brave / browser-laptop

[DEPRECATED] Please see https://github.com/brave/brave-browser for the current version of Brave
https://www.brave.com

Block getClientRects fingerprinting method #11294

Open nyancat18 opened 6 years ago

nyancat18 commented 6 years ago

https://browserleaks.com/rects#further-reading

luixxiul commented 6 years ago

CC @diracdeltas

diracdeltas commented 6 years ago

@psnyde2 / @snyderp do you happen to have stats on this?

nyancat18 commented 6 years ago

Sorry for being offensive

but please remember the fact that the iframe is sandboxed

If you don't consider this you get this (ScriptSafe and Chromium): ss.js:672 Blocked script execution in 'https://browserleaks.com/rects/iframe' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.

psnyde2 commented 6 years ago

@diracdeltas Yep, sure do.

For Element.prototype.getClientRects (in the "CSS Object Model (CSSOM)" standard) we saw 1064 sites (10.9%) in the Alexa 10k using the method, which goes down to 49 (.5%) when Ghostery is in place.

For Range.prototype.getClientRects (in the "Traversal and Range" part of the DOM 2 standard) we saw 16 sites using it by default, dropping to 3 sites using it with Ghostery installed.