If you use Firefox or Iceweasel, you can disable most of those apis in about:config or user.js. For example, media.peerconnection.enabled = false, to disable WebRTC. dom.battery.enabled = false for battery, etc.

Yeah, but one may want to enable those on per-site basis. So you get both the fancy stuff (with a sites you trust) and no tracking material for the rest.

Or you could use the privacy settings addon, which adds a toolbar button to enable/disable most of those settings.

While that works, it's reset whenever you clear your history and data completely. Isn't there a way to whitelist this in user.js permanently?

This would make absolute sense. Certain requests (like location) already trigger popups that ask you for permission. If it turns out other APIs can be equally revealing as far as privacy goes, it would make sense to present the same popup.

I mean, using a web app for the first time would be no different then installing a mobile app - I wouldn't be surprised if I had to give it a few permissions.

I was thinking the same thing. We need a permission system for websites. Preferably useable on a per-domain basis so I can disable those APIs on adnetworks' domains.

The (currently embryonic) Permissions API [1] looks like it's aimed at precisely this use case.

[1] https://developer.mozilla.org/en-US/docs/Web/API/Permissions...

Thats what made Opera up to 12.xx great. “Edit site preferences…” menu let you tweak EVERY SINGLE option per domain.

If you disable a unique combination of APIs that combination becomes your fingerprint.

True, but the number of APIs is relatively small while having them enabled can allow for a much richer set of values, far more useful for fingerprinting.

Not if a large number of people all disable the same APIs

By disabling specific APIs, you would make your browser even more identifiable.

It would only work if many users have disabled exactly the same APIs as you and all other non-disabled APIs don't provide any information useful for fingerprinting.

So, disable the same APIs as the TOR browser does.

Just like disabling is is identifying. It's less about identity and more about control.

If I could just feed it random data instead of fully disabling, that would also be fine.

It's kind of surprising that there isn't an extension to provide this functionality (at least in desktop browsers). All you'd have to do is monkey patch the methods that get called and throw up a confirm("are you sure you want to allow [X]")

Well, I just created a small POC:

http://plnkr.co/edit/hKvPpEZQGCSkCNKly5Z3?p=preview

It would need to remember your choice so you don't get prompted everytime, but that's a small/easy change to make.

I don't know of any. I would think it would be fairly easy to create a userscript or extension to stub built-in APIs (maybe using something like testdouble.js or sinon.js to override the default global objects that you are trying to "disable"). I'm not sure what issues you'd run into on various pages if you did that though (so it'd probably need a lot of iteration- and fixing bug reports).

It might be a fun project to start though. I've been really enjoying testdouble's API (and have started using that for my unit tests).