Skip to content

Don't block fingerprinting in extension pages #15931

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 18, 2022
Merged

Don't block fingerprinting in extension pages #15931

merged 1 commit into from
Nov 18, 2022

Conversation

arthuredelstein
Copy link
Collaborator

@arthuredelstein arthuredelstein commented Nov 13, 2022
edited
Loading

Resolves brave/brave-browser#26715

Submitter Checklist:

  • I confirm that no security/privacy review is needed, or that I have requested one
  • There is a ticket for my issue
  • Used Github auto-closing keywords in the PR description above
  • Wrote a good PR/commit description
  • Squashed any review feedback or "fixup" commits before merge, so that history is a record of what happened in the repo, not your PR
  • Added appropriate labels (QA/Yes or QA/No; release-notes/include or release-notes/exclude; OS/...) to the associated issue
  • Checked the PR locally: npm run test -- brave_browser_tests, npm run test -- brave_unit_tests, npm run lint, npm run gn_check, npm run tslint
  • Ran git rebase master (if needed)

Reviewer Checklist:

  • A security review is not needed, or a link to one is included in the PR description
  • New files have MPL-2.0 license header
  • Adequate test coverage exists to prevent regressions
  • Major classes, functions and non-trivial code blocks are well-commented
  • Changes in component dependencies are properly reflected in gn
  • Code follows the style guide
  • Test plan is specified in PR before merging

After-merge Checklist:

Test Plan:

@arthuredelstein arthuredelstein marked this pull request as draft November 13, 2022 19:27
@arthuredelstein arthuredelstein marked this pull request as ready for review November 14, 2022 16:36
@arthuredelstein arthuredelstein enabled auto-merge (squash) November 18, 2022 18:09
@arthuredelstein arthuredelstein merged commit f091847 into master Nov 18, 2022
@arthuredelstein arthuredelstein deleted the issues/26715 branch November 18, 2022 19:30
@github-actions github-actions bot added this to the 1.47.x - Nightly milestone Nov 18, 2022
brave-builds pushed a commit that referenced this pull request Nov 18, 2022
@brave-browser-releases
Uplift of #15931 (squashed) to beta
221c62e
brave-builds pushed a commit that referenced this pull request Nov 18, 2022
@brave-browser-releases
Uplift of #15931 (squashed) to release
a3bfced
This was referenced Nov 18, 2022
Merged
Merged
@LaurenWags
Copy link
Member

LaurenWags commented Nov 21, 2022
edited
Loading

Verified with

Brave | 1.47.90 Chromium: 108.0.5359.48 (Official Build) nightly (x86_64)
-- | --
Revision | 18ceeca0d99318e70c00d2e04d88aa55488b5c63-refs/branch-heads/5359@{#854}
OS | macOS Version 12.6.1 (Build 21G217)
Reproduced the issue in 1.45.127

Reproduced the issue described in brave/brave-browser#26715 (comment) using 1.45.127

  1. Ensured BraveScreenFingerprintingBlockerStudy:Enabled on brave://version (Release channel has this at 50%, so may need a few attempts to get this enabled)
  2. Confirmed no login window shows on 1.45.x when clicking on the "Line" extension icon with the BraveScreenFingerprintingBlockerStudy is enabled.
  3. Confirmed shortened display of Bitwarden popup when BraveScreenFingerprintingBlockerStudy is enabled.
brave://version Line Extension Bitwarden Extension
1 45 x 1 1 45 x 2 1 45 x 3
Part A of test plan - PASSED

Verified the test plan from brave/brave-browser#26715 (comment) - Part A:

Using 1.47.90, verified both extensions listed in brave/brave-browser#26715 (comment) worked as described when BraveScreenFingerprintingBlockerStudy is enabled.

brave://version Line Extension Bitwarden Extension
1 47 x 1 1 47 x 2 1 47 x 3
Part B of test plan - PASSED

Verified the test plan from brave/brave-browser#26715 (comment) - Part B:

Using 1.47.90, run through the cases from brave/brave-browser#23170 (comment):

Case 1: 1st launch, no Griffin - PASSED

Steps:

  1. installed 1.47.90
  2. launched Brave
  3. opened brave://version
  4. confirmed no Griffin studies listed
  5. loaded https://dev-pages.brave.software/fingerprinting/farbling.html
  6. clicked on Generate fingerprints
  7. confirmed the This Page, Local Frame, and Remote Frame values were the same for each of the following:
  • Screen resolution
  • Screen resolution media query
  • Available screen resolution
  1. loaded https://arthuredelstein.github.io/tracking_demos/screen.html
  2. moved the mouse around and examined the tracked events

Confirmed there was no farbling of the screen/window coordinates shown in the screenshot

step 3 step 7 step 9
3 7 9

Case 2: 2nd launch, Griffin-enabled study with Shields enabled- PASSED

(Continued from 1st launch, no Griffin test, above)
10. restarted Brave
11. opened brave://version
12. confirmed in the case you get BraveScreenFingerprintingBlockerStudy:Enabled (note, study is enabled at 100% on Nightly/Beta but only 50% on Release, so when testing on 1.45.x please be aware you may need a few attempts to get this study enabled)
13. loaded https://dev-pages.brave.software/fingerprinting/farbling.html
14. clicked on Generate fingerprints
16. loaded https://arthuredelstein.github.io/tracking_demos/screen.html
17. moved the mouse around and examined the tracked coordinates

Confirmed the values for This Page were different from Local Frame and Remote Frame (which were both the same); the only four (4) trackable events were the mouseEvent.client(X/Y) coordinates

step 11 step 13 step 16
11 14 17

Case 3: 2nd launch, Griffin-enabled study with Shields disabled- PASSED

  1. continued from Case 2
  2. disable Shields in the Shields panel
  3. reload the https://dev-pages.brave.software/fingerprinting/farbling.html
  4. clicked on Generate fingerprints
  5. loaded https://arthuredelstein.github.io/tracking_demos/screen.html
  6. disable Shields in the Shields panel
  7. moved the mouse around and examined the tracked coordinates

Confirmed all values were the same; no farbling was applied

brave://version shields down farbling.html screen.html
1 2 3 4

Case 4: relaunch, default/no study - PASSED

(Continued from 1st launch, no Griffin test, above)
10. restarted Brave
11. opened brave://version
12. confirmed in the case where BraveScreenFingerprintingBlockerStudy:Default (note, study is enabled at 100% on Nightly/Beta but only 50% on Release - this means I had to disable brave://flags#brave-block-screen-fingerprinting to test this on Nightly however when testing on Release 1.45.x please be aware you may need a few attempts to get this study as "Default".)
13. loaded https://dev-pages.brave.software/fingerprinting/farbling.html
14. clicked on Generate fingerprints
15. loaded https://arthuredelstein.github.io/tracking_demos/screen.html
16. moved the mouse around and examined the tracked coordinates

Confirmed there was no farbling of the screen/window coordinates shown in the screenshot

step 11 step 14 step 16
1 2 3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bridiver bridiver bridiver approved these changes

Assignees

@arthuredelstein arthuredelstein

Labels
None yet
Projects
None yet
Milestone
1.47.x - Release
Development

Successfully merging this pull request may close these issues.

Screen fingerprinting protection is applied to extensions pages
3 participants
@arthuredelstein @LaurenWags @bridiver