Closed TadaCZE closed 1 year ago
You are right that the object ChromeXt
is present in every page, any websites can detect it.
It is entry point how JavaScript codes communicate with native Java codes.
If this object is removed, then the Eruda
functionality is nolonger avaiable .
Moreover, any UserScripts require the object ChromeXt
to work.
Currently, there isn't a perfect solution to remove it while keep using other functionalities.
Any ideas on how to reduce this fingerprint are welcome.
It is possible to randomize the object name ChromeXt
.
However, one can then still detect ChromeXt
by checking the hooks made to the trustedTypes
API.
The main diffculty is to hook trustedTypes
API without being detected.
Here is a simple detector:
let hasChromeXt = false;
const policy = trustedTypes.createPolicy("detector", {});
try {
policy.createHTML("<html/>");
} catch (e) {
hasChromeXt = !e.message.includes(
"TrustedTypePolicyOptions did not specify a 'createHTML' member"
);
}
console.log("Found ChromeXt?", hasChromeXt);
When i visit the jingmatrix.github.io website, the website can detect the presence of ChromeXt. Does that mean any website can detect its presence? (I understand detecting eruda as it is injecting code into the website, but the website can detect it passively)
If so that can be a privacy concern. Could you optionally add a way to disable this functionality.