There's a lot of FUD in this thread. First of all, JavaScript runs inside the browser and can't bypass proxy settings, so it can't "reveal your IP" in the same way as a plugin (Java, Flash). There are ways that JavaScript can deanonymize you, especially when Torbutton states are toggled, but you shouldn't be toggling Torbutton off in the browser bundle these days, and Torbutton blocks this malicious activity anyway. Here's what the Tor Project has to say about it: https://www.torproject.org/torbutton/torbutton-faq.html.en Also, the web sockets bug was fixed a long time ago. https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs https://trac.torproject.org/projects/tor/ticket/5741 The main threat to deanonymization is plugins, especially Flash and Java. Don't use them.