Tor Browser: Could a website or ISP detect modification to DOM done by users if JavaScript is disabled?

I have Tor Browser (which is basically Firefox ESR) on "Safest" setting (JavaScript disabled). We’re generally scolded about using extensions in it, as they can alter web traffic patterns to or from your browser, adding another fingerprinting vector by distinguishing you from other Tor Browser users.

If JS is turned off even in vanilla Firefox, and I apply modifications to the DOM (like CSS mods, zooming in etc.) after the website has finished loading, I can’t see how a website or ISP could detect what the user is doing in the DOM.

I know if you, for example, hide an element in CSS before it is fully loaded (such as the sidebar), the browser may skip downloading resources (such as icons) associated with the element. This would distinguish your web traffic patterns from other users. That’s why I wait till the page is fully loaded. I’m also careful to not trigger CSS media queries which can be set up to connect to a remote URL if triggered (or remove them first if they will be triggered).

I think the above should be enough to avoid distinguishing myself by my web traffic. Do you see any way I could be distinguished with only CSS & HTML?

Why does Chrome not allow the modification of these headers by extensions?

The Chrome WebRequests API mentions that specific request headers are not available to the onBeforeSendHeaders event, meaning that extensions cannot read and/or modify these headers. Here is an excerpt from the documentation:

The following headers are currently not provided to the onBeforeSendHeaders event. This list is not guaranteed to be complete nor stable.

  • Authorization
  • Cache-Control
  • Connection
  • Content-Length
  • Host
  • If-Modified-Since
  • If-None-Match
  • If-Range
  • Partial-Data
  • Pragma
  • Proxy-Authorization
  • Proxy-Connection
  • Transfer-Encoding

Is there a security reason to disable extensions from reading or writing these? How could an extension act malicious if it could read/write these values?

Clarification: I am aware why read access to some of these is a bad idea, most prominently any header featuring authentication data. However, other headers such as Host, Connection or Content-Length are a complete enigma to me.

Furthermore, it’s unclear to me why some of these headers are completely inaccessible to extensions, instead of allowing setting a value or appending a value, even if read access is not granted.

Are there security reasons for prohibiting universal MAC address modification?


In a standard 48-bit MAC address, the 7th (most significant) bit specifies whether it is a universally-administered address (UAA) or a locally-administered address (LAA).

If it is 0, then the MAC address is a UAA and the first 24-bits are the organizationally-unique identifier (OUI) of the manufacturer of the network interface card (NIC).

If it is 1, then the MAC address is just an LAA.


Many drivers and NICs often allow users to modify the MAC address of their device.

But, it seems Windows does not allow modifying MAC addresses to universal ones (i.e., UAAs):

What is the reason for this restriction? Are there security implications if this was not the case? Or, perhaps, is this merely just to prevent someone from spoofing a device as some legitimate company’s network communications product? (to their ISP)
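An added example, not part of the original question: a small Python classifier for the U/L bit described above, applied to DHCP-style log lines to list devices using locally administered addresses. The log lines are constructed sample data, and the function names (`parse_mac`, `classify`, `flag_local_addresses`) are hypothetical.

```python
import re

# Constructed sample DHCP-style log lines (not real data).
SAMPLE_LOG = """\
lease 10.0.0.21 hw 00:1A:2B:3C:4D:5E host printer
lease 10.0.0.37 hw 02-1a-2b-3c-4d-5e host laptop
lease 10.0.0.52 hw da1a.2b3c.4d5e host phone
lease 10.0.0.60 hw 01:00:5e:00:00:fb host mdns
"""

# Colon/hyphen-separated octets, or Cisco-style dotted groups.
MAC_RE = re.compile(
    r"\b(?:[0-9A-Fa-f]{2}([:-]))(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}\b"
    r"|\b[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\b"
)

def parse_mac(text):
    """Return the 6 raw bytes of a MAC written with ':', '-' or '.' separators."""
    digits = re.sub(r"[:\-.]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def classify(text):
    """Decode the two flag bits carried in the first octet."""
    mac = parse_mac(text)
    local = bool(mac[0] & 0x02)  # U/L bit: 7th bit counting from the MSB
    group = bool(mac[0] & 0x01)  # I/G bit: set for multicast/broadcast
    return {
        "mac": mac.hex(":"),
        "admin": "LAA" if local else "UAA",
        "cast": "multicast" if group else "unicast",
        # The first 24 bits name a manufacturer only for a unicast UAA.
        "oui": None if (local or group) else mac[:3].hex(":"),
    }

def flag_local_addresses(log):
    """List unicast LAAs seen in a log (overridden or randomized MACs)."""
    flagged = []
    for match in MAC_RE.finditer(log):
        info = classify(match.group(0))
        if info["admin"] == "LAA" and info["cast"] == "unicast":
            flagged.append(info["mac"])
    return flagged

if __name__ == "__main__":
    for mac in flag_local_addresses(SAMPLE_LOG):
        print("locally administered:", mac)
```
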

Are there official guidelines on 5e feat creation or modification?

The DMG has a wealth of information on creating or customising monsters, spells, magic items, races, classes, and backgrounds. It seems to have no information whatsoever about feats.

I’ve done some digging, but can’t seem to find any real information about how to properly go about making homebrew feats for 5e.

I’ve read Mike Mearls’ advice in the UA release of feats, and while it’s useful information, it’s all pretty broad advice, with none of the depth or mechanical insights of the DMG content.

Is there a source where I can find information like this?

make modification of add_to_cart button specific to single page

I am using WooCommerce for the ecommerce part of my WordPress site.

When using the add_to_cart button I want it to say “read more” on a specific webpage only. So far I have found the code to change the button text:

    // Replace the single-product add-to-cart button label.
    add_filter('woocommerce_product_single_add_to_cart_text', 'woo_custom_cart_button_text');

    function woo_custom_cart_button_text() {
        return __('Read More', 'woocommerce');
    }

The question is, how do I make this apply to the appearance of the add_to_cart button on a single page of my website? The page is not a shop page. It is a normal webpage where I have descriptions of products and the associated treatment. The button is there to take them to the product page.

Thank you

Theoretical question about Zobrist hashing and chances of collision with slight modification

I’m using zobrist hashing, but for certain positions I want to put them in the cache but make them unique. This is what I’m doing:

    quint64 hash = position.zobristHash();
    if (makeItUnique)
        hash ^= reinterpret_cast<quint64>(this);

Is there any reason to suppose that what I’m doing will increase the likelihood of hash collisions?

Can the Dual-Balanced weapon modification be applied to double weapons?

The Dual-Balanced weapon mod description says,

Price +2,000 gp; Weight —

Dual-balanced weapons are balanced to be wielded in tandem.

Only melee weapons can be dual-balanced. When wielding two weapons with the dual-balanced modification, reduce any two-weapon fighting penalties by 1 for both weapons. The weapons do not need to be the same type, but both must have the dual-balanced modification.

Can I apply this mod to double weapons, such as a staff? I suspect there may be a problem with it RAW—if so, would it cause problems to allow it?

Can I wield a Saw-tooth Sabre with my tail as a Ratfolk using the Versatile Design weapon modification while being a Red Mantis Assassin?

I started playing a Rogue Ratfolk and have brought myself to the RMA prestige class. I used to wield a ratfolk Tailblade to maximise sneak potential, but it didn’t work out because the attacks kept missing so I abandoned this idea. However after a year of playing I suddenly discovered weapon modifications from Advanced Armory.

The Versatile Design feature says that weapons with such a mod can be treated as a different weapon fighting group with the limitation of converting melee weapons to range (which does not matter in this case). Although, it can be changed to the Natural weapon group, which contains ‘tail’ I suppose.

I can apply Weapon Adept and Exotic Weapon proficiency granted by the feats I already have. Moreover, I would also apply Weapon Focus, Greater Weapon Focus, Weapon Specialization and Greater Weapon Specialization granted by the Red Mantis Assassin class.

I have Amulet of the mighty fists with Agile enchantment as well, so applying Dex to attack rolls with natural weapons is not a problem.

So now I’d really like to return to the idea of three-weapon fighting but I’m having a sort of confrontation about whether I can make this combination with my GM.

Would having Versatile Design on a Sawtooth Sabre allow me to wield it on my tail, therefore having my tail weapon benefit from all the feats granted by the Red Mantis Assassin?

Is this modification of the Vicious Mockery cantrip overpowered?

New DM here. One of my players wants to be able to cast vicious mockery without doing damage (because his character became a pacifist after death and resurrection). I’m considering allowing him to cast it with a bonus-action casting time in exchange for the damage.

The only changes to the spell would be to its casting time (1 bonus action, instead of 1 action), and to its effect (it no longer does damage but still imposes disadvantage):

Choose a target you can see. If it can hear you, it must succeed on a Wisdom saving throw or have disadvantage on the next attack roll it makes before the end of its next turn.

Would this be overpowered?