brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

Client Hints API is not disabled #34644

Open alexsteinh opened 1 year ago

alexsteinh commented 1 year ago

Description

The Client Hints API, both JS and headers, is active and leaks fingerprintable information. I would expect, especially when opting in for aggressive fingerprint resistance, that for example my exact OS version would not be reported.

Steps to Reproduce

  1. Visit https://browserleaks.com/client-hints
  2. See leaked information

Actual result:

image

Expected result:

Disabled API or no results (like in Firefox)

image

Reproduces how often:

Default browser behaviour

Brave version (brave://version info)

1.60.125 Chromium: 119.0.6045.199 (Official Build) (arm64) 9c1f9e267d7ef50aefbe434e616e05290536926b macOS Version 14.1.1 (Build 23B81)

Version/Channel Information:

Other Additional Information:

ShivanKaul commented 1 year ago

We do allow some Client Hints if they're exposed elsewhere for webcompat reasons: https://github.com/brave/brave-core/pull/14155. If you disable brave://flags/#allow-certain-client-hints the HTTP headers should go away. I believe we've kept the few JS API ones also for webcompat reasons. FF reveals the same information in other ways, FWIW.

alexsteinh commented 11 months ago

First of all, thank you for answering!

I see the argument that https://github.com/brave/brave-core/pull/14155 makes, but that would only be true if the UA actually revealed detailed information.

Brave currently defaults to the following on macOS machines:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

This UA doesn't reveal that I'm on an ARM64 machine, nor does it report my exact OS version, which the client hints API does. I understand that it's difficult to change Chromium's behaviour, but imo the client hints API is leaking data that would not be visible or retrievable without it, and I find this concerning. Of course, if the Client Hints API were to reuse the UA, this would not be a problem at all.

Also, how does FF leak such information? I'm not familiar with browser tech in depth, but is there another way besides through headers or JS?

ShivanKaul commented 11 months ago

I see the argument that https://github.com/brave/brave-core/pull/14155 makes, but that would only be true if the UA actually revealed detailed information.

That is correct, but as mentioned, this extra detail is exposed to unbreak websites for Brave users. Duo, for example, but there were others.

Also, how does FF leak such information? I'm not familiar with browser tech in depth, but is there another way besides through headers or JS?

Via WebGL, for one. Here's an example on FF (gives different result on Chromium):

// Query the WebGL renderer string; a null context means WebGL is unavailable.
const canvas = document.createElement('canvas');
const gl = canvas.getContext('webgl');
console.log(gl ? gl.getParameter(gl.RENDERER) : 'WebGL unavailable');

There's also WEBGL_debug_renderer_info though I believe that's now deprecated.

Anyway, 100% agreed that we should not be revealing this information but unfortunately we also want users to be able to use Brave for widely-used websites, so we have to make hard trade-offs such as the one you're pointing out.

dropwhile commented 11 months ago

@ShivanKaul Would returning only the major OS version, or some generic OS version similar to what the HTTP user agent uses (e.g. for macOS 10.15.7) be feasible? I imagine that would reduce fingerprinting quite a bit.

EDIT: Reading the Duo issue referenced, seems like it would not solve that case, but it is concerning that a few sites are forcing a privacy downgrade (fingerprinting, leaking OS version, etc.) for all users.

EDIT2: Maybe providing a way (via ://flags) to disable the JavaScript hints API would be possible? Safari and Firefox both report having it disabled.
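As an added example (not code from this issue or from the Brave project), the comparison alexsteinh describes above, written as a small audit: what the frozen User-Agent string states versus what the high-entropy client hints add, returning null where the JS API is absent as dropwhile notes for Firefox and Safari. The function and constant names and the sample hint values are assumptions; navigator.userAgentData.getHighEntropyValues() is the real Chromium API.

```javascript
// Added example (not code from the Brave issue or the Brave project): compares the
// high-entropy UA-CH values a site can request via
// navigator.userAgentData.getHighEntropyValues() with the coarse facts the
// frozen User-Agent string already states, and reports what only UA-CH reveals.

const HIGH_ENTROPY_HINTS = ['architecture', 'bitness', 'model', 'platformVersion', 'uaFullVersion'];

// Constructed sample: the macOS UA string quoted in the thread, and hints matching
// the reporter's arm64 / macOS 14.1.1 machine (values assumed for illustration).
const SAMPLE_UA = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36';
const SAMPLE_HINTS = { architecture: 'arm', bitness: '64', model: '', platformVersion: '14.1.1' };

// Extract what the (reduced) UA string states. The "Intel" token is taken to mean
// x86; the frozen macOS UA keeps "10_15_7" and "Intel" regardless of the real host.
function factsFromUserAgent(ua) {
  const mac = ua.match(/(Intel|PPC) Mac OS X (\d+)_(\d+)_(\d+)/);
  const win = ua.match(/Windows NT (\d+\.\d+)/);
  const chrome = ua.match(/Chrome\/(\d+(?:\.\d+){3})/);
  return {
    platformVersion: mac ? `${mac[2]}.${mac[3]}.${mac[4]}` : win ? win[1] : null,
    architecture: mac ? (mac[1] === 'Intel' ? 'x86' : null) : null,
    uaFullVersion: chrome ? chrome[1] : null,
    bitness: null,   // the UA string never states these two
    model: null,
  };
}

// Return the hints whose value is absent from, or differs from, the UA string.
function clientHintLeaks(ua, hints) {
  const known = factsFromUserAgent(ua);
  const leaks = {};
  for (const key of HIGH_ENTROPY_HINTS) {
    const value = hints[key];
    if (value === undefined || value === '') continue;   // not provided / empty
    if (known[key] === null || String(known[key]) !== String(value)) {
      leaks[key] = { hint: String(value), userAgent: known[key] };
    }
  }
  return leaks;
}

// Browser entry point. Returns null where the JS API is absent (Firefox, Safari),
// which is the "expected result" the issue asks for.
async function auditInBrowser() {
  if (typeof navigator === 'undefined' || !navigator.userAgentData) return null;
  const hints = await navigator.userAgentData.getHighEntropyValues(HIGH_ENTROPY_HINTS);
  return clientHintLeaks(navigator.userAgent, hints);
}

console.log(clientHintLeaks(SAMPLE_UA, SAMPLE_HINTS));
```

In a Chromium-based browser, run auditInBrowser() from the devtools console to see the same report for the live navigator values.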