fingerprinting protection #44

Merged
merged 4 commits into from
Mar 16, 2018

Member

@yrliou yrliou commented Feb 22, 2018

This PR implements canvas, WebGL, WebRTC, AudioContext/AudioBuffer fingerprinting protection which is disabled by default.
Allowing and blocking all fingerprinting are implemented; allowing 3rd-party fingerprinting is not supported yet.

Tests:

  • Canvas & WebGL
    Use https://panopticlick.eff.org/ to test; the hash values of canvas & webgl fingerprinting should be the same as below when fingerprinting protection is enabled, and the shield panel should show 2 fingerprinting methods blocked.
    canvas: cf04c1dcb26ef79705764e5c22d0e711
    webgl: undetermined
  • WebRTC IP leakage: IP shouldn't be detected in https://browserleaks.com/webrtc
  • AudioContext/AudioBuffer: Fingerprint using DynamicsCompressor, OscillatorNode, and Fingerprint using hybrid of OscillatorNode/DynamicsCompressor method should be empty or 0 in https://audiofingerprint.openwpm.com/

fixes: brave/brave-browser-snap#11
requires: brave/brave-extension#11

@@ -342,6 +343,11 @@ bool HTMLCanvasElement::ShouldBeDirectComposited() const {
}

bool HTMLCanvasElement::IsPaintable() const {
Member

does isPaintable correspond to whether the canvas element is writable? Currently we block reading from the canvas when fingerprintingProtection is enabled, but we still allow writing to the canvas. I think blocking write is going to cause more webcompatibility issues since I imagine there are legitimate apps that only write to the canvas and never read it (but not vice versa). not sure though

Member

@bridiver wanted it this way but he's on vacation this week, so we might have to wait a bit for a response.

Member Author

I think what isPaintable mainly does for fingerprinting protection is blocking toDataURL and toBlob, but it seems some info could still be read from canvas&webgl without using toDataURL/toBlob.
And since this patch is no longer applicable because of the C65 upgrade, I went ahead and revised the implementation to block canvas/webgl read functions while rebasing.
I'll push the revised implementation for review in a sec.

@bbondy bbondy requested a review from bridiver February 28, 2018 07:23
@bbondy
Member

bbondy commented Feb 28, 2018

cc @bridiver to give feedback when you're back.

@yrliou yrliou force-pushed the fingerprinting_protection branch from 4a4a0af to 73b9f45 Compare March 6, 2018 07:15
peer_handler_.reset();
}

+bool RTCPeerConnection::AllowFingerprinting() {
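
Review bot: `RTCPeerConnection::AllowFingerprinting()` is added as a non-const member with a verb-style name, although it returns `bool` and reads as a policy query. Declaring it `const` and naming it as a predicate (for example `IsFingerprintingAllowed`) would make call sites read correctly, and a short comment on what it returns when the setting cannot be determined would document the default that the WebRTC gating relies on.
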
Collaborator

can we make this a static method in a src/brave header file to minimize the patch size? Passing the LocalFrame maybe?

@yrliou yrliou changed the title Canvas & WebGL fingerprinting protection fingerprinting protection Mar 7, 2018
@yrliou
Member Author

yrliou commented Mar 7, 2018

@diracdeltas @bridiver PR is updated, please review it again, thanks.
I'll squash and rebase commits after.

@pes10k
Contributor

pes10k commented Mar 9, 2018

Two thoughts / comments

One, it might be worth slightly changing the structure, to pass some id for each feature, to a larger "should block" function, that could be used in the future to implement more complex "should this be blocked" policies.

Two, this doesn't use the current "return a self-trapping" proxy approach. From my pre-Brave measurements, using the proxy approach was useful for preventing some site breakage. Not so much for these specific methods, but for others that might be candidates for blocking / restricting going forward.

@yrliou
Member Author

yrliou commented Mar 10, 2018

Thanks for the comments, @snyderp.

I think passing IDs is doable under the current structure and would be useful when we need this info in the future such as reporting more details or providing more fine-grained controls. Though I would prefer to not include this in this PR and add it later when we develop those features in the future.

Not so sure about what you mean by the proxy approach, do you mean the one we have in browser-laptop repo which was written in JS?

@diracdeltas
Member

@yrliou yup, there was a proxy approach to fingerprinting added in brave/browser-laptop#10287 to reduce breakage

i don't think it's necessary for this PR though
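
The two suggestions in this thread, a single "should block" function keyed by feature id and a self-trapping proxy returned from blocked calls, can be pictured as follows. This is an added example, not code from this PR or from brave/browser-laptop#10287; the feature ids, the policy object and `guard` are hypothetical, and `fakeCtx` is a constructed stand-in for a canvas context.

```javascript
// Added example: not code from this PR or from brave/browser-laptop.
// Feature ids, policy shape and function names are hypothetical.
const Feature = Object.freeze({
  CANVAS_READ: 'canvas-read', WEBGL_READ: 'webgl-read',
  WEBRTC: 'webrtc', AUDIO: 'audio', SVG_METRICS: 'svg-metrics',
});

// Single decision point keyed by feature id. "allow" and "block" mirror the
// two modes the PR implements; the per-feature override map is assumed.
function shouldBlock(feature, policy) {
  const overrides = policy.overrides || {};
  if (Object.prototype.hasOwnProperty.call(overrides, feature)) {
    return overrides[feature] === 'block';
  }
  return policy.default === 'block';
}

// Proxy that answers property reads, calls and `new` with itself, so page
// code chaining on a blocked result keeps running instead of throwing.
function selfTrappingProxy() {
  const proxy = new Proxy(function () {}, {
    get(_target, prop) {
      if (prop === Symbol.toPrimitive) return () => ''; // `${p}`, p + 1
      if (prop === 'then') return undefined; // not a thenable: await resolves
      return proxy;
    },
    apply: () => proxy,
    construct: () => proxy,
  });
  return proxy;
}

// Wrap a fingerprintable method: call through when allowed; when blocked,
// report the feature id (e.g. for a blocked counter) and return the proxy.
function guard(feature, policy, fn, onBlocked = () => {}) {
  return function (...args) {
    if (!shouldBlock(feature, policy)) return fn.apply(this, args);
    onBlocked(feature);
    return selfTrappingProxy();
  };
}

// Constructed stand-in for a 2D context; no real canvas is involved.
const fakeCtx = { getImageData: () => ({ data: [1, 2, 3, 4] }) };
```

Without the `Symbol.toPrimitive` and `then` cases, string coercion of the proxy throws a TypeError and `await` on it never settles, which are two ways a catch-all proxy can itself break a page.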

@diracdeltas
Member

does this also block SVG tracking (brave/browser-laptop#10288) and webrtc IP leaks (test page: https://diafygi.github.io/webrtc-ips/)?

diff --git a/third_party/WebKit/Source/modules/canvas/canvas2d/CanvasRenderingContext2D.cpp b/third_party/WebKit/Source/modules/canvas/canvas2d/CanvasRenderingContext2D.cpp
index 94de909f954d2f4638a89aa37575e39626989ae8..af75c5cab46c04cef8ccb39fcc88f7b8b6631ee5 100644
--- a/third_party/WebKit/Source/modules/canvas/canvas2d/CanvasRenderingContext2D.cpp
+++ b/third_party/WebKit/Source/modules/canvas/canvas2d/CanvasRenderingContext2D.cpp
Member

does this also need to block getImageData and getLineDash?

Member Author

yes, I missed these two methods in the first place, thanks for pointing it out!

@yrliou
Member Author

yrliou commented Mar 14, 2018

@diracdeltas SVG is not added yet, but webrtc IP is already covered.
I'll take a look at the SVG classes and add them into this PR if it is a trivial change.

@yrliou
Member Author

yrliou commented Mar 14, 2018

I'll add SVGTextContentElement::getComputedTextLength and SVGPathElement::getTotalLength tonight along with rebase & squash commits.

@yrliou
Member Author

yrliou commented Mar 15, 2018

canvas2D's getImageData, getLineDash and the above two SVG methods are added.

}

-const Vector<double>& BaseRenderingContext2D::getLineDash() const {
+const Vector<double>& BaseRenderingContext2D::getLineDash(ScriptState* script_state) const {
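
Review bot: `getLineDash(ScriptState* script_state) const` still returns `const Vector<double>&`, so the blocked branch cannot hand back a temporary empty vector without leaving the caller a dangling reference. Return a reference to an empty `Vector<double>` with static or member lifetime, and add a one-line comment at the new parameter saying it is only used for the fingerprinting check, since every caller now has to supply a `ScriptState`.
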
Member Author

Per slack discussion with @bridiver, move canvas blocking into BaseRenderingContext2D to cover OffscreenCanvasRenderingContext2D & PaintRenderingContext2D.

data.ReadAutoplayRules(&out->autoplay_rules) &&
- data.ReadClientHintsRules(&out->client_hints_rules);
+ data.ReadClientHintsRules(&out->client_hints_rules) &&
+ data.ReadFingerprintingRules(&out->fingerprinting_rules);
Collaborator

you can make this patch a little smaller by adding it before the last item

void BraveSpecificDidBlockJavaScript(
const base::string16& details);

void BraveSpecificDidBlockFingerprinting(
Collaborator

we don't need BraveSpecific here. I think that was just added to the JavaScript one to differentiate it from the standard DidBlockJavaScript method

Collaborator

@bridiver bridiver left a comment

++

@bridiver bridiver merged commit 27aa17b into master Mar 16, 2018
@bbondy
Member

bbondy commented Mar 16, 2018

Congratulations on the merge, amazing work! 💯

@yrliou yrliou deleted the fingerprinting_protection branch March 16, 2018 22:04