web_accessible_resources and UUID leaking #100

Closed
atomGit opened this issue Sep 27, 2020 · 3 comments

Comments


atomGit commented Sep 27, 2020

I was just doing some long-overdue reading on how extensions (and, in turn, the browser) can be fingerprinted, and I see that if an ext. uses "web_accessible_resources" (and JS is enabled), it's possible for a website to get the UUID of the ext.

In the CRX manifest I'm seeing "web_accessible_resources", and I'd just like to get your take on whether it may be affected by this:

Bug 1405971

Rob--W (Owner) commented Sep 27, 2020

I just double-checked, and no, my extension does NOT leak the origin/UUID.
My extension only issues HTTP GET requests, and someone previously reported that GET requests (i.e. the most common form of HTTP requests) are not affected by the bug at https://bugzilla.mozilla.org/show_bug.cgi?id=1405971#c46.

Side note: whether web_accessible_resources is used or not, if the receiving site receives the Origin/UUID, then they will still be able to have a stable identifier of the client. The only thing that web_accessible_resources does is allow anyone with knowledge of the UUID to detect whether it's the same client (i.e. active fingerprinting).

Side note 2: I guess that I can remove web_accessible_resources from my extension. I'm not sure why it's there (possibly to work around a bug in Chrome), but in any case it is not necessary for the core functionality of the extension.
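
The mechanism described in the comment above, as an added example that is not part of this thread or of the crxviewer project: `auditManifest()` lists what a manifest exposes to web pages (the check to run before and after removing the key), `stripWebAccessibleResources()` applies the fix of dropping the key entirely, and `probeExtension()` is the active-fingerprinting probe a web page can run once it knows a profile's `moz-extension://` UUID (for instance from a leaked Origin header). The manifest, the UUIDs and `makeBrowserStub()` are constructed for the example; the stub models how Firefox answers web-content requests for `moz-extension://` URLs so the file runs offline in Node. In a real page you would pass `window.fetch` as `fetchImpl` (an assumption made here for brevity; the classic probe loads the resource through an `<img>` or `<script>` element and watches `onload`/`onerror`).

```javascript
// Added example, not code from the crxviewer project.

// Constructed sample manifest (hypothetical; MV2 form of web_accessible_resources).
const MANIFEST_WITH_WAR = {
  manifest_version: 2,
  name: "demo-extension",
  version: "1.0",
  web_accessible_resources: ["icons/logo.png", "viewer.html"],
};

// Return the resources the manifest exposes to ordinary web pages.
// Handles the MV2 form (array of path strings) and the MV3 form (array of
// { resources: [...], matches: [...] } objects). An absent key exposes nothing.
function auditManifest(manifest) {
  const war = manifest.web_accessible_resources;
  if (!Array.isArray(war)) return [];
  const exposed = [];
  for (const entry of war) {
    if (typeof entry === "string") exposed.push(entry);
    else if (entry && Array.isArray(entry.resources)) exposed.push(...entry.resources);
  }
  return exposed;
}

// The fix applied in #100: remove the key rather than emptying it, so nothing
// is reachable from web content. Returns a new object; the input is untouched.
function stripWebAccessibleResources(manifest) {
  const { web_accessible_resources, ...rest } = manifest;
  return rest;
}

// Constructed model of the browser (assumption, not a real browser API):
// a web page's request for moz-extension://<uuid>/<path> succeeds only if an
// extension with that per-profile UUID is installed AND <path> is listed in
// its web_accessible_resources. Wrong UUID and unlisted path both fail with
// the same network error, so the page cannot tell those two cases apart.
function makeBrowserStub(installedUuid, manifest) {
  const exposed = new Set(auditManifest(manifest));
  return async function fetchStub(url) {
    const m = /^moz-extension:\/\/([0-9a-f-]{36})\/(.+)$/.exec(url);
    if (m && m[1] === installedUuid && exposed.has(m[2])) {
      return { ok: true, status: 200 };
    }
    throw new TypeError("NetworkError when attempting to fetch resource.");
  };
}

// Active fingerprinting: resolves true when the browser running this page has
// the extension installed under `uuid` and `resourcePath` is web-accessible.
async function probeExtension(uuid, resourcePath, fetchImpl) {
  try {
    await fetchImpl(`moz-extension://${uuid}/${resourcePath}`);
    return true;
  } catch (_err) {
    return false;
  }
}

// Run the probe against the same (constructed) UUID with the key present and
// with the key removed; only the first combination lets the page learn anything.
async function runScenario() {
  const uuid = "2f0e4a1c-9b7d-4c3e-8a5f-1d2e3f4a5b6c"; // constructed; random per profile in Firefox
  const before = makeBrowserStub(uuid, MANIFEST_WITH_WAR);
  const after = makeBrowserStub(uuid, stripWebAccessibleResources(MANIFEST_WITH_WAR));
  return {
    knownUuidBeforeFix: await probeExtension(uuid, "icons/logo.png", before),
    wrongUuidBeforeFix: await probeExtension("00000000-0000-4000-8000-000000000000", "icons/logo.png", before),
    unlistedPathBeforeFix: await probeExtension(uuid, "manifest.json", before),
    knownUuidAfterFix: await probeExtension(uuid, "icons/logo.png", after),
  };
}

runScenario().then((result) => console.log(JSON.stringify(result, null, 2)));
```

Note that removing the key closes only the active side: a page that merely needs a stable identifier still gets one if the Origin header with the UUID reaches it, which is the separate point made in the first side note.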

atomGit (Author) commented Sep 27, 2020

Thanks Rob. Since you're planning on removing web_accessible_resources, I'll leave this open for you to close.

atomGit (Author) commented Sep 27, 2020

PS: you seem pretty familiar with this, so maybe this is not needed, but here's some additional info if interested.

Rob--W added a commit that referenced this issue Feb 8, 2021
Rob--W added a commit that referenced this issue Mar 28, 2022
- Rely on CORS instead of work-arounds for public XPI files from AMO (#92)
- Add work-around for crx access in Brave (#91)
- Support source viewing of extensions from Microsoft Edge (#95)
- Remove web_accessible_resources to avoid UUID leak (#100)
- Correct 0-padding of hashes (#104)
- Update jsbeautifier to v1.14.0 (#110)
- Support source viewing of extensions from Thunderbird (#111)
- Fix domain front of AMO in Firefox add-on (#115)
- Recognize CRX3 files served by addons.opera.com (#118)
- Opera only: Add work-around to access addons.opera.com (#119)
- web only: Add crx keyword to input field for keyword search (#99)
- web only: Avoid breakage of web version when an extension runs a script (#113)
- Refactor: remove unsupported declarativeWebRequest path
- Refactor: Use declarative page actions to show button.
Rob--W closed this as completed Mar 28, 2022