Fingerprinting requires sending information back to the mothership. If we got javascript that was sandboxed from making web requests, then it could have access to whatever private data it wanted without entailing a privacy risk.

The web has so many vectors for exfiltrating data that it seems hard to come up with a js sandbox that is both useful and cannot leak data. Any DOM write access whatsoever allows you to do things like update link targets to include the private data or manipulate the DOM in ways that can be read by unsandboxed script. Even wothout considering timing attacks I'm unconvinced that there's a way forward that involves trying to separate js with permission to read system state from the network.

If these things were declared in just css and not JS accessible, things would be better, as they were before.

JS has got too much access to too much information.

All styling declared and don't let JS interrogate style info from the DOM

It's unlikely that anyone would try to prevent leaking something like browser window sizing, as there are so many ways to infer it. You can likely figure out window size even with static content by embedding some image pixels and examining the timing of get requests for them.

> for things like figuring out the canvas size for responsive designs?

Since sites that use responsive designs are a constant pain in my side, if they stopped working then I'd personally be a little happier with the web.

If you read the Google thing, there’s a proposal for doing exactly that with a privacy budget. The browser would allow access to information until it becomes too specific to a user and then cut it off.

It’s not a perfect solution, but a less granular (avoiding the pun) return value could make the API less useful for fingerprinting but still useful for responsive design layout.

There’s no reason to use JavaScript for responsive designs. Devs that do it are lazy and sites that do it I’m happy to click away from.

That's great for the 1% of people who know how to use that, but what about for the general public. When I make a website I'd like the responsive parts to keep working.

Reader mode by default.

I really hope this never happens.

Why? Because I have reader mode turned on by default and haven’t looked back since over a year ago, and I can’t imagine the web without it any more. It’s the only thing that makes the web tolerable, no matter how many ad blockers I install.

If everyone else used it too, websites would become wise and start blocking it somehow.

Oh, wait, I mean, reader mode is terrible and nobody should use it!

What browser, and how?

Safari on Mac (and iOS), In the Safari settings under Websites, Reader, you can set "Other Websites" to "On", and it's on by default except websites you turn off (which you can do from the reader button on the left part of the address bar.)

You really only need some small JS fragments. Whitelist the hashes (heck bundle them with the browser), run nothing else. The JS does not need to know the canvis size, the browser (the user) can decide. Executing arb programs is poor design.