User.js: Why anti ETag fingerprinting browser extensions won't work if I block images using other addons, like uBlock or uMatrix?

Created on 28 Jul 2020 · 20 comments · Source: arkenfox/user.js

I'm trying to use one of these Firefox extensions suggested by the ghacks wiki:

The problem is: these addons won't work at all if I block images in uMatrix. Hence, I'd like to know why that is.

expected result

  • install ETag Stoppa;
  • disable images globally for all parties (uMatrix);
  • visit Cookieless cookies;
  • store message;
  • clear cache;
  • re-visit Cookieless cookies;
  • don't see any previously stored message.

what's actually happening

  • install ETag Stoppa;
  • enable images globally for all parties (uMatrix);
  • visit Cookieless cookies;
  • store message;
  • clear cache;
  • re-visit Cookieless cookies;
  • see the previously stored message.

disclaimer

  1. I'm clearing the browser cache by reopening it;
  2. I have asked for help on superuser before.

All 20 comments

Do these addons work by preventing first-party image ETags or third-party as well?

Are third-party ETags even something?

Is it a CSP problem?

That test site is wonky and kinda flawed (not going to get into it): the addon works, the script should: use

click here and read the bit that says ETag

  1. etags are stored in the cache. If you clear the cache during testing you'll never be able to test if an etag-related extension works or not.
  2. that test site kinda cheats in a way, in that if you don't send an etag it creates one based on your IP and User-Agent. It then stores the number of visits and any message you enter in a file named after "your" etag on the server (for 24h I believe). So as long as your IP and User-Agent don't change, and you don't send an etag, it'll just re-create a new etag every time (based on your IP and User-Agent!), see that a file for that etag already exists on the server and is thus able to show you your last message. The same happens if you block the image with uMatrix because the site will never be able to set an ETag.

So, to test with that site you either have to change your IP or User-Agent (and not block the image!):

  1. clear the cache and disable any etag related extension
  2. use an extension to change the UA for that site to something bogus to make sure it won't fall back to an existing file on the server from a previous visit (or from someone else if you use a shared IP like e.g. a VPN)
  3. visit the site and store a message
  4. change the UA to another bogus string
  5. reload the page and it should be able to detect your previous message because you're now sending an identifying etag.
  6. enable the etag extension and reload the page again. If the extension works the page should no longer be able to identify you.
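The mechanics described in the comment above (the ETag sits in the cache and is replayed as If-None-Match; the test site falls back to IP + User-Agent when no ETag arrives; clearing the cache or blocking the image therefore proves nothing about the extension), as an added toy simulation that is not part of this thread or of the arkenfox project. ToyServer, ToyBrowser and the way the ETag extension is modelled (it drops the header in both directions) are assumptions made for the example.

```python
"""Toy model of ETag revisit tracking (added example; not from the thread or
the arkenfox project). Server, browser and header handling are constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class ToyServer:
    """Stand-in for the test site: tags the tracking image with an ETag and
    keeps a visit counter and a message per tag. As described in the thread,
    it falls back to hashing IP + User-Agent when no If-None-Match arrives."""
    store: Dict[str, dict] = field(default_factory=dict)

    def handle(self, request_headers: Dict[str, str], client_ip: str,
               message: Optional[str] = None) -> Dict[str, object]:
        tag = request_headers.get("If-None-Match")
        if tag is None:
            ident = f"{client_ip}|{request_headers.get('User-Agent', '')}".encode()
            tag = '"' + hashlib.sha256(ident).hexdigest()[:16] + '"'
        entry = self.store.setdefault(tag, {"visits": 0, "message": None})
        previous_visits = entry["visits"]
        entry["visits"] += 1
        if message is not None:
            entry["message"] = message
        return {"ETag": tag, "visits": previous_visits, "message": entry["message"]}


@dataclass
class ToyBrowser:
    """Minimal client with an image cache. `strip_etags` models an ETag
    extension that drops ETag / If-None-Match on both sides (assumption);
    `block_images` models blocking the tracking image in uMatrix."""
    ip: str
    user_agent: str
    strip_etags: bool = False
    block_images: bool = False
    cache: Dict[str, str] = field(default_factory=dict)
    last_request_headers: Dict[str, str] = field(default_factory=dict)

    def visit(self, server: ToyServer, message: Optional[str] = None):
        if self.block_images:
            return None  # the request never leaves the browser: nothing to test
        headers = {"User-Agent": self.user_agent}
        if not self.strip_etags and "/image" in self.cache:
            headers["If-None-Match"] = self.cache["/image"]
        self.last_request_headers = dict(headers)  # what "inspect the headers" shows
        response = server.handle(headers, self.ip, message)
        if not self.strip_etags:
            self.cache["/image"] = response["ETag"]  # replayed on the next request
        return response

    def clear_cache(self) -> None:
        self.cache.clear()


def run_thread_procedure() -> Dict[str, object]:
    """Steps 1-6 of the comment: bogus UA, store message, change UA, reload,
    then enable the ETag extension and reload again (constructed IP/UA)."""
    server = ToyServer()
    b = ToyBrowser(ip="198.51.100.7", user_agent="bogus-UA-1")
    b.visit(server, message="hello")          # message stored; ETag now cached
    b.user_agent = "bogus-UA-2"               # IP + UA fallback can no longer link us
    before = b.visit(server)["message"]       # still "hello": If-None-Match identifies us
    b.strip_etags = True                      # enable the ETag extension
    after = b.visit(server)["message"]        # None: no ETag sent, new UA, fresh fallback tag
    return {"before": before, "after": after, "headers_after": b.last_request_headers}


def clearing_cache_is_not_a_test() -> Optional[str]:
    """Point 1 of the comment: after clearing the cache no ETag is sent, so the
    IP + UA fallback identifies the visitor anyway. Returns the recalled message."""
    server = ToyServer()
    b = ToyBrowser(ip="198.51.100.7", user_agent="UA-1")
    b.visit(server, message="hello")
    b.clear_cache()
    return b.visit(server)["message"]         # "hello", with no ETag involved


def false_negative_block_images():
    """Blocking the image means the site never gets to set an ETag at all."""
    server = ToyServer()
    b = ToyBrowser(ip="198.51.100.7", user_agent="UA-1", block_images=True)
    return b.visit(server, message="hello")   # None: looks like protection, tests nothing


if __name__ == "__main__":
    print(run_thread_procedure())
    print(clearing_cache_is_not_a_test())
    print(false_negative_block_images())
```

The only signal that actually proves the extension works is the last step: the request goes out without If-None-Match and the server has no other way to link it, which is also what inspecting the request headers in the browser's network tab shows on the real sites.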

@earthlng

So, to test with that site you either have to change your IP or User-Agent (and not block the image!)

The reason I blocked images globally is because I feared image tracking, so I'd activate images only when necessary.

Maybe this increases entropy and I'm acting stupid. Right?

Furthermore, I've tried Mr. Pants' suggested website as well. It won't track me, only under these circumstances:

  1. ETag Stoppa enabled;
  2. ETag Stoppa disabled + uBlock & uMatrix enabled.

If I go and try the 2nd case: the website would show I am not being tracked (sometimes it shows that I am, somehow).

  • In the case of ETag Stoppa:

    • I know it's because the addon is doing what is supposed to do;

  • In the case of uBlock and uMatrix:

    • I have no idea what they are doing to cause negative results;

    • I think they might be causing _false negative_ results.

You see: my fear is not that Stoppa is not doing its job...

It's if other extensions are disrupting it or producing _false negative_ results.

If the _false negatives_ are not real: wouldn't it be better to just not install Stoppa and just have uMatrix + uBlock?

Maybe this increases entropy and I'm acting stupid. Right?

IDK. It's definitely detectable but I doubt anyone's looking at that in their logs, but I could be wrong.
Personally I allow 1st party CSS and images by default and then allow more where necessary:

* * * block
* * css block
* * image block
* 1st-party css allow
* 1st-party image allow

Pants' suggested website doesn't work for me either. Not sure why. It looks like the etag is on the SVG but for some reason my FF doesn't re-request that image when I click the refresh button on that page. It always says 0 visits and displays a new etag.
IDK if that's an SVG-specific issue or WTH is going on.
AFAIK uBO has some kind of cache-busting included to make sure things are always blocked correctly. IDK if that has something to do with it.

I don't use an ETag specific extension because FPI and Temporary Containers combined are IMO enough to stop any meaningful cache-related tracking attempts. The Temporary Containers self-destruct after closing the last tab of a particular domain and additionally I clear the cache on shutdown just for good measure.

It's definitely detectable but I doubt anyone's looking at that in their logs, but I could be wrong.

That's if you block JS! With JS enabled it's easily detectable and could be used to FP or track you. But since barely anyone blocks images by default, I don't think anyone's using an onerror listener on images or similar for tracking purposes.

Pants' suggested website doesn't work for me either

Both sites worked for me, and for @claustromaniac (at least they did about a year ago when I showed him the second site that wasn't as "wonky" - that lucb1e one causes people confusion: even we had a time working it out)

re-opening to sort it out. will test when I get round to it

works for me: https://privacycheck.sec.lrz.de/passive/fp_etag/fp_etag.php

  • visit one: I was unique, 0 visits, assigned an ID
  • close tab, new tab, visit two: same story
  • click refresh the page (so visit three): same story

I'm always unique

that doesn't necessarily mean the site is working. I was trying my best to be non-unique but couldn't.
I have cache enabled, disabled uBO + uM, no etag specific extension; still wasn't able to make it count my visits. Can you?

works for me: https://privacycheck.sec.lrz.de/passive/fp_etag/fp_etag.php

Either Firefox made some changes or this site doesn't work even on a vanilla profile.
But it does work on Edge Chromium.

that doesn't necessarily mean the site is working. I was trying my best to be non-unique but couldn't.
I have cache enabled, disabled uBO + uM, no etag specific extension; still wasn't able to make it count my visits. Can you?

True. I forgot about doing a control test. In a (practically) vanilla profile

  • cleared all data (ctrl-shift-del)
  • visit one: I was unique, 0 visits, assigned an ID
  • close tab, new tab, visit two: i visit, same ID
  • click refresh the page (so visit three?): <-- NEW ID .. I think this is actually a "reset" function

cleared everything

  • visit one: unique, 0 visits
  • closed browser (I am not clearing anything on close)
  • visit two: not unique, 1 visit
  • closed browser (I am not clearing anything on close)
  • visit three: not unique, 2 visits

then

  • close tab, new tab
  • visit four: unique, 0 visits

IDFK

If you want to test it's working then inspect the headers

I tested on a brand new default profile and it can't track me, at all.

  • no addons;
  • no custom user scripts.

Do you think it has something to do with this FF build being the default installed on Fedora 32?

with uMatrix (1st party green):
https://privacycheck.sec.lrz.de/passive/fp_etag/fp_etag.php
^ - Always unique for me
https://lucb1e.com/rp/cookielesscookies/
^ - works as expected

I confirmed this behavior on Vivaldi (Chromium) and Firefox - it is the same for both browsers.
???
I think the first one is broken.

Hi

It appears from the content of this thread that the author assumes that the ETag is part of the downloaded images, but this is a mistake.
The ETag is part of the HTTP header, and it's so nasty that it works regardless of anything, needing neither cookies nor even JavaScript. You just need to download even a plain HTML / TXT document.
My tests showed that the ClearURLs add-on cleans ETags well:
https://addons.mozilla.org/pl/firefox/addon/clearurls/
Maybe I helped someone.

hey, can I ask something about ETags? I have been using ClearURLs with the ETag option on for years, but I think I can disable ETag filtering in ClearURLs as I'm using Temporary Containers (auto mode), FPI and RAM cache only, right?

I don't use TC so I'm not sure what auto-mode is. FPI isolates cache, so we're really only talking about repeat visits to a first party per session. If auto-mode means siteA visit-1 is isolated from siteA visit-2, then yeah, you can probably disable it. Note though, that if you're not changing circuits/exit-nodes/ip-address in that session then it's probably a moot point (assuming they are linking by IP). But it can't hurt to wipe ETags; on the other hand, I don't think too many parties would track this way - there's just way too much lower hanging fruit

If it was me, just keep wiping those ETags: leave nothing to chance

@Thorin-Oakenpants
Auto mode means every site you follow opens in its own container by default, except if your custom rules say differently.

@lazyletucce
It should be enough, but it is not... see https://github.com/stoically/temporary-containers/issues/394

Cheers
