Is ChromeXt making me more fingerprintable?

JingMatrix / ChromeXt

UserScript and DevTools supports for Chromium based and WebView based browsers

https://jingmatrix.github.io/ChromeXt/

GNU General Public License v3.0

653 stars 36 forks source link

Is ChromeXt making me more fingerprintable? #98

Closed TadaCZE closed 1 year ago

TadaCZE commented 1 year ago

When i visit the jingmatrix.github.io website, the website can detect the presence of ChromeXt. Does that mean any website can detect its presence? (I understand detecting eruda as it is injecting code into the website, but the website can detect it passively)

If so that can be a privacy concern. Could you optionally add a way to disable this functionality.

JingMatrix commented 1 year ago

You are right that the object ChromeXt is present in every page, any websites can detect it. It is entry point how JavaScript codes communicate with native Java codes. If this object is removed, then the Eruda functionality is nolonger avaiable .

Moreover, any UserScripts require the object ChromeXt to work. Currently, there isn't a perfect solution to remove it while keep using other functionalities. Any ideas on how to reduce this fingerprint are welcome.

JingMatrix commented 1 year ago

It is possible to randomize the object name ChromeXt. However, one can then still detect ChromeXt by checking the hooks made to the trustedTypes API. The main diffculty is to hook trustedTypes API without being detected.

Here is a simple detector:

let hasChromeXt = false;
const policy = trustedTypes.createPolicy("detector", {});
try {
  policy.createHTML("<html/>"); 
} catch (e) {
  hasChromeXt = !e.message.includes( 
    "TrustedTypePolicyOptions did not specify a 'createHTML' member"
  );
}
console.log("Found ChromeXt?", hasChromeXt);