Hmm, so I've been trying to set up a 'safe' email account using Tor. They all require JavaScript to be enabled, either to sign up for a new account or for an account to actually function. Duh! Doesn't JavaScript reveal your real IP address, thus negating the whole purpose of using safe email? Am I wrong? Am I missing something? Am I dumb? Answers on a postcard please.
Most likely, you are still safe. However, you might look at using a browsing-only VM that routes all traffic through Tor; this way there is no danger that your real IP might leak.
No, JavaScript doesn't do that, by itself anyway. But there have been JavaScript bugs that allowed websites to push malware that did that. As Nebulus notes, it's best to work in a VM that can only reach the Internet through Tor. Even if the VM gets hosed, it can't leak the host machine's public IP address. The easiest way to do that is to use Whonix.
Thanks, Nebulus and Mirimir. I'll look into Whonix and see if I feel confident about setting it up without making a hash of it!