navigator.userAgent not farbled properly in dynamic iframes #26700

Closed
pilgrim-brave opened this issue Nov 11, 2022 · 7 comments · Fixed by brave/brave-core#15917
Labels
feature/shields The overall Shields feature in Brave. OS/Android Fixes related to Android browser functionality OS/Desktop priority/P2 A bad problem. We might uplift this to the next planned release. QA Pass - Android ARM QA Pass - Android Tab QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-All-Platforms QA/Yes release-notes/include

Comments

@pilgrim-brave

See third-party test page here: https://arkenfox.github.io/TZP/tzp.html

With "aggressively block fingerprinting" setting, spaces are pseudo-randomly added to navigator.userAgent. Some dynamically created iframes are producing a hash that matches the unfarbled navigator.userAgent, suggesting that farbling is not happening in those iframes.

@pilgrim-brave pilgrim-brave self-assigned this Nov 11, 2022
@rebron rebron added the priority/P3 The next thing for us to work on. It'll ride the trains. label Nov 11, 2022
@brave-builds brave-builds added this to the 1.48.x - Nightly milestone Dec 1, 2022
@rebron rebron added priority/P2 A bad problem. We might uplift this to the next planned release. and removed priority/P3 The next thing for us to work on. It'll ride the trains. labels Dec 2, 2022
@pilgrim-brave
Author

STR:

Control:

  • visit https://arkenfox.github.io/TZP/tzp.html#useragent
  • verify Shields are up (default) and set to "block fingerprinting" (default)
  • note value next to hash field in table
  • next to "iframes" click "show" to reveal 7 more hash values
  • all 8 hash values should match

Test:

  • change Shields to "aggressively block fingerprinting"
  • note value next to hash field in table
  • next to "iframes" click "show" to reveal 7 more hash values
  • all 8 hash values should match
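
The check that the STR above performs by hand, as an added example (not code from Brave or from the TZP test page): it creates iframes at runtime, reads `navigator.userAgent` through several access paths, and compares each value with the top-level window's. The accessor set and the names `FRAME_ACCESSORS` and `checkUserAgentConsistency` are assumptions, and it compares raw strings rather than hashes.

```javascript
// Added example, not Brave or TZP code. Each accessor is one way a page can
// reach the Window of an iframe it created at runtime (assumed set).
const FRAME_ACCESSORS = {
  contentWindow: (win, el) => el.contentWindow,
  contentDocument: (win, el) => el.contentDocument.defaultView,
  windowFrames: (win, el) => win.frames[win.frames.length - 1],
  nested: (win, el) => {
    // iframe created inside the dynamically created iframe
    const inner = el.contentDocument.createElement('iframe');
    el.contentDocument.body.appendChild(inner);
    return inner.contentWindow;
  },
};

// Reads navigator.userAgent in the top window and in each dynamic iframe.
// Farbling must be applied per frame: any frame whose value differs from the
// top-level value exposes a second (possibly unfarbled) user agent string.
function checkUserAgentConsistency(win) {
  const expected = win.navigator.userAgent;
  const results = Object.entries(FRAME_ACCESSORS).map(([name, access]) => {
    const el = win.document.createElement('iframe');
    win.document.body.appendChild(el);
    let seen;
    try {
      seen = access(win, el).navigator.userAgent;
    } catch (err) {
      seen = `error: ${err.message}`;
    } finally {
      el.remove();
    }
    return { name, seen, matches: seen === expected };
  });
  return { expected, results, consistent: results.every((r) => r.matches) };
}

// In a browser, run the check against the real window and log a table.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const report = checkUserAgentConsistency(window);
  console.table(report.results);
  console.log(report.consistent ? 'PASS' : 'FAIL: frames disagree with top window');
}
```

Pasted into the DevTools console with Shields set to "aggressively block fingerprinting", a build with the fix should log PASS; any row with `matches: false` names the access path that returned a different user agent string.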

@kjozwiak
Member

kjozwiak commented Dec 6, 2022

STR:

Control:

  • visit https://arkenfox.github.io/TZP/tzp.html#useragent
  • verify Shields are up (default) and set to "block fingerprinting" (default)
  • note value next to hash field in table
  • next to "iframes" click "show" to reveal 7 more hash values
  • all 8 hash values should match

Test:

  • change Shields to "aggressively block fingerprinting"
  • note value next to hash field in table
  • next to "iframes" click "show" to reveal 7 more hash values
  • all 8 hash values should match

Thanks @pilgrim-brave 👍 @brave/qa-team example of the verification can also be seen via brave/brave-core#15917 (comment). You'll notice that the hashes under https://arkenfox.github.io/TZP/tzp.html#useragent are not matching with affected builds when FP is set as Strict.

@kjozwiak
Member

kjozwiak commented Dec 6, 2022

The above requires 1.46.138 or higher for 1.46.x verification 👍

@kjozwiak
Member

kjozwiak commented Dec 7, 2022

Verification PASSED on Pixel 6 running Android 13 using the following build(s):

Brave | 1.46.138 Chromium: 108.0.5359.94 (Official Build) (32-bit)
--- | ---
Revision | 713576b895246504ccc6b92c2fb8ce2d60194074-refs/branch-heads/5359_71@{#3}
OS | Android 13; Build/TQ1A.221205.011

Using the STR/Cases outlined via #26700 (comment), went through the following:

FP set as Standard

[Screenshots: Screenshot_20221207-031911, Screenshot_20221207-031918]

FP set as Strict

[Screenshots: Screenshot_20221207-031937, Screenshot_20221207-031948]

Verification PASSED on Samsung Galaxy Tab S8 Ultra running Android 13 using the following build(s):

Brave | 1.46.138 Chromium: 108.0.5359.94 (Official Build) (32-bit)
--- | ---
Revision | 713576b895246504ccc6b92c2fb8ce2d60194074-refs/branch-heads/5359_71@{#3}
OS | Android 13; Build/TP1A.220624.014

Using the STR/Cases outlined via #26700 (comment), went through the following:

FP set as Standard

[Screenshot: Screenshot_20221207_032437_Brave]

FP set as Strict

[Screenshot: Screenshot_20221207_032458_Brave]

@LaurenWags
Member

LaurenWags commented Dec 7, 2022

Verified with

Brave | 1.46.138 Chromium: 108.0.5359.94 (Official Build) (x86_64)
-- | --
Revision | 713576b895246504ccc6b92c2fb8ce2d60194074-refs/branch-heads/5359_71@{#3}
OS | macOS Version 12.6.1 (Build 21G217)

Went through the STR/Cases outlined via #26700 (comment) and ensured that the hashes under https://arkenfox.github.io/TZP/tzp.html#useragent are matching once FP is set as Strict/Aggressive as per the following:

1.46.134 Chromium: 108.0.5359.94 (without fix) | 1.46.138 Chromium: 108.0.5359.94 (with fix)
-- | --
[Screenshot: 1.46.134, default] | [Screenshot: 1.46.138, default]
[Screenshot: 1.46.134, aggressive] | [Screenshot: 1.46.138, aggressive]

Note that once FP is set as Strict/Aggressive, the hashes under https://arkenfox.github.io/TZP/tzp.html#useragent are not matching with 1.46.134 Chromium: 108.0.5359.94 which doesn't have the fix but matches with 1.46.138 Chromium: 108.0.5359.94 which has the fix. As per brave/brave-core#15917 (comment), we don't need to worry about the Spaces.

@btlechowski

Verification passed on

Brave | 1.46.138 Chromium: 108.0.5359.94 (Official Build) (64-bit)
-- | --
Revision | 713576b895246504ccc6b92c2fb8ce2d60194074-refs/branch-heads/5359_71@{#3}
OS | Ubuntu 18.04 LTS

Using the STR/Cases outlined via #26700 (comment), went through the following:

FP set as Standard

[2 screenshots]

FP set as Aggressive

[2 screenshots]

@MadhaviSeelam

MadhaviSeelam commented Dec 7, 2022

Verification PASSED using

Brave | 1.48.32 Chromium: 108.0.5359.94 (Official Build) nightly (64-bit)
-- | --
Revision | 713576b895246504ccc6b92c2fb8ce2d60194074-refs/branch-heads/5359_71@{#3}
OS | Windows 11 Version 21H2 (Build 22000.1219)

Verified using STR from #26700 (comment) and ensured that the hashes under https://arkenfox.github.io/TZP/tzp.html#useragent are matching once FP is set as Strict/Aggressive as per the following:

FP set as Standard

hash | iframes
-- | --
[screenshot] | [screenshot]

FP set as Aggressive

hash | iframes
-- | --
[screenshot] | [screenshot]
