🤔 PoC of Bromite detection. May block other misconfigured browsers as well.
Some users are really naughty, hiding their real selves from websites. Let's fix that hmm?
- ESBuild
- Deno
- Install Deno.
- Download the pre-built script `deno.js` from `dist/` or releases.
- Run `deno run --allow-net deno.js`.
Cloudflare Workers isn't supported because I'm lazy 🤪. Supporting it should be easy enough though!
- Create a playground on Deno Deploy.
- Paste and deploy the pre-built script.
(last updated on 24 July 2022)
Bromite claims to be a privacy-respecting browser, but its actual implementations can be questionable: some cause headaches for web developers like me, and some are outright exploitable to deny it access. This isn't trying to downplay their work, but to point out how they can do a little bit better.
Client hints were first introduced in Chromium 85, as a way for servers to better tailor the resources sent to clients. While Google claimed it as a "more privacy respecting" way than using user agent strings, I find their explanation pretty laughable: when did providing more data points to the server to fingerprint clients become privacy respecting?
Since Chromium 89, client hints have been pushed as a "feature" to every installation of Chromium browsers. Some browsers based on Chromium try to spoof them, or to deny their functionality entirely. Bromite didn't do anything about client hints at first (see the ~95 method of detection), then chose to strip them entirely. In short, Bromite's approach is wrong, and this PoC is just a way of showing why it's wrong.
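The inconsistency described above, as an added example (not this PoC's own code; the page does not spell out its detection method): a request whose User-Agent claims Chromium 89 or later but carries no `Sec-CH-UA` header over HTTPS stands out from stock Chromium traffic. The function names, result labels and sample requests are constructed for illustration, and the check assumes header names are already lower-cased.

```javascript
// Added example: User-Agent vs. client-hints consistency check.
// Version threshold taken from the text above (hints on by default since Chromium 89).
const CH_DEFAULT_SINCE = 89;

// Return the Chrome/Chromium major version claimed by a User-Agent string, or null.
function chromiumMajor(userAgent) {
  const m = /\b(?:Chrome|Chromium)\/(\d+)\./.exec(userAgent || "");
  return m ? Number(m[1]) : null;
}

// headers: plain object with lower-cased header names.
// secure: true if the request arrived over HTTPS; client hints are not
// sent over plain HTTP, so their absence there proves nothing.
function classifyRequest(headers, secure) {
  const major = chromiumMajor(headers["user-agent"]);
  if (major === null) return "not-chromium";
  if (major < CH_DEFAULT_SINCE) return "pre-client-hints";
  if (!secure) return "inconclusive";
  const hint = headers["sec-ch-ua"];
  // A missing header only says "Chromium UA without hints": it matches any
  // browser or proxy that strips them, not one specific browser.
  if (hint === undefined) return "hints-stripped";
  // Expect at least one brand entry of the form "Name";v="NN".
  if (!/"[^"]*";\s*v="\d+"/.test(hint)) return "hints-malformed";
  return "consistent";
}

// Constructed sample requests (not captured traffic).
const UA_103 = "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 " +
  "(KHTML, like Gecko) Chrome/103.0.0.0 Mobile Safari/537.36";
const SAMPLES = {
  stock: {
    "user-agent": UA_103,
    "sec-ch-ua": '" Not A;Brand";v="99", "Chromium";v="103", "Google Chrome";v="103"',
  },
  stripped: { "user-agent": UA_103 },
  firefox: {
    "user-agent": "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",
  },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, "->", classifyRequest(headers, true));
}
```

A browser that wants to blend in has to keep the two signals consistent: either send hints that match the User-Agent, or present a User-Agent that would not be expected to send them.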
See my Telegram channel.
Implemented. See my Telegram channel.