Privacy issue: X-Edge-Shopping-Flag sent to bing.com #3365

Closed
RendijsSmukulis opened this issue Apr 6, 2023 · 4 comments
Labels
bug Something isn't working tracked We are tracking this work internally.

Comments

RendijsSmukulis commented Apr 6, 2023

Description

When navigating to bing.com with an app that uses WebView2, the headers include an unexpected X-Edge-Shopping-Flag, which increases the likelihood the browser can be fingerprinted. Chromium does not include this header.

Version
SDK: 1.0.1619-prerelease
Runtime: Evergreen (109.0.1518.52)
Framework: WPF
OS: Win11 22H2 (OS Build 22621.521)

Repro Steps

  • Open Fiddler
  • Navigate to bing.com
  • Observe X-Edge-Shopping-Flag is present in the headers

AB#44083061

@RendijsSmukulis RendijsSmukulis added the bug Something isn't working label Apr 6, 2023
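
Added example, not part of the issue thread or the WebView2 project: the repro above compares what WebView2 sends against what Chromium sends, and the script below automates that comparison for two raw request heads copied out of a proxy such as Fiddler. The sample requests are constructed, with placeholder values; `parse_headers` and `compare` are hypothetical helper names.

```python
"""Diff request headers between a capture and a baseline (added example)."""

# Constructed samples in the raw form a proxy shows. Values are placeholders;
# only the header name X-Edge-Shopping-Flag comes from the issue.
BASELINE_CHROMIUM = """\
GET / HTTP/1.1
Host: www.bing.com
User-Agent: <chromium-ua-placeholder>
Accept: text/html
"""

WEBVIEW2_CAPTURE = """\
GET / HTTP/1.1
Host: www.bing.com
User-Agent: <webview2-ua-placeholder>
Accept: text/html
X-Edge-Shopping-Flag: <value-placeholder>
"""


def parse_headers(raw):
    """Return {lowercased-name: value} from a raw HTTP/1.x request head."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip request line
        if not line.strip():  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return headers


def compare(capture, baseline):
    """Header names that are extra, missing or changed relative to baseline."""
    cap, base = parse_headers(capture), parse_headers(baseline)
    return {
        "extra": sorted(cap.keys() - base.keys()),
        "missing": sorted(base.keys() - cap.keys()),
        "changed": sorted(n for n in cap.keys() & base.keys()
                          if cap[n] != base[n]),
    }


if __name__ == "__main__":
    print(compare(WEBVIEW2_CAPTURE, BASELINE_CHROMIUM))
```

Header names are compared case-insensitively, so an HTTP/2 capture (lowercase names) can be checked against an HTTP/1.1 baseline.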
ningccn commented Apr 7, 2023

Thank you for your feedback on this issue. We will investigate.

@novac42 novac42 added the tracked We are tracking this work internally. label Apr 7, 2023
xu-ms commented Apr 10, 2023

@RendijsSmukulis
Thank you for your feedback. We investigated this issue. We have identified the root cause of the problem, and we will keep you updated on any further developments. Please let us know if you have any further questions or concerns in the meantime.

Contributor

novac42 commented Apr 19, 2023

@RendijsSmukulis Update: as @xu-ms mentioned earlier, we have identified the root cause, and the fix is in the pipeline to remove the flag in the request header. We also want to clarify that since the shopping feature is disabled in WebView2, it doesn't provide additional information about the user's configuration, as all it does is identify the client as Edge version >= min version that provides this header (which is already provided by the UA string). Please let us know if there are more concerns. Thanks!

@champnic
Member

We've fixed this in runtime versions 113.0.1774.17+. Thanks!
