05/20/2020 (Wed) 12:58:02
Unfortunately, on the Web you cannot really trust even a "trusted" site with 3rd party requests blocked in your browser, because the injected JS can still do shit on the site without you knowing about it. Do note also that I said "requests" - you have to block all 3rd party requests with something like RequestPolicy or uMatrix for ffx, or else even legal JS can access some fingerprinting resources which in turn could be hijacked as well.
Also, JS enables sites to do much more elaborate fingerprinting of your browser. However, I do admit that there are way too few people disabling JS these days, so running sites without JS is a distinguishable fingerprint by itself.
tags: fingerprinting, DNS rebinding, XSS, HTML injection