Closed lachlansleight closed 3 years ago
This might be intentional - I think we're disabling certain APIs by default cc: @pes10k
This is a side effect of us disabling WebUSB, since it (with the gamepad API) allows sites to fingerprint you based on your attached hardware.
@bsclifton we could consider moving these features behind shield instead of outright disabling though. That would be useful for folks ok with dropping shields to accomplish some non-common task on a page (gamepad use, for example) though would make things more difficult implementation wise. What do ya think?
@pes10k that would be nice - but like you're saying, it would make implementation more difficult
How is WebUSB being disabled now? I didn't see it in app/brave_main_delegate.cc
Actually, surprise(!), it looks like it's no longer disabled in Brave. This was a surprise to me. I'm no longer sure why we're behaving differently than Chromium here. Maybe it'd be best to ask other brave core folks and circle back then?
@lachlansleight per the last comment it looks like navigator.usb is not disabled. Can you retest with our latest as well, Brave 1.16.68?
Yeah it totally works now, interesting! I wonder what changed...
Terrific! Thanks for letting us know @lachlansleight !
So users can be tracked based on USB devices now?
@kungfooman, no, that is not correct. Web sites cannot access or learn about your USB devices unless you grant the site permission. That permission has the same lifetime as other forms of first party storage sites already have access to (localStorage, first party cookies, etc), and access to USB devices is cleared at the same time you clear other types of storage.
One thing we might consider doing is removing or randomizing the serial number from USB devices you've given a page access to. That'd invite some webcompat risk, but is probably doable. It's just not a very high priority (given the other privacy risks we're trying to address) at the moment since sites can't use that serial number to identify you until after you've given the site permission to access your USB device (and the number of sites that try to access a USB device is extremely small, and the number of sites users will grant USB access on is smaller still).
That said, it'd be a good thing to do when time permits, and I'll create an issue to track it.
Description
The Gamepad API is for detecting connected video game controllers like joysticks, Xbox/PlayStation controllers, etc. The way it's meant to work in Chrome is you call navigator.getGamepads(), and an array of connected gamepads is returned. Note that the intended behaviour is that no gamepads are returned until they've received at least one input event since the page was loaded.
Steps to Reproduce
Create the following javascript code, set to run once the page has finished loading:
Expected result:
Console output should look like this
Console output should look something like this (confirmed working in Chrome 85.0.4183.102):
Until a button is pushed or axis is changed on a connected joystick, at which point the following output is generated:
Actual result:
Console output just continues to stay as "No gamepads connected", indicating that navigator.getGamepads is not finding the connected gamepad.
Reproduces how often:
Easily reproduced
Brave version (brave://version info)
Version/Channel Information:
Other Additional Information:
Miscellaneous Information:
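A diagnostic sketch for the behaviour discussed in this issue, added here as an example and not the reporter's or Brave's code: it separates "the browser removed or blocked the Gamepad API" from "the API is present but no controller has sent input yet", and lists what a page can read once a pad is visible. The function name `gamepadState` and the status strings are assumptions made for the example.

```javascript
// Added example: classify what a page can currently see through the Gamepad API.
// `nav` is any navigator-like object, so the function also runs outside a browser.
function gamepadState(nav) {
  // A browser that disables the API simply does not expose the method.
  if (!nav || typeof nav.getGamepads !== "function") {
    return { status: "api-unavailable", pads: [] };
  }
  let slots;
  try {
    slots = nav.getGamepads();
  } catch (err) {
    // The spec throws SecurityError when the "gamepad" Permissions Policy
    // disallows use, for example inside a restricted iframe.
    return { status: "blocked", pads: [], error: String(err && err.name) };
  }
  // Chrome returns fixed slots that are null until a pad has sent input,
  // so drop null and disconnected entries before counting.
  const pads = Array.from(slots || [])
    .filter((p) => p && p.connected)
    .map((p) => ({
      index: p.index,
      id: p.id, // vendor/product string: the hardware detail a site can read
      buttons: p.buttons.length,
      axes: p.axes.length,
    }));
  // "none-visible" covers both no controller attached and no input received yet;
  // a page cannot tell these apart.
  return { status: pads.length ? "connected" : "none-visible", pads };
}

// Browser wiring: log once on load and again when a pad first sends input.
if (typeof window !== "undefined") {
  console.log(gamepadState(navigator));
  window.addEventListener("gamepadconnected", () => {
    console.log(gamepadState(navigator));
  });
}
```

A result of "api-unavailable" matches what this issue originally reported, while "none-visible" is the expected state on a fresh page load until a button is pressed or an axis moves.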