Pirater.dk privacy lab

What can this webpage learn about you?

A local, transparent browser audit. It separates information available without a prompt from information protected by browser permissions or a user-controlled chooser.

Client-side only No analytics No network calls from JavaScript Sensitive tests are opt-in
Your results stay in this tab.

The Content Security Policy blocks JavaScript network connections. Permission prompts are initiated only after you click a clearly labelled test. Do not share an exported report without reviewing it.

Audit overview

Counts update as the browser is inspected and as you run optional tests.

Checking context…
passive data points
permission states checked
current-origin stores found
0optional tests completed

Available without a permission prompt

These values can usually be read when the page loads. Browser privacy features may reduce, round, or omit some values.

Data belonging to this origin

A normal page can inspect storage assigned to its own origin. It cannot use these APIs to enumerate storage belonging to unrelated websites.

Current origin

    

Fingerprinting surfaces

This combines rendering, graphics, audio, language, display, and browser hints into a local demonstration hash. It is not guaranteed to be unique or stable.


    

Permission- and chooser-gated tests

Support varies by browser and operating system. A click may open a browser prompt or system chooser. Access is not attempted automatically.

Precise location Sensitive

May expose latitude, longitude, accuracy, altitude, heading, and speed.


        

Camera and microphone Sensitive

Shows selected track labels, device identifiers, settings, and capabilities, then immediately stops capture.


        

Clipboard Sensitive

Attempts to read current clipboard text after your click. Browsers can still deny the request.


        

Local fonts Fingerprinting

The Local Font Access API can disclose installed font metadata after permission.


        

Files and directories Sensitive

Only files or directories you explicitly select become readable. File previews are capped.


        

Nearby and connected hardware Sensitive

Device choosers may expose names and identifiers for USB, HID, serial, Bluetooth, or MIDI devices.


        

Contacts Sensitive

On supported mobile browsers, a system chooser lets you select which contacts to disclose.


        

Multiple screens Sensitive

May expose connected display labels, dimensions, positions, and whether a screen is internal or primary.


        

Motion and orientation Sensor

On supported devices, a page can receive accelerometer, rotation, compass, and orientation values.


        

Idle state Sensitive

May reveal whether the user and screen are active or idle after permission.


        

Battery Fingerprinting

Some browsers expose charging state, approximate level, and timing estimates without a separate prompt.


        

WebRTC host candidates Network metadata

Collects host ICE candidates without contacting a STUN or TURN server. Modern browsers often replace local IP addresses with mDNS names.


        

Advertising topics Interest data

Where supported and allowed, the Topics API may return coarse interest categories.


        

Important limits for ordinary webpages

Browser extensions, enterprise policies, injected scripts, compromised origins, and installed native applications can have different privileges. This page is intentionally ordinary website JavaScript.

Saved passwords

A webpage cannot enumerate the browser's password manager or extract stored passwords. Autofill is controlled by the browser and user interaction.

Other tabs, history, and bookmarks

A webpage cannot list open tabs, full browsing history, bookmarks, or downloads. It can see limited context such as its own referrer and the current tab's history length.

Arbitrary local files

A webpage cannot crawl the disk. It receives access only to files or directories explicitly selected through a browser or operating-system chooser.

Other-origin storage

Cookies, IndexedDB, Cache Storage, localStorage, and sessionStorage are partitioned or restricted by origin and browser privacy policy.

Public IP and server logs

The web server necessarily receives a network connection and can log the source IP, request headers, timing, and TLS-related metadata. Front-end JavaScript needs a server response or external service to display the public IP; this demo makes no such request.

Complete certainty

No static audit can cover every experimental API, browser extension, policy, or future browser release. Results reflect this browser, this device, this origin, and this moment.

Local session report

The report contains only results currently shown by this page. Exact origin values appear only after the reveal action.