
Question for mikewest:

Can Google do anything to help make browsers appear to be less unique, and thus less trackable?

I'm talking about http://panopticlick.eff.org/

I'd much rather find a technical solution to that than a political non-solution.



Fingerprinting is a problem, and it's difficult to address. There's been some discussion around mechanisms for disabling features to make the browser signature less unique, but it's a very tough problem.

Take a look at https://trac.webkit.org/wiki/Fingerprinting for some discussion around what would be required. It's very, very nontrivial.


OTOH, you need a browser signature if you want to avoid CSRF attacks.


No, to reliably protect your application from cross-site request forgery attacks you usually use auth tokens in the request.

So even if there might be a browser-signature based solution for CSRF protection, there is a very solid alternative, which I think is the best practice anyway.


Enabling click to play for plugins in Chrome is already possible and makes you much less trackable. You will get many fewer bits of identifying information in Panopticlick because your fonts and some other things can't be read out without Flash or Java.


IIRC click-to-play doesn't prevent detection of the plugin; it just prevents it from initializing. And you should also be able to get at fonts by using CSS, SVG, or canvas just to name a few.

As for the larger question, I really don't think there's any way of preventing sites from uniquely fingerprinting a given browser installation. There are just so many places where fingerprints leak through (and the behavior is relied on) that I'd expect it would take a massive overhaul of the web as we know it. Although, I'm a security guy not a privacy guy, so maybe I'm just too pessimistic.


You sure about that?

I already do click-to-play for plugins in Chrome, and it doesn't seem to help much. According to Panopticlick, there are 19.75 bits of data in my Browser Plugin Details, and for the "value" it describes all the plugins I have enabled.

Also with click-to-play enabled, Panopticlick can see my system fonts (20.75+ bits of data, one in 1,769,122 browsers has this value). Apparently Panopticlick is not using one of my plugins to get that data... I haven't whitelisted eff.org or otherwise enabled plugins there.

Looks like Panopticlick is using JavaScript/CSS font detection methods: http://www.lalit.org/lab/javascript-css-font-detect/

Hmm... Panopticlick reports "No Flash or Java fonts detected" when I try it with IE9 on the same system. Is IE9 doing something to block JavaScript/CSS detection of those fonts, or does Panopticlick have a bug with IE9 or what? Looks like that method worked for IE6/7...


Whoops, I have to take back what I wrote above.

Somehow my Chrome had lost its click-to-play setting. I don't remember unsetting that... hrm.

Anyway, with click-to-play enabled you are correct: Panopticlick cannot see my fonts. Sorry about the confusion.

However, with click-to-play definitely enabled, Panopticlick can still see my Browser Plugin Details.
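The "bits of identifying information" figures quoted in this thread are surprisal values: log2(N / number of browsers sharing the value). The Python below is an added example (not Panopticlick's code or anything from the thread) that computes those bits per attribute and for the combined fingerprint over a small constructed sample of visitor records, so you can see how hiding one attribute (fonts, as click-to-play does) lowers the total while plugin details still count.

```python
import math
from collections import Counter

# Constructed sample of visitor fingerprints (not real Panopticlick data).
# Attributes mirror Panopticlick's categories: user agent, plugins, fonts.
SAMPLE = [
    {"ua": "Chrome/17",  "plugins": "Flash,Java,PDF", "fonts": "Arial,Calibri,Verdana"},
    {"ua": "Chrome/17",  "plugins": "Flash,PDF",      "fonts": "Arial,Calibri,Verdana"},
    {"ua": "Chrome/17",  "plugins": "Flash,Java,PDF", "fonts": "Arial,Consolas,Verdana"},
    {"ua": "Firefox/10", "plugins": "Flash,PDF",      "fonts": "Arial,Calibri,Verdana"},
    {"ua": "IE9",        "plugins": "Flash",          "fonts": "no fonts detected"},
    {"ua": "IE9",        "plugins": "Flash",          "fonts": "no fonts detected"},
    {"ua": "Chrome/17",  "plugins": "Flash,Java,PDF", "fonts": "Arial,Calibri,Verdana"},
    {"ua": "Firefox/10", "plugins": "Flash,Java,PDF", "fonts": "Arial,Calibri,Verdana"},
]


def surprisal_bits(value, values):
    """Bits of identifying information in `value` among `values`:
    log2(N / count). 20.75 bits means roughly one in 2**20.75
    (about 1.76 million) browsers shares that value."""
    return math.log2(len(values) / Counter(values)[value])


def attribute_bits(records, attr, value):
    """Bits contributed by a single attribute value (e.g. plugin list)."""
    return surprisal_bits(value, [r[attr] for r in records])


def fingerprint_bits(records, attrs, record):
    """Bits of the combined fingerprint built from the chosen attributes.
    Passing fewer attributes models an attribute the site can no longer read."""
    key = tuple(record[a] for a in attrs)
    keys = [tuple(r[a] for a in attrs) for r in records]
    return surprisal_bits(key, keys)


def one_in(bits):
    """Convert a bit count back to 'one in N browsers has this value'."""
    return round(2 ** bits)


if __name__ == "__main__":
    me = SAMPLE[0]
    full = fingerprint_bits(SAMPLE, ("ua", "plugins", "fonts"), me)
    no_fonts = fingerprint_bits(SAMPLE, ("ua", "plugins"), me)
    print(f"plugins alone: {attribute_bits(SAMPLE, 'plugins', me['plugins']):.2f} bits")
    print(f"full fingerprint: {full:.2f} bits (one in {one_in(full)})")
    print(f"fonts hidden:     {no_fonts:.2f} bits (one in {one_in(no_fonts)})")
```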



