this post was submitted on 13 Mar 2026
544 points (99.5% liked)
Linux
12778 readers
917 users here now
A community for everything relating to the GNU/Linux operating system (except the memes!)
Also, check out:
Original icon base courtesy of lewing@isc.tamu.edu and The GIMP
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Hi, I am here to tell you that it is not particularly trivial to make the kind of changes required to make the websites keep working while also preventing stuff similar to JS fingerprinting.
Some extensions do a decent job in certain cases, but the only ones that completely fix the problem are the ones that simply turn off JS. I checked out what Librewolf's changes do, using amiunique.org and in some tests it even ends up increasing the uniqueness.
You will essentially require identifying different parts of the JS engine that expose said vulnerabilities and then creating mitigations for each of them, with either the "blend in" or "randomise" strategy and will also require to make sure they are not detected over any domain (due to partial overlap of either change).
This kind of change for a single person will require properly understanding the JS engine codebase and then making and maintaining all required patches over the course of the fork as the main project goes forward. This is pretty much a full time job.
Even if multiple people are working on it, one would still require a good understanding of the codebase.
I suggest recruiting one of the retired/laid-off Firefox engineers, if you have the funds.
...why are we talking about JS and fingerprinting?
The application of age indication is just going to be another metric that these companies use for fingerprinting and person identification, one that some analyst on their inside possibly considered a useful data point.
And while this particular API might be an easy one to target, for removal as a patch, it might end up being part of a JS framework that many websites use and will break in case the return value is not available.
So if people require sites to work, this will become just another feature, requiring similar mitigations to other JS features I mentioned, that will need to be handled in a way that it increases the anonymity of the user, lest the user be subjected to harassment.
By "harassment", I mean the actual inescapable kind, not just random internet trolls.
As I said, there's nothing to suggest they would receive such an indicator, as far as I'm aware. The indicator is only required between the app store and the OS.
Facebook has "apps", no?
Last I checked, it had stuff like FarmVille, FrontierVille, etc.
We weren't talking about apps, we were talking about Facebook like buttons on websites.
Causation:
That's not an app store.
Does the Court ask you?
Does the legislature?
Does Meta come to ask what you call an "App Store"?
The legislation clearly states what is and is not an app store. I'd recommend you mull it over.
100% sure they all come in the category of an "App Store" when convenient for the lobbyist.