-
Notifications
You must be signed in to change notification settings - Fork 973
Fingerprinting protections bypassable #11683
Comments
@diracdeltas Re our conversation on slack. Happy to contribute a PR, but wanted to make sure my proposed solution was useful first. How does overwriting the getter for the following methods to return the blocking proxy sound?
This will break some patterns of cross domain access, but (hopefully?) this is very rare, and most of the world has moved on to "Channel Messaging" for these use cases. |
apparently i tried to address this attack vector in 7e55416#diff-7440f7b95ccc371bdd73dce0a6631831R928 but this code was subsequently removed in b310fb1 (not sure why) |
nvm, the attack vector above is somewhat different since it is for fingerprinting by creating canvas elements in an iframe, whereas this issue is for using prototype methods in the child frames to do fingerprinting in the parent frame. @snyderp your approach sounds good to me. |
QA steps: go to https://jsfiddle.net/3dhmjqco/1/ with fingerprinting protection on, it should show 1 fingerprinting method blocked. |
block access to fingerprinting methods pulled from child frames issue #11683
block access to fingerprinting methods pulled from child frames issue #11683
block access to fingerprinting methods pulled from child frames issue #11683
block access to fingerprinting methods pulled from child frames issue #11683
@srirambv @LaurenWags this needs to be checked as well.. @diracdeltas has provided QA instructions in #11683 (comment). |
PR has been reverted with fe2fced Re-opening so that we can look at a fix for 0.20.x |
Moving to 0.21.x (since this would be fixed by #12045) |
Test plan
Description
Many of the current fingerprinting protections rely on removing references to methods from the global object. However, you can get alternate references to the same methods by inserting a configured iframe element and grabbing the references off
iframe.contentWindow
oriframe.contentDocument
.Steps to Reproduce
Actual result:
You can get references to the fingerprinting related methods.
Expected result:
You shouldn't be able to get to these methods.
Reproduces how often: 100%
Brave Version
All versions
Reproducible on current live release:
Yes
The text was updated successfully, but these errors were encountered: