with WebRTC. They suggested "maybe a page wants to
communicate with your fridge directly" as a serious use of WebRTC data
channels.

~~~
ozim
I am not sure if this battery is not just FUD and some other sections as well.
Because I currently have no battery in my laptop (no battery detected) and
site is saying "Charging: charging", "Battery level: 100%", "Charging time:
0h"

~~~
pmalynin
Works quite well on my phone.

~~~
ozim
Oh so it works on mobile phones then, not laptops.

~~~
elbear
It made a correct reading for my laptop (Macbook).

------
stephenr
So, literally all this said was:

- "MacIntel"

- some stuff from my User Agent string (changing it to IE11 made it think I'm
on Windows 8)

- my public IP, network provider and approx. downstream speed.

I don't use Facebook or Google so I don't know if those things would have
worked.

None of the network scanning worked, it didn't use the geolocation stuff, etc.

If Chrome/Firefox/IE do allow access to all/some of those things without
prompting, jesus titty fucking christ.

All of you claiming "Safari is the new IE6" need to perhaps pay attention.

Google has a vested interest in pushing browser technologies regardless the
cost to privacy or user security - their ChromeOS devices _depend_ on a world
where web apps can do everything.

~~~
mojuba
Same here, it didn't detect some of the things it should have
(theoretically?), e.g. AdBlock plug-in, Twitter & Co., and the EXIF data
wasn't fully exposed. The geo location was wrong by some 70 miles, but that's
a question of a proper geoip database I suppose.

All in all, not very spooky with Safari at least.

~~~
stephenr
I think it's specifically _not_ GeoIP location - that doesn't require a
browser to leak anything as it's using your public IP address.

I assume (because mine didn't show anything) that it's relying on the browser
leaking its device-detected location without prompting?

~~~
mojuba
I don't think it's possible without user's permission, so no it's likely one
of those public GeoIP databases which are usually a bit behind, inaccurate and
incomplete.

~~~
stephenr
Hmm yes, quite odd. The first time I loaded the site, nothing appeared in the
location area, leading me to suspect that it was abusing a prompt-less device
location API.

After your comment I loaded the page again, and sure enough it shows a very
specific, but quite wrong location. Wrong province wrong.

I actually got better GeoIP results than that (down to the local city) on my
old broadband connection. I just tried it now (we moved 2 km and changed ISP,
from DOCSIS to ADSL) and all I get is the country now - possibly because it's
dynamic whereas our DOCSIS IP never seemed to change.

So it's kind of creepy on Google's part that they even offer this service, but
the data seems to be so woefully useless that I can't believe anyone would
actually use it.

------
educar
[http://webkay.robinlinus.com/scripts/social-media.js](http://webkay.robinlinus.com/scripts/social-media.js)
that's a cool trick, thanks for this!

~~~
MacAsm
What is this useful for?

~~~
educar
It helps you figure out if a user is signed into a social network. One might
think this is not possible because of cross-origin restrictions, but this trick
shows you how to bypass it.

~~~
hm8
Could you explain how this works? Er, I mean why only the re-direct to the
favicon works?

~~~
eatsfoobars
The login page will redirect to the favicon if the user is already logged in,
or it will serve a regular HTML page if the user is not.

So, the script creates an (invisible) <img> element for every website which
points to the login page (which might redirect to the favicon). If it receives
an image, the user is already logged in and the onLoad() callback will fire.
Otherwise, it will get an HTML page, so the onError() callback will fire.

It could work with any image on the website, not just the favicon.

~~~
Capira
Though the redirect works only with images hosted on the same domain. The
favicon was the only image I could find on twitter.com or facebook.com.

I reported this bug to every company listed there, but all of them said it is
not relevant to their users' privacy.

~~~
hm8
Yeah, that's very critical information. Thanks, guys!

------
flexd
This is a perfect example of what an attacker could do with your browser. If
you can get a user's browser to run code, as this site demonstrates there is a
lot of information you can find. And coupled with a Cross-Site Request
Forgery, you could get access to a bunch of things. If your home router has a
vulnerability that bypasses authentication and allows you to execute commands
on the router or similar (which is not uncommon, home router security is
awful), you could get a foothold into the network just by sending someone an
email with links that they are likely to click on.

Note to the author: I am not entirely sure how the WebRTC connection gets you
a local IP, it seems to be connecting to stun:stun.services.mozilla.com.
Anyway, that grabs the wrong local address for me, and gets the IP of my
docker0 interface, perhaps it could grab more IPs, or is it just displaying
the first one it finds?

Edit: Oh, the getIP function just calls the callback on the first candidate it
finds.

------
mjs
The speedtest
[http://webkay.robinlinus.com/scripts/speedtest.js](http://webkay.robinlinus.com/scripts/speedtest.js)
downloads a 5mb file from
[http://www.kenrockwell.com/contax/images/g2/examples/3112003...](http://www.kenrockwell.com/contax/images/g2/examples/31120037-5mb.jpg).

You might want to change that to something on a big company CDN to avoid
killing kenrockwell.com's server.

~~~
Capira
Thanks a lot for the feedback! I changed it to
[https://upload.wikimedia.org/wikipedia/commons/2/2d/Snake_Ri...](https://upload.wikimedia.org/wikipedia/commons/2/2d/Snake_River_%285mb%29.jpg)
for now. Can you suggest a better image?

~~~
anc84
[https://www.google.com/search?q="10M.bin"+speedtest](https://www.google.com/search?q="10M.bin"+speedtest)

------
throwanem
Scanning the visitor's /24 without notice, warning, or opportunity to opt out
is a dick move. Our IDS probably just lit up like a Christmas tree.

~~~
dsl
Yup. I have a honeypot on my home network that hits Twilio when it gets poked
at. So the author at least got my phone to light up.

~~~
ndmrs
That sounds awesome, care to share a few more details?

~~~
dsl
I actually locked myself out except for console access, so some of this is
from memory/Googling:

1. Connect Raspberry Pi to local LAN and get wifi setup (I VLAN wireless
traffic, so I have it listening/connected to both)

2. Change iptables default policy to DROP

3. Add relevant ALLOW rules to make sure basic stuff like DHCP still works. I
added an allow rule to talk to another machine that runs a PHP script that
talks to Twilio

4. Spend about a week adding custom DROP rules for any normal broadcast
traffic on your network (Bonjour, random auto-discovery stuff, etc)

5. If you have properly excluded everything "normal" you should be able to
run "iptables -vL" about 24 hours apart and the packet count next to the INPUT
chain policy will not have incremented (remember we have a default of DENY)

6. Add a final rule of 'iptables -A INPUT -m limit --limit 2/min -j LOG
--log-prefix "ZOMG: " --log-level 4'

7. Write a bash script to monitor syslog, parse the log, forward to the
before-mentioned script on another host
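The step 7 piece of the recipe above, as an added example rather than dsl's own script: a parser for the kernel log lines that the LOG rule in step 6 writes (prefix "ZOMG: "), reduced to source / protocol / destination port, summarised per source, and handed to a notifier host. The log lines are constructed samples in the iptables LOG format, and ALERT_URL is a placeholder for the Twilio-calling script's address; when it is unset the summary is only printed, so the script runs offline.

```shell
#!/bin/sh
# Added example, not dsl's script: "step 7" of the honeypot recipe.
# Reads syslog-format lines, keeps those carrying the "ZOMG: " prefix from
# the iptables LOG rule, and reduces them to "src proto dport".
# The four lines below are constructed samples in the format the kernel's
# LOG target writes; three of them come from the honeypot rule, the sshd
# line is ordinary syslog noise that the parser must ignore.
SAMPLE_LOG='Apr  5 10:22:01 honeypot kernel: [12345.678901] ZOMG: IN=eth0 OUT= MAC=b8:27:eb:11:22:33:00:11:22:33:44:55:08:00 SRC=192.168.1.42 DST=192.168.1.200 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54321 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  5 10:22:03 honeypot kernel: [12347.000001] ZOMG: IN=wlan0 OUT= MAC=b8:27:eb:44:55:66:00:11:22:33:44:55:08:00 SRC=192.168.1.42 DST=192.168.1.201 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54322 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  5 10:22:05 honeypot kernel: [12349.000002] ZOMG: IN=eth0 OUT= MAC=b8:27:eb:11:22:33:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.7 DST=192.168.1.200 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=5353 DPT=5353 LEN=20
Apr  5 10:22:07 honeypot sshd[999]: Accepted publickey for pi from 192.168.1.10 port 50000 ssh2'

# parse_zomg: stdin -> one "src proto dport" line per honeypot hit.
# Fields are scanned by name, so their order in the log line does not matter;
# protocols without ports (ICMP) get "-" as the port.
parse_zomg() {
    awk '/ZOMG: / {
        src = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") print src, proto, dpt
    }'
}

# count_by_source: stdin (raw log) -> "count src" lines, busiest source first.
# A source touching many ports on a host that should never be spoken to is
# exactly the /24 scan the thread is about.
count_by_source() {
    parse_zomg | awk '{ n[$1]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# alert_message: stdin (raw log) -> a one-line summary fit for an SMS.
alert_message() {
    parse_zomg | awk '{ total++; n[$1]++ }
        END {
            if (total == 0) { print "no honeypot hits"; exit }
            srcs = 0; max = 0; top = ""
            for (s in n) { srcs++; if (n[s] > max) { max = n[s]; top = s } }
            printf "Honeypot hit: %d packets from %d sources (top: %s, %d)\n",
                   total, srcs, top, max
        }'
}

# forward_alert: hand the summary to the notifier host (the PHP script from
# step 3). ALERT_URL is a placeholder; unset means print only.
forward_alert() {
    msg=$(alert_message)
    if [ -n "${ALERT_URL:-}" ]; then
        curl -fsS --data-urlencode "msg=$msg" "$ALERT_URL" >/dev/null
    fi
    printf '%s\n' "$msg"
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | forward_alert
```

Because the summary is computed at end of input, run this over the log slice written since the last run (for example from cron) rather than on a never-ending `tail -F`.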

~~~
rvdm
Very smart!

Just my 2 cents, but I feel like there might be some commercial demand for
something like this if you'd ever consider packaging it.

------
chrismartin
Someone should make a smartphone app version of this to demonstrate what is
accessible via the app permissions that most people just blindly accept at
install time.

"Here are all the nudie pics on your phone as identified by our nudity
detection algorithm. Here is a list of your probable work and family contacts.
Here is the MMS that you really don't want this app to send on your behalf!"

~~~
stephenr
I'm guessing you're talking about android?

Apps on iOS don't prompt for permissions at install; they prompt when they try
to access something, e.g. photos, contacts, etc.

~~~
mkevac
They do that on Android too now.

~~~
nitrogen
Uselessly so; many apps just crash if you deny them permissions. I'm looking
at you, Hue.

~~~
kfriede
I don't blame them. I'd crash if you denied me permission too. /s

------
strooper
I didn't realize that the browser would spill my local IP address, or might be
able to scan local devices in the same network. Shouldn't browsers have
settings to enable/disable access to device sensors or data?

~~~
anonymfus
That's the power of WebRTC.

------
golergka
While it hardly surprises any of HN audience, it's a GREAT showcase for a less
technical audience.

I see that you removed automatic network scanning due to a comment here; but
since it's an educational project, I think it would be valuable to add a
comment that explains that a malicious website could get that info without
consent.

~~~
Capira
Done!

------
ryuuchin
I see NoScript being recommended but if you're not using Firefox this isn't an
option. Luckily both uBlock[1] and uMatrix[2] are cross platform and will work
on most (any?) Chromium based browsers as well as Firefox. All instances of
uBlock in this post are referring to uBlock Origin[1].

In addition to NoScript, both uBlock[1] and uMatrix[2] can be configured to
block javascript (you can block both 3rd and 1st party javascript with
either). In fact even on Firefox I would recommend trying uMatrix instead of
NoScript because of the interface, but my opinion is probably biased since I've
been using it for some time now. You can keep NoScript enabled in this
situation, just make sure to whitelist TLDs and allow scripts globally (also
remove the built in whitelist while you're at it).

If you want a simpler solution which offers the best bang for your buck then
using uBlock in medium mode[3] is what I would recommend. This will block
3rd-party scripts and iframes (globally). Any page breakage that occurs as a
result can be very easily handled by setting a noop for scripts and/or iframes
for that page's scope. You can also block 1st party scripts if you really want
to but it will likely cause a lot more stuff to break. uBlock can also enable
browser settings that will prevent WebRTC leakage under certain circumstances.

On a side note if you're using even just uBlock then that will likely remove
the need for running additional privacy extensions (save ones that deal with
cookies) like Disconnect which also block network requests (you can use the
Disconnect lists from within uBlock). uMatrix does give you the control over
cookies.

[1] [https://github.com/gorhill/uBlock](https://github.com/gorhill/uBlock)

[2] [https://github.com/gorhill/uMatrix](https://github.com/gorhill/uMatrix)

[3] [https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode](https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode)

~~~
invisiblep
I switched from easy to medium mode after following your advice. How
would you suggest dealing with for instance youtube.com now that no videos
will load?

Btw only hard mode stops any browser details leaking on the test site:
[http://webkay.robinlinus.com/](http://webkay.robinlinus.com/) which is
awesome, but I wonder how much time you have to spend fixing all the sites
that you visit that will be broken in this mode.

Anyone using "hard mode"?

~~~
ryuuchin
The easiest way is to enable 3rd party scripts on youtube. While at youtube
open the uBlock Origin menu and set 3rd party scripts locally to no-op. After
you enable advanced mode the two columns that now appear are for blocking stuff
globally (left side) and locally (right side). Globally blocked stuff (like
when you set up medium mode to block 3rd party scripts and iframes)
automatically gets applied to the smaller scope (local to the site currently
open).

To unblock scripts just turn the 3rd party scripts block to gray which equals
a noop for that. Green is explicitly allow which is what we DON'T want since
we still want filtering from the filter lists to apply. Basically to unbreak
sites you start with setting 3rd party scripts to noop then iframes if that
doesn't fully fix a site. This setup is rather coarse-grained but is the
easiest way to increase security and privacy with the least amount of user
interaction (the most bang for your buck basically).

As you browse with this "medium mode" you'll probably interact less and less
as your dynamic filtering list gets built up. I wouldn't recommend using the
"hard mode" since there's not a lot to gain from it and it will cause a lot
more breakage.

Edit: Also I just noticed this but font blocking is also enabled in the medium
mode screenshots. This isn't part of the described medium mode and the author
of the screenshots likely forgot to turn it off before taking them. However
you're free to try it out if you want but keep in mind it can break the look
and feel of sites. Also it may not actually block the downloading of the font
if you're using Chrome or a Chromium based browser so there's less of a reason
to use it on Chrome.
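The medium-mode setup and the youtube.com unbreaking described in the two comments above, written out as the dynamic filtering rules that uBlock Origin stores under the "My rules" tab of its dashboard (an added illustration, not from the thread or the uBlock project; the `#` lines explain the rules to the reader, uBlock's rules editor takes only the rule lines):

```text
# Medium mode, global scope (the left-hand column): block every third-party
# script and every third-party frame on every site.
* * 3p-script block
* * 3p-frame block

# Unbreaking youtube.com, local scope (the right-hand column): "noop" is the
# gray cell. It lifts the dynamic block for that scope only, so the static
# filter lists still inspect each request.
youtube.com * 3p-script noop
# Only if scripts alone do not fix the site:
youtube.com * 3p-frame noop

# NOT this: "allow" is the green cell and bypasses the filter lists for that
# scope, which is what the comment above warns against.
# youtube.com * 3p-script allow
```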

------
JensRex
Not much of interest showed up for me. Monitor resolution, browser ID, geo
location, OS and public IP.

My main browser, Firefox, has uBlock and Self-Destructing Cookies. Tried it in
both IE11 and Edge (both of which I never use), and I got pretty much the same
result. Firefox and Epiphany on Gentoo Linux also failed to startle me.

I'd like to see a screenshot of a "worst case scenario".

~~~
stephenr
> Not much of interest showed up for me. Monitor resolution, browser ID, geo
> location, OS and public IP.

Are you saying it showed your geo location _without_ having prompted for it,
and that you're OK with that?

~~~
JensRex
I meant whatever DB they use to get location from an IP address.

~~~
stephenr
> I meant whatever DB they use to get location from an IP address.

They aren't using GeoIP lookups. Google runs a service that uses Javascript to
try to provide a more accurate position than GeoIP can.

------
pdkl95
> Geo Coordinates: [lat,lng about 90 miles from the correct location]

I find that error hilarious, because I set up correct in-addr.arpa _and_
ip6.arpa reverse DNS entries for my (static) IP, which returns a domain name
that has an accurate LOC record. My IP is two DNS queries away from my
location (~10m precision), yet most of the time everyone uses these geoip
databases instead of LOC.

~~~
dsl
Because you are literally the only one ever who has done this.

~~~
jsjohnst
You are incorrect. ;)

~~~
f1hybrid
Harsh. He was only off by one.

------
okket
OS X 10.11.4:

Safari 9.1 : Minimal HW/SW detection, No social media leak, No network scan
(after click)

Safari 9.1.1 (Tech Preview) : Minimal HW/SW detection, No social media leak,
No network scan (after click)

Chrome 49.0.2623.110 : Full HW/SW detection, Social media login detected,
Network scanning (after click)

Firefox 45.0.1 : Full HW/SW detection, Social media login detected, Network
scanning (after click)

~~~
yeukhon
Wow. Safari is so strict, but I wonder if that's because Safari is (my
assumption) a less fat browser after all.

~~~
dzhiurgis
And that's why so many sites break with it.

~~~
stephenr
When the parts that break are leaking user hardware and network information,
I'll take the break thanks.

~~~
ATsch
It isn't like there is no legitimate use case for these technologies. It's
just that they are accessible without any supervision.

~~~
stephenr
And I'd rather not have them than accept the glaring security and privacy
issues of having them without user permission.

------
userbinator
This shows just how powerful JavaScript can be --- without it, the site shows
nothing.

...which is not entirely correct, since your user agent, request headers, and
IP are still visible. There's plenty of other sites which will show you those
without requiring any client-side scripting. Here's one just from a quick
Google search:

[http://www.xhaus.com/headers](http://www.xhaus.com/headers)

(Interestingly, you can see GoogleBot's IP and request headers if you view
Google's cached version of the page.)

------
yxlx
I found it interesting that it could read my battery level and discharging
time. As for device orientation, I think I've seen that before but I had
forgotten about it being possible.

~~~
iamandoni
This is a pretty cool browser game that uses device orientation and
websockets:
[https://lightsaber.withgoogle.com](https://lightsaber.withgoogle.com)

~~~
chmike
Why not ask for permission, as is the case for location?

------
alwaysdownvoted
"What _every browser_ ..."

How about text-only browsers?

How about homemade "browsers" that are powered by netcat?

As one informal poll appeared to show, many users questioned on the streets of
an American city did not even know what a "browser" was.

Most times I only want to retrieve files (download) via some daemon running on
some remote computer and then view them on my computer. That includes text,
hypertext, or binary. Pretty much the same as in 1993.

I rarely use a graphical browser to do this. It is not needed.

Instead, today, unlike 1993, I am using a graphical "browser" to _play video_
after I download it (no internet connection). But playing a video file is not
"browsing". Something is not right.

Seems like the www took a wrong turn.

------
freditup
Surprised the website didn't list installed fonts anywhere. Fonts, alongside
other device details, can be a great way to fingerprint a browser/user.

Edit: Actually, I believe you need Flash or a Java applet to actually get a
list of fonts installed. But you can do other, slow, iterative approaches via
JS.

~~~
burkemw3
With panopticlick, I consider lots of things very able to fingerprint users. I
like that this site says it knows things about you without a previous visit. A
site doesn't need to have seen you before and track you all over the web. A
site can infer things from what is sent the very first time.

Of course, this isn't the first site to remind us of that, but the
reminders are still good, and interesting to learn about!

------
Cshelton
The social media thing is cool, I didn't know that trick of using the
favicon.ico img under the login of a site to see if the image will load or
not. That's pretty nifty

~~~
yoo1I
Might still need some work though:

Chromium 49. The only place I am logged into is Reddit

> Twitter: logged in
> Facebook: logged in
> Google Plus: logged in
> Reddit: logged in
> Flickr: logged in

------
m1sta_
The clickjacking is the only one that surprised me. Very unnerving. Need to
read more about it.

~~~
hellofunk
Me too, I don't understand what it is actually; this page doesn't really
explain what it is.

------
msl
For some reason, this worked really badly when I tried it. About the only
things it figured out were that I run Linux on an x86_64 system and use
Firefox. Well, it did get my ISP right, so that pretty much limits my location
to a single country. Even my display resolution was not right. It did find
quite a few devices on my network. All of them non-existent, though.

~~~
Capira
Your browser cannot connect with the other devices, unless they run a
webserver. This scanner can just detect if there are any devices.

------
techthroway443
If you try this with your iPhone it activates your gyroscope and says "Your
Device is probably in your Hands."

It knows too much

~~~
greggman
It gets worse

Reading keystrokes from a nearby keyboard using the gyroscope
[http://www.cc.gatech.edu/fac/traynor/papers/traynor-ccs11.pdf](http://www.cc.gatech.edu/fac/traynor/papers/traynor-ccs11.pdf)

Speech Recognition using the gyroscope
[http://www.wired.co.uk/news/archive/2014-08/15/gyroscope-listening-hack](http://www.wired.co.uk/news/archive/2014-08/15/gyroscope-listening-hack)

Not just a problem with webpages, apps that don't have access to your mic do
have access to your gyroscope

One possible solution is to not allow gyroscope reading above say 20 Hz without
user permission (for both apps and webpages)

~~~
basicplus2
should not be possible to read any phone sensors without permission!

------
dc2
@Capira since you're so readily fixing things based on comments (awesome),
here's another one.

You write _" To prevent your browser from accessing your Device Orientation
use NoScript."_ under the Network Scan section. Looks like copy / pasta.

~~~
Capira
Thanks for the Feedback! Fixed. ;)

~~~
dc2
Nice, thanks!

Amazing project!

------
dineshp2
After checking out the demo, it was scary to realize that websites can access
an unexpectedly large amount of information about me.

So I installed Tor with the Noscript addon and the demo was not able to access
any details at all. Well it did show my ISP and hardware details, but it was
wrong.

This should be the default setup in a browser, Tor+Noscript.

The issues of constant captcha harassment and slow browsing speed using this
setup need to be addressed. Slow browsing can be addressed by adding more
nodes to route traffic. Regarding the captcha issue though, I am not sure
about a good working solution.

~~~
kobayashi
>This should be the default setup in a browser, Tor+Noscript.

That's just unrealistic for most people, especially the TOR recommendation.
Script blockers are troublesome even for tech savvy individuals, though I
highly recommend blocking scripts for anyone who can "handle it". Gorhill's
work (via uBlock Origin) provides a much more realistic way of disabling these
kinds of malicious and/or invasive actions. Not sure if they're currently
blocked, but he's made strides to block crapware and its kin, so this might
not be so far off.

------
wnevets
GPU: Vendor: Google Inc.

~~~
CaptSpify
I got:

GPU: Vendor: Mozilla

------
wicket
I didn't like that it was able to obtain my battery information. I discovered
that this can be prevented in Firefox by setting dom.battery.enabled to
"false" under about:config.

~~~
JoBrad
Is that on a mobile or desktop browser? It didn't have any info about my
battery (iPhone 6)

~~~
wicket
Desktop Firefox. Not all browsers expose battery information[1]. Of course
Firefox for iOS isn't really Firefox.

[1] [https://developer.mozilla.org/en-US/docs/Web/API/Navigator/battery#Browser_compatibility](https://developer.mozilla.org/en-US/docs/Web/API/Navigator/battery#Browser_compatibility)

------
rvdm
Some interesting things could happen if you were to start collecting every
user's visit with a timestamp.

For example, ip address + timestamp + even a rough geo ip location could
reveal travel patterns of users simply visiting your site.

Let's say those travel patterns include visits to nations less friendly to the
US and you just might find out some details about someone ( or at least a
certain IP ) they really wouldn't want you to know.

All you need is a web server and a little bit of javascript.

------
Bahamut
I'm not quite sure what this is meant to prove - all of what was revealed for
me seems tame. Is it meant to scare users to disable JS?

~~~
mirimir
Yes. And WebGL, and WebRTC.

------
tomyws
Interestingly after visiting this page the default language on the Google
Accounts sign-in had been changed to German.

------
tacone
The network scanning thing is both scaring and revealing. I never thought
about that, thanks!

------
techload
While visiting this page it tried to open my router's admin panel. Anyone see
this too?

~~~
chatmasta
There is literally a "network scan" section of the page that informs you it's
scanning devices in your local network.

That's why you see webrtc requests to internal IP addresses. I do not see any
requests to the router admin panel, and in fact it looks like the code
specifically avoids sending a webRTC request to the gateway IP (x.y.z.1)

~~~
techload
[http://imgur.com/YX6ig66](http://imgur.com/YX6ig66)

------
_RPM
I am a hacker. How the hell does it know my local IP? Via WebRTC I presume?

~~~
MacAsm
Yes.

------
dustinlakin
Thanks for the nice demonstration. Looks like the speed test is running off a
very random source image that might not be yours. If it isn't, you might want
to look at hosting your own image for it.

------
AdmiralAsshat
I visited the page once on my Android using my HN app's built-in webkit
browser, where it displayed some interesting stats like the location, the
battery level, ISP, etc.

I opened the same link in Firefox Android with uBlock Origin installed, and
got no hardware stats other than the kernel, no software stats, and no IP.

My takeaway from this is to NEVER use an app that uses Webkit.

I'm not sure if that was the intended purpose, but thanks for the eye-opener
anyway!

~~~
bcook
My takeaway would've been; use some sort of protection, like NoScript, uBlock,
etc. The choice of web-browser engine seems less important when you globally
allow javascript or other similar capabilities.

~~~
AdmiralAsshat
This is true, but on Android this is not possible on Chrome or the default
webkit browser, as Google doesn't allow extensions. So my point still stands.

------
burkemw3
I would be interested in reading about how all of these are detected.

I know how some of them are, but not all. I predict others are in this boat,
and interested in learning!

~~~
ageofwant
Look at the code (you know where to get that right :-)), it's split into scripts
for each of the tests.

------
ancarda
> To prevent your browser from leaking information about your software use
> NoScript.

Surely you can source this information (OS and browser) from the User Agent?

------
sudojudo
Between NoScript and Random Agent Spoofer, nothing is correct except my
resolution and a couple of plug-ins (like Flash and VLC).

Shutting NoScript off doesn't make too much difference, and I don't think RAS
does _that_ much (some sites seem to see through it), so it must be one of the
other addons (uBlock Origin, Disconnect, BetterPrivacy, HTTPS Everywhere).

~~~
chatmasta
Ironically, not using those plugins is a fingerprint in and of itself.

------
butz
And what are the methods to prevent the browser from leaking all this
information? I presume browsing in private mode is not a solution.

~~~
pdkl95
Shut off javascript.

Yes, this will reveal sites that serve broken pages that require javascript to
render usually static content (skipping progressive enhancement is lazy and
unprofessional). Are those sites worth the expense of everyone learning more
fingerprintable data about you and your browser?

The WebRTC scan that others are complaining about is another good reason to
shut off javascript. Are other sites doing similar scans, perhaps in a less
obvious way? It is _insane_ that random pages even have that ability; it's a
huge attack surface that is mostly unknown and unexplored.

> private mode

That's mostly about not leaving data trails on the local device (hence the
"porn mode" nickname).

~~~
adrr
It breaks all the single page apps. Javascript isn't the problem. It's browser
features like canvas, webrtc, etc.

~~~
pdkl95
> (skipping progressive enhancement is lazy and unprofessional)

Single page apps are definitely in the "lazy" category. If you send a page
without content, that page is _broken_. You should be prioritizing the safety
of your readers.

If developing proper pages is difficult with your development tools or
methods, then you should find a different method - ideally something that
handles the _progressive enhancement_ for you.

------
unclebucknasty
Something about visiting the page seems to knock my Android phone off of
Verizon's data network for a short period.

------
merpnderp
Holy crap, I'm glad I have noscript running and only allow the minimal JS I
need to run on pages I somewhat trust.

~~~
redtuesday
Yes, it's the first addon I install on a new browser. Can't recommend it
enough.

------
known
[https://panopticlick.eff.org/](https://panopticlick.eff.org/)

------
chmike
This gave me the idea of creating a NoScript label for web sites that
don't use javascript. It could be an information passed in the page header as
a specification (contract). I have a few web sites without javascript.

Is NoScript supported by iOS safari ?

~~~
ldjb
I assume you're talking about the <noscript> element (as opposed to something
to do with the browser extension with a similar name)?

In which case, it is definitely worth making websites as usable as possible
without JavaScript. <noscript> is supported by pretty much all web browsers,
including iOS Safari.

Even if your website relies heavily on JavaScript, it is still a good idea to
let non-JavaScript users know via a <noscript> element that JavaScript is
required, instead of having the page look like a broken mess (or a blank
screen).

Do also keep in mind that search engines (generally) do not run JavaScript, so
if you want page content to be indexed, it has to be present on the page as it
is rendered without JavaScript. <noscript> may help achieve that.

~~~
userbinator
Seeing all the "This site requires JavaScript, please turn on JavaScript and
refresh the page" messages I get makes me think of putting all your content in
<noscript>s, and then adding a script that writes "For your privacy and
security, this site requires that your browser not run JavaScript. Please
disable JavaScript and refresh the page." followed by links to sites
explaining the bad side of JS-on-by-default and how to turn it off with things
like NoScript.

Maybe it'll take off and people will understand, maybe not. But it's something
worth pondering.

------
ahrs
Safari on iOS doesn't leak anything out of the ordinary for me. The
geolocation was way off, identifying my iPhone as being in London (likely due
to me accessing the page over a mobile data connection).

~~~
Capira
Right, the Google Geolocation API is very inaccurate on mobile data
connection.

------
m_eiman
You should also be able to detect Retina/normal DPI, in addition to the
reported resolution. A bit of "responsive" CSS and checking what was selected
using JS should be enough?

------
pnathan
Heh, the facebook like detection thing failed utterly. Not sure how, or why.
But, I am not even logged into facebook on this computer - and never have
been. :-)

But a very cool hack.

~~~
Capira
Thanks for the feedback! Should be fixed now.

------
graeme
Is there a noscript equivalent for other browsers apart from firefox? Most of
the recommendations were "noscript". And I had a lot of info leaking.

~~~
XzetaU8
The closest and most similar to noscript I can think of is "uMatrix"

------
hyperion2010
Well, back to using noscript again since browsers are creeping closer and
closer to arbitrary code execution platforms.

------
phyalow
Guess I'm adding ScriptSafe to my list of Chrome plugins (Adblock, Ghostery,
HTTPS everywhere, Random Agent Spoofer).

------
JonMuzy
Great project, actually seeing some pretty interesting stuff I didn't know was
available. Thanks for this

------
taf2
Got my location wrong by about 50 miles

~~~
rvdm
If I remember correctly, geoIP traces get your location accurate to your
nearest neighborhood Fios box ( or similar ). In cities there's usually one
for every few blocks.

------
mcintyre1994
I'm impressed that Safari on iOS apparently doesn't leak image metadata when
you upload.

------
Johnny_Brahms
So, the network scan gives me about 40 extra devices in my network. Should I
be worried?

------
pmar3003
I guess I'll stick to Opera 12 since it does so much better than firefox.

------
cerebralcow
Aren't you missing details about the screen resolution and ppi?

------
ppod
I had no idea this laptop had a GPU! Thanks!

------
SixSigma
glad to see that I leaked precisely zero of those.

Thanks NoScript

------
guyvkn
Vvv

------
justinlardinois
> Your Device is propably laying on a Table

I'm one of those heathens that actually puts the desktop tower on top of the
desk. Got me.

~~~
nommm-nommm
Your desktop has a gyroscope?

~~~
justinlardinois
No, and the website reported as such. I guess if you have no
motion/orientation sensors of any kind it just guesses it's on a table.

~~~
Capira
Sorry for the confusion. Don't take this interpretation too seriously. It's just
for fun ;)

------
necessity
Ok, so it doesn't know anything but my OS and screen resolution. Seems good to
me, considering I'm not using NoScript and the like.

