iridium-browser / tracker

Iridium Browser tracker and wiki.
https://iridiumbrowser.de

Native client and a few problems #339

Closed Marek33 closed 7 months ago

Marek33 commented 3 years ago

Why is the Native Client re-enabled, in the latest release?

Also, why are headers.sec-ch-ua.name and headers.sec-ch-ua-mobile.name enabled? It can be disabled with a simple command line switch (--disable-features=UserAgentClientHint), but it seems like some spyware feature from the original Google Chrome.

jengelh commented 3 years ago

> Why is the Native Client re-enabled, in the latest release?

What makes you believe NaCl is enabled?

> some spyware

No, just overeager web developers. I added a commit to disable it.

Marek33 commented 3 years ago

> > Why is the Native Client re-enabled, in the latest release?
>
> What makes you believe NaCl is enabled?

Because it says on multiple websites, like amiunique, coveryourtracks.eff.org or privacy.net/analyzer.

> > some spyware
>
> No, just overeager web developers. I added a commit to disable it.

It isn't considered spyware by most, but since it can be used for way better tracking, it should be, and I hope it will be removed soon.

Also, it seems that there is no FLoC protection, since https://amifloced.org/ says that I can be FLoCed. My mistake, I forgot that I had one extension which changes the User-Agent, and that was the reason why Iridium said that.

BTW: Please check the older issue, which mentions some flags which either are in Ungoogled and hopefully can be ported with Eloston's permission, or can be made, since the other method no longer works with version 91: https://github.com/iridium-browser/tracker/issues/312

Marek33 commented 2 years ago

Thanks for removing the Native Client! Though, headers.sec-ch-ua.name and headers.sec-ch-ua-mobile.name are not cleared, so I hope they will be in the next version.

tyjman commented 8 months ago

This is still an issue. It enables a malicious server to set an Accept-CH: Sec-CH-UA-Platform-Version response header, which Iridium by default will adhere to and send back its platform version to the server. On Linux this is the kernel version; on macOS it's the specific macOS release version number. This information can be used either to run exploits targeting those specific versions, or for fingerprinting/surveillance.

I think it should be off by default, not even default Firefox replies to this header.
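A local self-check for the behaviour described in this comment, added here as an example (not code from the Iridium project or the commenter): a tiny server that opts in via Accept-CH and then reports which client-hint headers the browser actually sent back on its next request. The hint names are those from the UA Client Hints specification; `classify_hints`, `HintProbe` and port 8000 are this example's own choices.

```python
# Run this, open http://127.0.0.1:8000/ in the browser under test, then reload:
# the first response carries Accept-CH, the second request shows what the
# browser honoured. Standard library only (localhost is a secure context,
# which is required for Accept-CH to take effect).
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hints a Chromium-based browser sends unsolicited (low entropy) versus those
# that should only appear after a server opted in via Accept-CH (high entropy).
LOW_ENTROPY = {"sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform"}
HIGH_ENTROPY = {
    "sec-ch-ua-platform-version",   # kernel version on Linux, OS release on macOS
    "sec-ch-ua-full-version",
    "sec-ch-ua-full-version-list",
    "sec-ch-ua-arch",
    "sec-ch-ua-bitness",
    "sec-ch-ua-model",
}

def classify_hints(headers):
    """Split a request's headers into (low, high) dicts of client hints.

    `headers` is any mapping of header name -> value; names are matched
    case-insensitively. A non-empty `high` means the browser honoured the
    Accept-CH opt-in and disclosed high-entropy platform details."""
    low, high = {}, {}
    for name, value in headers.items():
        key = name.lower()
        if key in LOW_ENTROPY:
            low[key] = value
        elif key in HIGH_ENTROPY:
            high[key] = value
    return low, high

class HintProbe(BaseHTTPRequestHandler):
    # Request the high-entropy hints; a browser with client hints disabled
    # (e.g. --disable-features=UserAgentClientHint) should send none of them.
    ACCEPT_CH = "Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Arch"

    def do_GET(self):
        low, high = classify_hints(self.headers)
        body = "low-entropy hints: %r\nhigh-entropy hints: %r\n" % (low, high)
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Accept-CH", self.ACCEPT_CH)
        self.end_headers()
        self.wfile.write(body.encode())
        print(body, end="")   # also log each request to the terminal

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), HintProbe).serve_forever()
```

If the second request still shows an empty `high-entropy hints` dict, the browser is ignoring the server's Accept-CH opt-in.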

Marek33 commented 7 months ago

> This is still an issue. It enables a malicious server to set an Accept-CH: Sec-CH-UA-Platform-Version response header which Iridium by default will adhere to and send back its platform version to the server. On Linux this is the kernel version, on macOS it's the specific release of macOS version number. This information can be used either to run exploits targeting those specific versions, or used for fingerprinting/surveillance.
>
> I think it should be off by default, not even default Firefox replies to this header.

This isn't the first time I reported it: https://github.com/iridium-browser/tracker/issues/304, but since it doesn't support Windows 7 anymore, I don't care.

However, I would highly recommend that, if you use Win10/Win11, you use Ungoogled, which is an excellent browser, or Supermium for older Windows versions, in which you can fully disable referrers.

tyjman commented 7 months ago

@Marek33 I don't use Win1X because it's spyware and I don't use Iridium either since their security updates are way too late (as of writing their released version is 119 and chrome patched several high risk CVEs in 120). I was curious if they blocked these and that's how I found this issue. Just wanted to chime in to remind everyone it's still an issue.

Marek33 commented 7 months ago

@tyjman Good thinking! Every Windows after 7 is spyware.

Yes, and that's why the Ungoogled and Supermium are better options.

jengelh commented 7 months ago

Windows with 116:

[screenshot: win116]

Linux with 120:

[screenshot: linux120]

There has been a long-standing commit that disabled NaCl (its id shifts over time, but e.g. 73cab21a46a74ef8a90e05a8bb2e2d7b408a74cf).