The extension forcefully override navigator.hardwareConcurrency #2375

Open
kaplun opened this issue Dec 8, 2023 · 2 comments

kaplun commented Dec 8, 2023

Description

When using DuckDuckGo Privacy Extension, the extension forcefully overrides the navigator.hardwareConcurrency information provided by the browser. This in turn causes many websites, services and extensions that probe this number to actually under-perform, as they are going to assume there are only 2 CPU Logical Cores available instead of the actual number.

Steps to Reproduce

  1. Have DuckDuckGo Privacy Extension enabled
  2. Download e.g. some large files previously uploaded on https://drive.proton.me (Proton Drive employs parallelization in order to optimize download speed and decryption of e2ee files. With the extension enabled, network utilization is suboptimal because only one block at a time is downloaded, instead of multiple parallel blocks.)

Expected behavior:
Given how critical this number is for performance, I'd expect as a user to have control over whether this value is overridden by the extension or rather the real number of logical cores is exposed.

Actual behavior:

Versions

  • Extension: 2023.11.17
  • Browser: Firefox (but actually any browser)
  • OS: Windows (but actually any OS)

Additional Information

The actual line enforcing this is here: https://github.com/search?q=repo%3Aduckduckgo%2Fduckduckgo-privacy-extension%20hardwareConcurrency&type=code

@sammacbeth
Collaborator

Thanks for filing this. This is one of our fingerprinting protections - we fix this, and several other hardware values, to the same value for all users to make it so this cannot be used for fingerprinting by trackers. Your example on proton.me seems to be a rare example of a site using navigator.hardwareConcurrency for its actual purpose, rather than fingerprinting, and our chosen value for it may be a bit low for most extension users.

I've opened duckduckgo/privacy-configuration#1679 to mitigate the issue on proton.me, and opened a task internally to discuss how to deal with valid usages of this API. If you know of other sites with issues, please let us know so we can mitigate any issues there too.
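
The trade-off described in the comment above, as an added JavaScript example that is not code from the DuckDuckGo extension: it pins `hardwareConcurrency` to one value for every visitor, exempts listed sites, and shows the effect on a site that sizes its download pool from that number. The visitor objects, the `EXEMPT_SITES` list and the `parallelDownloads` heuristic are constructed assumptions; the value 2 and the `drive.proton.me` host come from this issue.

```javascript
// Constructed sample: three visitors whose browsers differ only in core count.
const visitors = [
  { userAgent: 'UA-A', hardwareConcurrency: 4 },
  { userAgent: 'UA-A', hardwareConcurrency: 8 },
  { userAgent: 'UA-A', hardwareConcurrency: 16 },
];

const FIXED_CORES = 2; // value the issue reports the extension exposing
const EXEMPT_SITES = new Set(['drive.proton.me']); // hypothetical exception list

// Return a navigator-like view for `site`: the real object on exempt sites,
// otherwise a derived object whose hardwareConcurrency getter is pinned.
function protectedNavigator(realNavigator, site) {
  if (EXEMPT_SITES.has(site)) return realNavigator;
  const view = Object.create(realNavigator); // other properties are inherited
  Object.defineProperty(view, 'hardwareConcurrency', {
    get: () => FIXED_CORES,
    enumerable: true,
  });
  return view;
}

// The signal a tracker could combine into a fingerprint (kept minimal here).
function fingerprint(nav) {
  return `${nav.userAgent}|${nav.hardwareConcurrency}`;
}

// Number of distinguishable visitors on `site`, with or without protection.
function distinctFingerprints(site, protect) {
  const seen = visitors.map((v) =>
    fingerprint(protect ? protectedNavigator(v, site) : v));
  return new Set(seen).size;
}

// Hypothetical legitimate use: keep one core free, cap the pool size.
function parallelDownloads(nav, maxParallel = 6) {
  return Math.max(1, Math.min(maxParallel, nav.hardwareConcurrency - 1));
}

console.log('distinct, unprotected:', distinctFingerprints('tracker.example', false));
console.log('distinct, protected:  ', distinctFingerprints('tracker.example', true));
console.log('pool on ordinary site:',
  parallelDownloads(protectedNavigator(visitors[1], 'site.example')));
console.log('pool on exempt site:  ',
  parallelDownloads(protectedNavigator(visitors[1], 'drive.proton.me')));
```
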

knumat commented May 16, 2024

I just ran into this issue with the Zoom Video SDK for Web (link). This JS library allows websites to embed video chat into a webpage. However, it has limited functionality on machines with limited computing power. Specifically, many features including video resolution (720p/1080p) and virtual background (image/blur) are restricted based on navigator.hardwareConcurrency. There are many references to navigator.hardwareConcurrency in this file for various features.

While I know that I can exclude my site in the DuckDuckGo Privacy Essentials options, this SDK could be used on many different sites, and it is not intuitive or user-friendly to have to exclude every site. Also, this means that the rest of the DDG PE features are turned off for these sites.

I would suggest raising the number of reported cores from 2 to 8, similar to what Safari/WebKit does (link).
