New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[very-wip][do not merge] Remove all site data after page exit #2182
base: master
Are you sure you want to change the base?
Conversation
a really strange thing happens: creepjs keeps the same fingerprinting hash between different sessions: tryed with official bromite arm64 version: happen tryed with official bromite x64 version: happen BUT tryed with the (my) x64 debug version: does not happen so i checked with browserstack and the same fingerprint is kept between equal devices, whatever version you use but the question is why in my debug version doesn't this happen? all suggestions are welcome, I almost ask the author of the library directly. |
@csagan5 can you try with your debug debug version in incognito mode? EDIT: I think I have found the culprit, now I have to figure out how to fix ... |
the problem was the random number generator, but I couldn't reproduce it anymore. that is, in my case, moreover, in that way I found the timezone bug and verified that, in my opinion, it is necessary to add some mitigation on the svg as well. on this last thing I already have a patch ready, later I make a pull request so we can talk about it. |
This would be a major security problem. What device did you use? Configuration? The most recent changes on that area of the kernel are these: https://www.theregister.com/2022/03/21/new_linux_kernel_has_improved/ But if you can reproduce that, it's a big issue (regardless if it is a bug in kernel or Android).
I do not follow, what do SVGs and timezones have in common? |
I started from this: and I noticed that, for intl and svg the values were always the same.
I'm currently testing it on a MI5 pro with lineageos A10:
I think the kernel/drivers is this, I think it is normal that they are not updated, and probably, like my device, there will be many others out of date.
I had seen that problem, basically now, although it is not able to give you a logical and rational reason for the problem, we could probably consider adding 1545096 but without actual testing I wouldn't know how effective it is. |
No, the random numbers source should not be changed without evidence of a problem. And if it is a problem as you describe it should have an upstream security issue.
This is not related, bounce tracking would work even when removing all site data after page exit. |
well, however, that's what major browsers basically currently do, and it's probably the only thing that can be done without breaking user navigation. |
accidentally I found that the same functionality exists in the desktop version, one more reason to try to bring it to android as well. |
I had been saying it for a long time, in the end I did.
as you may have guessed, all these patches are part of a series of checks that I am doing on the way that are used by the fingerpriting libraries
the idea is to delete all the data after exiting a page (
Page
in the sense of blink, i.e. same domain topframe) by (better) simulating the action of the famous cookie-auto-delete extension.testing it, neither creepjs nor fingerprintjs (which seem the best libraries to me) are able to link my activity during the same browsing session, a good result I think.
to do this I had to modify the
ConditionalCacheDeletionHelper
to allow selective deletion of all data for correctNetworkIsolation
, which is currently not managed in chromium.However, I would like to activate it only for always incognito and under a site setting: we would also have to separate the
LastTabStandingTracker
activation logic fromAdd lifetime options for permissions
patch.what do you think?