Open Unknown78 opened 2 years ago
This is "by design" - the Ruffle extension "polyfills" the original Flash plugin, which requires it to be able to fool Flash detection scripts. Many Flash websites use Flash detection JavaScript code that checks the navigator.plugins
property to see if the plugin is actually available. If Ruffle didn't add this entry to navigator.plugins
, many Flash websites would display a "get Flash Player" message instead the Flash content, even with Ruffle enabled.
JavaScript fingerprinting techniques are not applicable to the Ruffle desktop app because Ruffle (and Flash) does not run JavaScript. Flash does have its own similar APIs such as System.capabilities that Ruffle hasn't really implemented yet. I assume fingerprinting concerns will be considered when implementing them in Ruffle.
@n0samu
But why the whole list of plugins got leaked? Wouldn't just one plugin of ruffle shall suffice in that list?
Could we spoof the filename of ruffle.js to default old adobe file name for example?
application/x-shockwave-flash2-preview
and application/vnd.adobe.flash.movie
) so that might be something for us to think about removing. I'm not sure if they were registered by previous Flash plugin versions though.constant filename 👍
Device or Browser Fingerprints has became major privacy issues to end users.
Assume that
Play Flash content in Ruffle
option is enabled.If we open: https://browserleaks.com/flash We could see the version of
Shockwave Flash 32.0 r0
' and file name ofruffle.js
Is there any way for Ruffle to spoof it?
If we open: https://coveryourtracks.eff.org or https://amiunique.org/fp The whole list of plugins got leaked,
Plugin 0: Chrome PDF Plugin; Portable Document Format; internal-pdf-viewer; (Portable Document Format; application/x-google-chrome-pdf; pdf). Plugin 1: Chrome PDF Viewer; ; mhjfbmdgcfjbbpaeojofohoefgiehjai; (; application/pdf; pdf). Plugin 2: Native Client; ; internal-nacl-plugin; (Native Client Executable; application/x-nacl; ) (Portable Native Client Executable; application/x-pnacl; ). Plugin 3: Shockwave Flash; Shockwave Flash 32.0 r0; ruffle.js; (Shockwave Flash; application/futuresplash; spl) (Shockwave Flash; application/x-shockwave-flash; swf) (Shockwave Flash; application/x-shockwave-flash2-preview; swf) (Shockwave Flash; application/vnd.adobe.flash.movie; swf). Plugin 4: Shockwave Flash; Shockwave Flash 32.0 r0; ruffle.js; (Shockwave Flash; application/futuresplash; spl) (Shockwave Flash; application/x-shockwave-flash; swf) (Shockwave Flash; application/x-shockwave-flash2-preview; swf) (Shockwave Flash; application/vnd.adobe.flash.movie; swf).
Why does the whole list of plugins get leaked on those sites when we enable the play flash content option?
I've only tested the web build as Chrome extension. I don't understand how desktop build might be affected by fingerprint or not by the flash apps that may connect to the internet.