Precise location Sensitive
May expose latitude, longitude, accuracy, altitude, heading, and speed.
Pirater.dk privacy lab
A local, transparent browser audit. It separates information available without a prompt from information protected by browser permissions or a user-controlled chooser.
The Content Security Policy blocks JavaScript network connections. Permission prompts are initiated only after you click a clearly labelled test. Do not share an exported report without reviewing it.
Counts update as the browser is inspected and as you run optional tests.
These values can usually be read when the page loads. Browser privacy features may reduce, round, or omit some values.
A normal page can inspect storage assigned to its own origin. It cannot use these APIs to enumerate storage belonging to unrelated websites.
This combines rendering, graphics, audio, language, display, and browser hints into a local demonstration hash. It is not guaranteed to be unique or stable.
Support varies by browser and operating system. A click may open a browser prompt or system chooser. Access is not attempted automatically.
May expose latitude, longitude, accuracy, altitude, heading, and speed.
Shows selected track labels, device identifiers, settings, and capabilities, then immediately stops capture.
Attempts to read current clipboard text after your click. Browsers can still deny the request.
The Local Font Access API can disclose installed font metadata after permission.
Only files or directories you explicitly select become readable. File previews are capped.
Device choosers may expose names and identifiers for USB, HID, serial, Bluetooth, or MIDI devices.
On supported mobile browsers, a system chooser lets you select which contacts to disclose.
May expose connected display labels, dimensions, positions, and whether a screen is internal or primary.
On supported devices, a page can receive accelerometer, rotation, compass, and orientation values.
May reveal whether the user and screen are active or idle after permission.
Some browsers expose charging state, approximate level, and timing estimates without a separate prompt.
Collects host ICE candidates without contacting a STUN or TURN server. Modern browsers often replace local IP addresses with mDNS names.
Where supported and allowed, the Topics API may return coarse interest categories.
Browser extensions, enterprise policies, injected scripts, compromised origins, and installed native applications can have different privileges. This page is intentionally ordinary website JavaScript.
A webpage cannot enumerate the browser's password manager or extract stored passwords. Autofill is controlled by the browser and user interaction.
A webpage cannot list open tabs, full browsing history, bookmarks, or downloads. It can see limited context such as its own referrer and the current tab's history length.
A webpage cannot crawl the disk. It receives access only to files or directories explicitly selected through a browser or operating-system chooser.
Cookies, IndexedDB, Cache Storage, localStorage, and sessionStorage are partitioned or restricted by origin and browser privacy policy.
The web server necessarily receives a network connection and can log the source IP, request headers, timing, and TLS-related metadata. Front-end JavaScript needs a server response or external service to display the public IP; this demo makes no such request.
No static audit can cover every experimental API, browser extension, policy, or future browser release. Results reflect this browser, this device, this origin, and this moment.
The report contains only results currently shown by this page. Exact origin values appear only after the reveal action.