gcarq / inox-patchset

Inox patchset tries to provide a minimal Chromium based browser with focus on privacy by disabling data transmission to Google.
BSD 2-Clause "Simplified" License

Chromium 56 issues #50

Closed nyancat18 closed 7 years ago

nyancat18 commented 7 years ago

New year, new chromium, new issues.

I'll give you a full report about new warnings (Chromium).

Webcam full access (better than WebRTC): https://developers.google.com/web/updates/2016/12/imagecapture. When it was added: https://blog.chromium.org/2016/12/introducing-webvr-api-in-chrome-for.html

Recommended: test if it leaks the IP; if it leaks, disable it (just like WebRTC); if it doesn't leak, put the warning in the README (just like torify inox): put tape over the webcam (laptop) or disconnect it (PC).

IoT control [direct access to IoT devices]: https://w3c.github.io/remote-playback/. Recommended: disable it (just like WebRTC).

WebVR (WebGL2)

It also provides access to the user’s position and orientation, so that web apps can render a stereoscopic 3D scene to the headset's display

https://blog.chromium.org/2016/12/introducing-webvr-api-in-chrome-for.html

Recommended way:

Easy way: disable WebVR (forever / until the hard way is created), as US-CERT recommended with WebGL (less powerful):

www.us-cert.gov/current/index.html#web_users_warned_to_turn

Hard way: use it via CTP (you MUST click to enable it), like Tor Browser.

CTP = click to play. Thanks and best regards for this new year.

DragoonAethis commented 7 years ago

"offer normal webvr features (whitenoised)"

Yeah, because reporting invalid HMD position/rotation in VR is such a great idea. You can't "subtly break" this one without inherently breaking just about anything actually using WebVR.

nyancat18 commented 7 years ago

@DragoonAethis

Or use it via CTP (click to play):
Inox generates an alert ("this site requires WebVR... please enable it").

I've modified it (a Tor Browser idea about canvas fingerprinting).
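The click-to-play idea above, as an added example that is not code from inox, Tor Browser or anyone in this thread: a wrapper that replaces navigator.getVRDisplays and, until the user has approved the origin, answers like a machine with no headset (an empty list, no error) instead of silently returning fake data. `askUser` stands in for whatever prompt a real implementation would show, and the wiring that runs this in the page's JavaScript context before page scripts is assumed rather than shown.

```javascript
// Added example, not inox code. `win` is a window-like object; `askUser(origin)`
// is a hypothetical prompt that resolves to true (allow) or false (deny).
function installVrGate(win, askUser) {
  const nav = win.navigator;
  if (!nav || typeof nav.getVRDisplays !== 'function') {
    // WebVR is not exposed at all; nothing to gate.
    return { installed: false, calls: 0, approved: false };
  }
  const original = nav.getVRDisplays.bind(nav);
  const state = { installed: true, calls: 0, approved: false };

  // Non-writable and non-configurable so a page script cannot swap the
  // original back in after the gate is installed.
  Object.defineProperty(nav, 'getVRDisplays', {
    configurable: false,
    writable: false,
    enumerable: true,
    value: async function getVRDisplays() {
      state.calls += 1;
      if (!state.approved) {
        const origin = win.location ? win.location.origin : 'unknown origin';
        state.approved = Boolean(await askUser(origin));
      }
      // Denied: look like a machine with no headset. Approved: pass through.
      return state.approved ? original() : [];
    },
  });
  return state;
}
```

In a real browser you would call `installVrGate(window, origin => Promise.resolve(confirm(origin + ' wants WebVR. Allow?')))` from a script that runs before the page's own scripts; the gate remembers the decision for the lifetime of the page, so the user is asked once per load.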

gcarq commented 7 years ago

Does anyone have a code snippet or resource to test against the Remote Playback or WebVR API? I think this needs more time to evaluate.

RemotePlayback should be asking for permissions if a device is accessed:

7.3 Device access: [...] The Remote Playback API requires user permission for a page to access any display to mitigate issues that could arise, such as showing unwanted content on a display viewable by others. [...]

however:

7.1 Personally identifiable information: Firing the callback provided via the watchAvailability() method reveals one bit of information about the presence (or non-presence) of a remote playback device typically discovered through the local area network. This could be used in conjunction with other information for fingerprinting the user. However, this information is also dependent on the user's local network context, so the risk is minimized.

Maybe this should be blocked at the extension level via an adblocker.

For the ImageCapture and WebVR APIs we have to check how inox is affected by Origin Trials.
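A test snippet of the kind asked for above, added here as an example rather than taken from the project or the thread: it reports which of the three APIs a page can reach, and exercises the one-bit `watchAvailability()` leak quoted from section 7.1 of the Remote Playback spec. In a browser, pass the real `window` and a `<video>` element; the constructed mocks used to check it offline are not part of the example. A null result from the probe means the API is absent or the user agent refused (the spec has `watchAvailability()` reject with NotSupportedError when availability monitoring is disabled), which is the behaviour a privacy build would want to verify.

```javascript
// Added example, not the project's code. `win` is a window-like object,
// `mediaEl` a <video>/<audio>-like element with an optional `.remote`.
function auditSurface(win) {
  const nav = win.navigator || {};
  return {
    imageCapture: typeof win.ImageCapture === 'function',
    webvr: typeof nav.getVRDisplays === 'function',
    remotePlayback: typeof win.RemotePlayback === 'function',
  };
}

// Resolves to true/false (remote device present or not) if the API answers,
// or null if it is absent, rejects, or stays silent for `timeoutMs`.
function probeRemoteAvailability(mediaEl, timeoutMs) {
  const remote = mediaEl && mediaEl.remote;
  if (!remote || typeof remote.watchAvailability !== 'function') {
    return Promise.resolve(null);
  }
  return new Promise((resolve) => {
    const timer = setTimeout(() => resolve(null), timeoutMs);
    // A fingerprinting script only needs the first callback; a real page
    // would keep the watch and later call cancelWatchAvailability(id).
    const onAvailability = (available) => {
      clearTimeout(timer);
      resolve(Boolean(available));
    };
    let pending;
    try {
      pending = Promise.resolve(remote.watchAvailability(onAvailability));
    } catch (e) {
      pending = Promise.reject(e);
    }
    pending.catch(() => {
      clearTimeout(timer);
      resolve(null);
    });
  });
}
```

Run `auditSurface(window)` and `probeRemoteAvailability(document.createElement('video'), 3000)` from the console of the build under test: a hardened build should report `remotePlayback: false` or resolve the probe to null without any permission prompt, since the information disclosure happens before `prompt()` and the permission in section 7.3 ever come into play.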

Eloston commented 7 years ago

ScriptSafe added the option to block WebVR in v1.0.9.0