ungoogled-software / ungoogled-chromium-portablelinux

Portable Linux packaging for ungoogled-chromium

Sites stopped working. #145

Closed h4ckee closed 1 year ago

h4ckee commented 1 year ago

Hi Guys. A few releases ago, I ran into a problem on a couple of sites that were working earlier. I have tested them with other browsers (thorium and firefox) and there they work as expected.

  1. When I try to log in to https://aliexpress.ru, a window pops up saying: "Sorry, we have detected unusual traffic from your network. Please slide to verify." It doesn't matter how many times you slide the button, it reappears again and again.
  2. When I try to log in to https://lk.mts.ru, the site says:

403 Error Forbidden Access to login.mts.ru is forbidden. Try accessing the site login.mts.ru later or contact administration of the site.

Version 116.0.5845.96 (Official Build, ungoogled-chromium) AXE (64-bit)

Best regards.

PF4Public commented 1 year ago

116.0.5845.96 (Official Build, ungoogled-chromium) AXE (64-bit)

You should file this issue where you've downloaded this binary. It doesn't look like any of ours.

PF4Public commented 1 year ago

Since @clickot archived https://github.com/clickot/ungoogled-chromium-build, I'll write here.

I could reproduce this issue exactly with https://github.com/clickot/ungoogled-chromium-binaries/releases/download/116.0.5845.96-1/ungoogled-chromium_116.0.5845.96-1.1_linux.tar.xz

The problem is curious in that I could not reproduce it on my ungoogled-chromium binary.

The problem lies in the web protection those websites are apparently employing. They calculate some values and POST them (very much like Cloudflare does it). My binary receives a redirect, while the portable binary gets a 403.

The only difference between the binaries I could think of was me using bromite/cromite patches, but I have another binary which is a clean ungoogled-chromium (also built by myself). I couldn't reproduce this issue there either.

Not sure if we could debug this issue further, just an FYI for @h4ckee and @clickot

EDIT: I could reproduce this issue on my other binaries: https://github.com/PF4Public/ungoogled-chromium-bin/releases. Which makes it even more curious.

h4ckee commented 1 year ago

Yes, you're right. When I inspected request and response headers from those sites on ungoogled-chromium and thorium browsers, I noticed that the sites behaved differently each time I tried to log in, though the request headers were almost the same.

PF4Public commented 1 year ago

I suspect this might be related to fingerprinting patches. Fingerprinting is probably what they do. It seems to coincide with https://github.com/ungoogled-software/ungoogled-chromium/issues/2389. I just double-checked and indeed those binaries which are unaffected have fingerprinting patches replaced by bromite/cromite ones (I initially mistakenly stated that they are clean built).

This seems to be plausible since https://abrahamjuliot.github.io/creepjs/tests/domrect.html detects the same "lies" for any ungoogled-chromium (but not for cromite), which might trigger those web protections as "automated browsing", which in turn results in a 403 error.

h4ckee commented 1 year ago

But when I disable/enable `--fingerprinting-canvas-image-data-noise --fingerprinting-canvas-measuretext-noise --fingerprinting-client-rects-noise` nothing actually changes for me.

PF4Public commented 1 year ago

Could be something else entirely 🤷🏻

clickot commented 1 year ago

At least my suspicion that this has nothing to do with my build seems to be confirmed :-)