Browser-laptop: fingerprinting protection should be done in C++ instead of js content script

Created on 20 Nov 2017 · 12 Comments · Source: brave/browser-laptop

follow-up to https://github.com/brave/browser-laptop/pull/11784

as @snyderp showed above, blocking DOM methods in a JS content script is a flawed approach because there are sneaky ways to get references to the methods. it would be better to disable the DOM methods in chromium/muon.

the basic functionality in app/extensions/brave/content/scripts/blockCanvasFingerprinting.js should be migrated into Muon. basically if fingerprinting protection is enabled, then:

  1. detect when a blacklisted DOM method/object is invoked
  2. send a message to the browser reporting what was blocked (and preferably the origin of the script that invoked it)
  3. replace the blacklisted DOM method/object with a proxy that yields itself or simply block it

cc @bridiver

feature/shields fixed-with-brave-core misc/fingerprinting priority/P3 security
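The three steps listed in the issue, sketched in JavaScript as an added example (not code from the issue or from Brave's `blockCanvasFingerprinting.js`). `selfProxy`, `guardMethods`, the `report` callback, the `FakeCanvas` stand-in and the sample origin are hypothetical names made up for this illustration. Because this sketch runs in script context, it has the same weakness the issue describes; it only shows the logic that would move into the engine.

```javascript
// Added illustration; selfProxy, guardMethods and report are hypothetical names.
// A callable proxy that yields itself for every property read, call or `new`,
// so code that chains on a blocked result does not throw.
function selfProxy() {
  'use strict';
  const proxy = new Proxy(function () {}, {
    get(_target, prop) {
      // Let string/number coercion succeed with an empty value.
      if (prop === Symbol.toPrimitive) return () => '';
      // Not thenable, so `await` on the proxy settles immediately.
      if (prop === 'then') return undefined;
      return proxy;
    },
    apply: () => proxy,
    construct: () => proxy,
  });
  return proxy;
}

// Steps 1-3: detect the invocation, report it (report() stands in for the
// message sent to the browser), and answer with the self-yielding proxy.
function guardMethods(proto, methodNames, origin, report) {
  for (const name of methodNames) {
    if (typeof proto[name] !== 'function') continue;
    Object.defineProperty(proto, name, {
      configurable: false,
      writable: false,
      value() {
        report({ method: name, origin });
        return selfProxy();
      },
    });
  }
}

// Constructed stand-in for a canvas prototype (no real DOM is used here).
class FakeCanvas {
  toDataURL() { return 'data:image/png;base64,REAL'; }
  getContext() { return {}; }
}

function demo() {
  const reports = [];
  guardMethods(FakeCanvas.prototype, ['toDataURL'], 'https://tracker.example', (r) => reports.push(r));
  const out = new FakeCanvas().toDataURL();
  return { reports, coerced: String(out), chained: out.foo.bar() === out };
}
```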

All 12 comments

That's how it is done on the Android browser in C++. I think we can use most of it: https://github.com/brave/browser-android-tabs/commit/c6fdea38de6f818346109e82c23308acb93cee01

It's also how the Tor folks do their Canvas fingerprint blocking (which, last I checked, is "prompt user with permission dialog whenever toDataUrl is called").

I have more experience with the Tor/Mozilla codebase at the moment, but I think it should not be too difficult to get something similar pushed into chromium/muon. I don't know where this is on the timeline for you all, but happy to help if outside help would be welcome.

If there are gaps in WebExtensions APIs, situations where extensions are unable to guarantee before-anything-else execution (such as parent frames being able to access child frames before child frame content scripts had a chance to do their thing), I think these are browser bugs to be fixed. If this is what it is, we should file crbug and/or Bugzilla@Mozilla issues.

I agree completely. I'll open issues with both teams in the next 24 hours and post links here to follow up.

assigning to @jumde for now

Moving to 0.21.x

@diracdeltas is this release blocking?

non-blocking, it can be moved to one release later

Confirmed fixed with brave-core 😄
