Fingerprinting attribute: navigator.deviceMemory #1157
Comments
Candidate solution: always return 1 (meaning 1 GB). The number is already limited to a power of two between 1/4 and 8 inclusive. @snyderp does not yet have crawl data about how widely this is used.
relevant to #2655
So what is the plan for this? Do you want just to hard code Also, the same number is also exposed in HTTP header Client Hints with identifier
SGTM, though fwiw I think this is a pretty low priority FP vector (though since the fix is easy, I think it's good).
Yes, currently we don't respect CH requests (thanks to great @jumde work). We may respect UA client-hint request if / when that becomes shipping
Which versions of the browser does this include? I did some testing earlier and it seemed like Brave does send Client Hints, even when Shields are set to "Block device recognition". I used snaps package (which might not be an official one):
Is there a wiki page explaining how to prepare a PR? I'm asking because I would most likely make a PR to the
@bershanskiy we discussed and the plan forward is to just remove the API altogether. So, no need to lie, we'll just not say anything at all
Hey there @bershanskiy 😄 We don't have a wiki page (yet) helping with creation of a PR, but I can help guide you through that! First step would be to clone and build the project per the docs here: Once that finishes (ex: after you run The actual build process- it's up to you if you want to run it. It would be great to help ensure the code compiles, but at the same time, it can take several hours (6+ on a laptop) to compile the entire project (and you can submit patches without testing locally and maybe @snyderp or another one of us can help you test / verify) For submitting the patch, you'll want to fork the Tests are encouraged - although there's a learning curve. I'd be happy to help when you get further along
Just to make sure: remove the API even if the shields are down, right? This includes Client Hints
Thanks for the detailed explanation! The build time is the primary roadblock I face. As a daily driver, I use a laptop from ~2013 and Chromium takes 8-10 hours to compile. I tried to use cloud VMs, but they come with the usual inconveniences of being in the cloud.
@bershanskiy - Client Hints should be disabled by default. Can you try to repro with the official Brave package? https://brave-browser.readthedocs.io/en/latest/installing-brave.html#linux I checked with Shields enabled/disabled and I don't see any Client Hints on this demo page: https://client-hints-demo.appspot.com/
@jumde Yes, official release has Client Hints disabled (I just tested).
@bsclifton @snyderp
and
I prepared a more holistic patch that fixes (at least some of) the tests here. Please note that since these tests check existence (or rather absence) of I did not prepare a proper patch and PR for brave-core because I bet you have very specific guidelines how to do it but I could not find those. P.S.: Obviously, the hashes in the patches are incorrect.
@bershanskiy thanks for all this! I appreciate all the work in this! @jumde or @bsclifton, it sounds like the PR process is a bit much for @bershanskiy (I can def understand). Is there any way someone internally could either handle the PR, or point @bershanskiy to the relevant docs?
also of interest maybe to @fmarier
@snyderp To move this issue forward, I made a PR based on wiki instructions, this PR is basically what I posted above. The browser builds and passes manual tests, but there are no automatic tests yet. Are there instructions on how to add these tests and, more importantly, how to run them?
Fantastic @bershanskiy ! Thanks! @fmarier @bsclifton @jumde can either of you point @bershanskiy towards where to find docs on writing good tests? It'd be great to pull this in if possible!
Here's our wiki page on tests:
Verification passed on
Verified the test plan from the description Verification passed on
Verified passed with
The original fix for this was reverted in brave/brave-core#6965.
New solution tracked in #12348.
From: brave/browser-laptop#14996
The attribute navigator.deviceMemory makes it possible to obtain information about the device's memory (https://developer.mozilla.org/en-US/docs/Web/API/Navigator/deviceMemory). I consider it could be used as a fingerprinting vector.
Test Plan
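The two mitigations discussed in this thread (always returning 1, or removing the API) compared with the unmodified attribute, as an added example that is not part of the original issue or of Brave's code: it measures how many bits `navigator.deviceMemory` would contribute over a constructed sample of visitors. The names `maxBits`, `entropyBits`, `POLICIES`, `leakedBits`, `inspect` and `SAMPLE` are assumptions made for this example.

```javascript
// Values the thread says the API can return: powers of two from 1/4 to 8.
const ALLOWED_VALUES = [0.25, 0.5, 1, 2, 4, 8];

// Upper bound on what the attribute can leak: log2 of the number of values.
function maxBits() {
  return Math.log2(ALLOWED_VALUES.length);
}

// Shannon entropy (bits) of a list of observed attribute values.
function entropyBits(observations) {
  const counts = new Map();
  for (const v of observations) {
    const key = String(v);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / observations.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// What a page script would read under each policy discussed in the thread.
const POLICIES = {
  passthrough: (nav) => nav.deviceMemory, // unmodified attribute
  constantOne: () => 1,                   // "always return 1"
  removed: () => undefined,               // "remove the API altogether"
};

// Bits the attribute contributes across a population under one policy.
function leakedBits(population, policy) {
  return entropyBits(population.map(POLICIES[policy]));
}

// Check one navigator-like object (pass the real `navigator` in a browser).
function inspect(nav) {
  const present = "deviceMemory" in nav;
  const value = present ? nav.deviceMemory : undefined;
  return { present, value, inRange: present && ALLOWED_VALUES.includes(value) };
}

// Constructed sample: eight hypothetical visitors, not measured data.
const SAMPLE = [8, 8, 8, 8, 4, 4, 2, 1].map((gb) => ({ deviceMemory: gb }));

for (const policy of Object.keys(POLICIES)) {
  console.log(policy, leakedBits(SAMPLE, policy).toFixed(2), "bits");
}
```

In a browser console, `inspect(navigator)` reports whether the property is still present in the build being tested.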