fingerprinting screen coordinates #23170
Comments
Re-opening because commit was reverted because of a crash.

@brave/qa-team can probably use brave/brave-variations#362 (comment) as a template of what should be checked. However, remember that this is being enabled via Griffin so enabling the feature via
Verification

| Brave | 1.45.85 Chromium: 106.0.5249.91 (Official Build) beta (x86_64) |
|---|---|
| Revision | fa96d5f07b1177d1bf5009f647a5b8c629762157-refs/branch-heads/5249@{#707} |
| OS | macOS Version 11.7 (Build 20G817) |
Case 1: 1st launch, no Griffin - PASSED

Steps:

1. installed 1.45.85
2. launched Brave
3. opened brave://version
4. confirmed no Griffin studies listed
5. loaded https://dev-pages.brave.software/fingerprinting/farbling.html
6. clicked on Generate fingerprints
7. confirmed the This Page, Local Frame, and Remote Frame values were the same for each of the following:
   - Screen resolution
   - Screen resolution media query
   - Available screen resolution
8. loaded https://arthuredelstein.github.io/tracking_demos/screen.html
9. moved the mouse around and examined the tracked events

Confirmed there was no farbling of the screen/window coordinates shown in the screenshot

Screenshots: brave://version | dev-pages.brave.software/.../farbling.html | arthuredelstein.github.io/.../screen.html
Case 2: 2nd launch, Griffin-enabled study (50%) - PASSED

(Continued from 1st launch, no Griffin test, above)

10. restarted Brave
11. opened brave://version
12. confirmed in the 50%-chance case you get BraveScreenFingerprintingBlockerStudy:Enabled
13. loaded https://dev-pages.brave.software/fingerprinting/farbling.html
14. clicked on Generate fingerprints
15. loaded https://arthuredelstein.github.io/tracking_demos/screen.html
16. moved the mouse around and examined the tracked coordinates

Confirmed the values for This Page were different from Local Frame and Remote Frame (which were both the same); the only four (4) trackable events were the mouseEvent.client(X/Y) coordinates

Screenshots: brave://version | dev-pages.brave.software/.../farbling.html | arthuredelstein.github.io/..../screen.html
Case 3: 2nd launch, default/no study (50%) - PASSED

(Continued from 1st launch, no Griffin test, above)

10. restarted Brave
11. opened brave://version
12. confirmed in the other 50%-chance case I got BraveScreenFingerprintingBlockerStudy:Default
13. loaded https://dev-pages.brave.software/fingerprinting/farbling.html
14. clicked on Generate fingerprints
15. loaded https://arthuredelstein.github.io/tracking_demos/screen.html
16. moved the mouse around and examined the tracked coordinates

Confirmed all values were the same; no farbling was applied

Screenshots: brave://version | dev-pages.brave.software/.../farbling.html | arthuredelstein.github.io/..../screen.html
Verification

Case 1: 1st launch, no Griffin -

Screenshots: step 3 | step 5 | step 8
Case 2: 2nd launch, Griffin-enabled study (50%) with Shields enabled - PASSED

(Continued from 1st launch, no Griffin test, above)

10. restarted Brave
11. opened brave://version
12. confirmed in the 50%-chance case you get BraveScreenFingerprintingBlockerStudy:Enabled
13. loaded https://dev-pages.brave.software/fingerprinting/farbling.html
14. clicked on Generate fingerprints
16. loaded https://arthuredelstein.github.io/tracking_demos/screen.html
17. moved the mouse around and examined the tracked coordinates

Confirmed the values for This Page were different from Local Frame and Remote Frame (which were both the same); the only four (4) trackable events were the mouseEvent.client(X/Y) coordinates

Screenshots: step 11-12 | step 13 | step 16
Case 3: 2nd launch, Griffin-enabled study (50%) with Shields disabled - PASSED

- continued from Case 2
- disabled Shields in the Shields panel
- reloaded https://dev-pages.brave.software/fingerprinting/farbling.html
- clicked on Generate fingerprints
- loaded https://arthuredelstein.github.io/tracking_demos/screen.html
- moved the mouse around and examined the tracked coordinates

Confirmed all values were the same; no farbling was applied

Screenshots: brave://version | shields down | farbling.html | screen.html
Case 4: 3rd launch, default/no study (50%) - PASSED

(Continued from 1st launch, no Griffin test, above)

10. restarted Brave
12. opened brave://version
13. confirmed in the other 50%-chance case I got BraveScreenFingerprintingBlockerStudy:Default
14. loaded https://dev-pages.brave.software/fingerprinting/farbling.html
15. clicked on Generate fingerprints
16. loaded https://arthuredelstein.github.io/tracking_demos/screen.html
17. moved the mouse around and examined the tracked coordinates

Confirmed all values were the same; no farbling was applied

Screenshots: step 11 | step 13 | step 15
Verification passed on

| Brave | 1.45.90 Chromium: 106.0.5249.103 (Official Build) beta (64-bit) |
|---|---|
| Revision | 182570408a1f25ab2731ef5f283b918df9b9f956-refs/branch-heads/5249_91@{#6} |
| OS | Ubuntu 18.04 LTS |
Case 1: 1st launch, no Griffin - PASSED

Steps:

1. installed 1.45.x
2. launched Brave
3. opened brave://version
4. confirmed no Griffin studies listed
5. loaded https://dev-pages.brave.software/fingerprinting/farbling.html
6. clicked on Generate fingerprints
7. confirmed the This Page, Local Frame, and Remote Frame values were the same for each of the following:
   - Screen resolution
   - Screen resolution media query
   - Available screen resolution
8. loaded https://arthuredelstein.github.io/tracking_demos/screen.html
9. moved the mouse around and examined the tracked events

Confirmed there was no farbling of the screen/window coordinates shown in the screenshot
Case 2: 2nd launch, Griffin-enabled study (50%) with Shields enabled - PASSED

(Continued from 1st launch, no Griffin test, above)

10. restarted Brave
11. opened brave://version
12. confirmed in the 50%-chance case you get BraveScreenFingerprintingBlockerStudy:Enabled
13. loaded https://dev-pages.brave.software/fingerprinting/farbling.html
14. clicked on Generate fingerprints
16. loaded https://arthuredelstein.github.io/tracking_demos/screen.html
17. moved the mouse around and examined the tracked coordinates

Confirmed the values for This Page were different from Local Frame and Remote Frame (which were both the same); the only four (4) trackable events were the mouseEvent.client(X/Y) coordinates
Case 3: 2nd launch, Griffin-enabled study (50%) with Shields disabled - PASSED

- continued from Case 2
- disabled Shields in the Shields panel
- reloaded https://dev-pages.brave.software/fingerprinting/farbling.html
- clicked on Generate fingerprints
- loaded https://arthuredelstein.github.io/tracking_demos/screen.html
- moved the mouse around and examined the tracked coordinates

Confirmed all values were the same; no farbling was applied
Case 4: 3rd launch, default/no study (50%) - PASSED

(Continued from 1st launch, no Griffin test, above)

10. restarted Brave
12. opened brave://version
13. confirmed in the other 50%-chance case I got BraveScreenFingerprintingBlockerStudy:Default
14. loaded https://dev-pages.brave.software/fingerprinting/farbling.html
15. clicked on Generate fingerprints
16. loaded https://arthuredelstein.github.io/tracking_demos/screen.html
17. moved the mouse around and examined the tracked coordinates
Description

Most browsers leak information about the user's display outside the content viewport, including screen width and height, the position of the browser window on the screen, and the difference between viewport and window dimensions. This information constitutes a fingerprinting vector that is exposed to content JS and CSS. APIs that leak this information include:

- The `window.screen` object leaks information about the screen size:
  - `window.screen.width`
  - `window.screen.height`
  - `window.screen.availWidth`
  - `window.screen.availHeight`
  - `window.screen.availLeft`
  - `window.screen.availTop`
  - `window.screen.isExtended` (leaks whether the user has multiple monitors)
- Media queries also leak screen dimensions:
  - `device-width`
  - `device-height`
- `window` properties leak absolute coordinates of the position and outer boundary of the browser window:
  - `window.screenX`
  - `window.screenY`
  - `window.outerWidth`
  - `window.outerHeight`
- Pointing event screen coordinates (`MouseEvent`, `TouchEvent`, `DragEvent`, `PointerEvent`) can also be used to compute the window's position on the screen:
  - `event.screenX`
  - `event.screenY`

We want to hide this information from visited websites. The plan is to farble all of these APIs, meaning we spoof the values and also add a domain/session-keyed pseudorandom component to each of them.

We plan to enable the protection under standard (default) and aggressive fingerprinting modes, so that the user can disable it by lowering shields or setting "allow fingerprinting". In addition, we bind the protections to a flag so that they can be remotely disabled using Griffin.
Steps to Reproduce

Visit https://arthuredelstein.github.io/tracking_demos/screen.html to see how screen size is revealed.

Actual result:

(Screenshots: Example; Also)

Desired result:

Content should not be given true information about screen dimensions or window position.

Reproduces how often:

Always

Brave version:

All versions
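The following is an added worked example, not code from this issue or from the Brave code base. It shows in plain JavaScript the three points the description makes: which screen/window values a page can read, how a single pointer event reveals the viewport's position on the screen (`event.screenX - event.clientX`), and what a domain/session-keyed farbling of those values looks like. The `win` and `ev` objects, the session key and the FNV-1a-derived offset are constructed assumptions for the example; Brave's real seed derivation and the exact spoofed values it reports are not shown here.

```javascript
// Added example, not code from the Brave issue or the Brave code base. It
// shows (1) the screen/window values the description lists as fingerprinting
// vectors, (2) recovering the viewport's screen position from one pointer
// event, and (3) an illustrative domain+session-keyed "farbling" of those
// values. `win`, `ev`, the session key and the FNV-1a-based offset are
// constructed assumptions for this example, not Brave's objects or seed.

// Constructed stand-in for `window`: 2560x1440 display, a 40px menu bar,
// browser window at (100, 80) with 16px/100px of chrome around the viewport.
const win = {
  screen: { width: 2560, height: 1440, availWidth: 2560, availHeight: 1400,
            availLeft: 0, availTop: 40, isExtended: true },
  screenX: 100, screenY: 80, outerWidth: 1280, outerHeight: 900,
  innerWidth: 1264, innerHeight: 800,
};

// Constructed mousemove: cursor at viewport (300, 200); the viewport's
// top-left sits at screen (108, 172), inside the window's chrome.
const ev = { clientX: 300, clientY: 200, screenX: 408, screenY: 372 };

// Everything the description says content JS can read (CSS device-width /
// device-height media queries mirror screen.width / screen.height).
function leakedScreenInfo(w) {
  const s = w.screen;
  return {
    screen: [s.width, s.height, s.availWidth, s.availHeight, s.availLeft, s.availTop],
    multiMonitor: s.isExtended,
    window: [w.screenX, w.screenY, w.outerWidth, w.outerHeight],
    chrome: [w.outerWidth - w.innerWidth, w.outerHeight - w.innerHeight],
  };
}

// A pointer event carries both client (viewport) and screen coordinates, so
// one event is enough to locate the viewport on the screen.
function inferViewportPosition(e) {
  return { x: e.screenX - e.clientX, y: e.screenY - e.clientY };
}

// FNV-1a 32-bit hash, used here as a cheap deterministic keyed function.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Offset in [0, range) that is stable for a (session, domain, label) triple:
// the same site sees the same values within a session, a different site or a
// new session sees different ones, so the jitter cannot be averaged away.
function farbleOffset(sessionKey, domain, label, range) {
  return fnv1a(`${sessionKey}|${domain}|${label}`) % range;
}

// Farbled view: the screen is reported as the viewport plus a small keyed
// jitter, the window as sitting at the origin with no chrome. The true screen
// size, window position and monitor count never reach content.
function farbledScreenInfo(w, domain, sessionKey) {
  const width = w.innerWidth + farbleOffset(sessionKey, domain, 'w', 8);
  const height = w.innerHeight + farbleOffset(sessionKey, domain, 'h', 8);
  return {
    screen: [width, height, width, height, 0, 0],
    multiMonitor: false,
    window: [0, 0, width, height],
    chrome: [0, 0],
  };
}

// Farbled pointer event: screenX/Y become clientX/Y plus the same kind of
// keyed jitter, so inferViewportPosition() yields the jitter, not the real
// window origin; only the client coordinates stay meaningful.
function farblePointerEvent(e, domain, sessionKey) {
  return {
    clientX: e.clientX, clientY: e.clientY,
    screenX: e.clientX + farbleOffset(sessionKey, domain, 'x', 8),
    screenY: e.clientY + farbleOffset(sessionKey, domain, 'y', 8),
  };
}

console.log('leaked:', leakedScreenInfo(win), inferViewportPosition(ev));
console.log('farbled:', farbledScreenInfo(win, 'a.example', 'session-1'),
            inferViewportPosition(farblePointerEvent(ev, 'a.example', 'session-1')));
```

The farbled event still carries true `clientX`/`clientY`, which matches what the QA verification above observed under the enabled study: the client coordinates are the only pointer values that remain trackable. Keying the jitter on both domain and session is what makes the spoofed values consistent within a site (so layout code does not break) while denying a cross-site or cross-session identifier.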