Audit `window.navigator` #2655

Open
tomlowenthal opened this issue Dec 19, 2018 · 6 comments

Comments

@tomlowenthal
Member

@tomlowenthal tomlowenthal commented Dec 19, 2018

window.navigator has a lot of interesting info in it, like descriptions of the current network connection properties. We should go through every item in that list, and remove ones which might be troublesome.

@tomlowenthal tomlowenthal added this to the 1.x Backlog milestone Dec 19, 2018
@tomlowenthal tomlowenthal added this to Untriaged / Incoming in Shields via automation Dec 19, 2018
@bershanskiy

@bershanskiy bershanskiy commented Dec 20, 2018

Please note that there is also the alias navigator (without window.).

One of the most interesting elements of navigator is Service Workers. For those who don't know: service workers don't have any permission system (allowed by default; Firefox at least has a global flag to disable them, Chrome apparently doesn't). Service workers are made mostly to deliver push notifications, so they allow site scripts to persist even after the site was closed (and, by default in Chrome, when the browser is closed and only the Chrome "background process" is running). Also, they have access to the same powerful APIs as regular sites, e.g. the geolocation API (of course, if you give it permission). I remember that a while ago, when mobile cracked down on location tracking by native mobile apps in the background, someone used service workers in a PWA to circumvent the ban. I don't think that was ever fixed, but I'm not sure.

@tomlowenthal tomlowenthal moved this from Untriaged / Incoming to Feature Backlog in Shields Jan 24, 2019
@rebron rebron modified the milestone: 1.x Backlog Feb 7, 2019
@tomlowenthal
Member Author

@tomlowenthal tomlowenthal commented Aug 6, 2019

@snyderp to audit and work out which things are okay and which need to be futzed with. [This issue is only to audit, actually fixing stuff will go in other issues.]

@pes10k
Contributor

@pes10k pes10k commented Aug 7, 2019

Takeaways

  • We should remove Network Connection API completely
  • probably remove / fix .deviceMemory value
  • bin or fix .hardwareConcurrency
  • remove .keyboard
  • bin maxTouchPoints (max 3?)
  • require permission to access .mediaDevices (window.navigator.mediaDevices.enumerateDevices().then(console.log) <- un-permissioned hardware leak)

caution items (no obvious harm, but likely little benefit)

  • likely no benefit to the lock api (but no strong harm either)
  • remove mediaSession (not clear if its

Properties

appCodeName
	hardcoded to "Mozilla"
	https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/frame/navigator_id.cc?rcl=33aca3f5322e887838abe41f887999551a935dc1&l=46

appName
	hardcoded to "Netscape"
	https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/frame/navigator_id.cc?rcl=33aca3f5322e887838abe41f887999551a935dc1&l=50

appVersion
	subset of UA

bluetooth
	gateway / interface to the unstable Bluetooth API.  All related functionality is disabled by default (on desktop at least)

clipboard
	gateway to the [Clipboard API](https://w3c.github.io/clipboard-apis/).  We don't seem to make any modifications to this

connection
	gateway to the [Network Information API](https://developer.mozilla.org/en-US/docs/Web/API/Network_Information_API).  We don't make any modifications.  FF exposes only in workers, Safari doesn't implement on desktop.  Mixed implementation info on mobile (Safari no, others yes)

cookieEnabled
	boolean value mirroring the Cookies permission (which all sites have access to by default)

credentials
	entry point to the [Credential Management API](https://w3c.github.io/webappsec-credential-management/).  I do not know if we make modifications, @pj might know

deviceMemory
	reports value as described by the [Device Memory API](https://w3c.github.io/device-memory/).  Rounded to one of the following values 0.25, 0.5, 1, 2, 4, 8

doNotTrack
	null or true, depending on the about://settings setting

geolocation
	entry point to the [Geolocation API](https://w3c.github.io/geolocation-api/).  We don't modify; it's permission-based, and sites don't have permission by default.

hardwareConcurrency
	returns number of cores / processors.

keyboard
	entry point to [Keyboard API](https://developer.mozilla.org/en-US/docs/Web/API/Keyboard_API), which allows sites to determine keyboard layout.  Not permissioned, only in Chrome

language (string)
languages (array)
	preferred locale, and an array of all supported locales

locks
	entry point to the [Web Locks API](https://wicg.github.io/web-locks/).  Chrome only endpoint, allows for… well, obvious

maxTouchPoints
	[Pointer Events API](https://www.w3.org/TR/pointerevents2/), the number of touch points supported by the device.  

mediaCapabilities
	[Media Capabilities API](https://w3c.github.io/media-capabilities/) gives info about the hardware capabilities on the system (e.g. native mp4 decoder, etc).  We ship it behind a flag

mediaDevices
	[Media Devices API](https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices).  Allows querying and accessing info about hardware.  Unpermissioned access to enumerate available devices.


mediaSessions
	[Media Session Standard](https://w3c.github.io/mediasession/).  Intended to allow websites to do things like interact with media keys, display information on phone lock screens, etc.  Firefox does not support, Safari doesn't seem to either.  [Seems only chrome](https://developer.mozilla.org/en-US/docs/Web/API/MediaSession)

mimeTypes
	returns an array describing the plugins that can deal with media on the given frame

onLine
	returns bool of whether the network connection is active

permissions
	array of permissions the page currently has

platform
	hardware info.  Currently tells the truth, though it can be fixed behind a "freeze user agent string".  Mirrors UA

plugins
	duh...

presentation
	entry point to the [Presentation API](https://w3c.github.io/presentation-api/).  Allows the browser to request access to additional screens (e.g. like a power point display).  Firefox supports behind flag, Safari does not

product
	fixed to "gecko"

productSub
	fixed to "20030107"

serviceWorker
	entry point to the [Service Worker API](https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API)

storage
	part of the [Storage API](https://storage.spec.whatwg.org/#storagemanager).  Allows sites to query how much storage they're allowed, whether it's persistent, etc.

usb
	entry to the USB API

userActivation
	allows the page to query whether there has been a user gesture in the frame as defined in the [HTML spec](https://html.spec.whatwg.org/multipage/interaction.html#activation)

userAgent
	duh

vendor
	mirrors the value in the UA string

vendorSub
	fixed to empty string

webkitPersistentStorage
webkitTemporaryStorage
	deprecated aliases to what became localStorage and sessionStorage
@pes10k
Contributor

@pes10k pes10k commented Aug 8, 2019

@tomlowenthal audit is above; there are several "yikes we should not ship that!" items I found. Leave this issue open to address? Create new issues for each one and close this one? Wait for next privacyconfab to discuss?

@tomlowenthal
Member Author

@tomlowenthal tomlowenthal commented Aug 8, 2019

@pes IMO open separate issues for each item which needs individual treatment above and mention this issue so they're listed here. If those issues cover everything in this audit, then I'll convert this into an epic to cover all that work.

@pes10k
Contributor

@pes10k pes10k commented Aug 9, 2019

@tomlowenthal done and done (most already had issues). I think this is good to go
