Disable tracking through push notifications

[nchv]

Based on comment from article about Firefox price tracking feature:

user_pref("dom.push.connection.enabled", false);
user_pref("dom.push.enabled", false);
user_pref("dom.webnotifications.enabled", false);
user_pref("dom.webnotifications.serviceworker.enabled", false);

[intika]

user_pref("dom.push.connection.enabled", false);
user_pref("dom.push.enabled", false);

This is not needed as it rely on the 2 second one

user_pref("dom.webnotifications.enabled", false);
user_pref("dom.webnotifications.serviceworker.enabled", false);

An this is not needed either as it rely on permissions.default.desktop-notification which is set to always ask by default.

So unless the used allow the site to gain access it not useful to break notification feature

[intika]

permissions.default.desktop-notification could be set to 2 to automatically deny access without enforcing all those settings

[Thorin-Oakenpants]

Permissions API can leak default states adding to FP'ing. It is better to leave camera, mic, location, notifications all at default ask (and for any regular site that really causes prompt fatigue for an end-user, they can use a site permission override)

[intika]

Yes indeed default state is leaked, but we want to to be less unique possible for fingerprinting following the new resistFingerprinting... i guess blocking completely notification is a state in it self so its the same at the end of the day.

[intika]

https://www.bennish.net/web-notifications.html

[nchv]

Permissions API can leak default states adding to FP'ing

Is that possible with javascript.enabled=false?

https://www.bennish.net/web-notifications.html

It's quite ironic that you shared a link to a page with tracking script on it :)

[intika]

apparently it is not without js

[Thorin-Oakenpants]

I'm not 100% sure, but push notifications require workers (or service workers). I wouldn't mind clarifying that point for my sanity. Yup, it requires JS.

from here

as of FF64 the permissions API itself only supports geolocation, notifications/push and persistent-storage.

1-liner for the Permissions API to query all permissions currently listed at https://developer.mozilla.org/en-US/docs/Web/API/Permissions/query:

for (const a of [ 'accelerometer', 'accessibility-events', 'ambient-light-sensor', 'background-sync', 'camera', 'clipboard-read', 'clipboard-write', 'geolocation', 'gyroscope', 'magnetometer', 'microphone', 'midi', 'notifications', 'payment-handler', 'persistent-storage', 'push' ]) navigator.permissions.query({name:a}).then(e => console.log("permission for", a, ":", e.state)).catch(console.log);

Don't run it on a privileged page ;)

camera and mic permissions are probably queryable but would need certain prefs enabled like media.navigator.enabled

and here's a pretty picture

If you deviate from default "ask", then a script could detect that, as it wouldn't be "prompt" - it would be "block" or "allow". That said, I doubt anyone uses this for FP'ing, as it could vary from site to site per user.

[nchv]

Interesting.
Testing with TBB I get the same output.
Testing with ungoogled-chromium (where I have disabled all except sound in chrome://settings/content) I get:

TypeError: Failed to execute 'query' on 'Permissions': GenericSensor flag is not enabled.
    at <anonymous>:1:306
TypeError: Failed to execute 'query' on 'Permissions': Accessibility Object Model is not enabled.
    at <anonymous>:1:306
3TypeError: Failed to execute 'query' on 'Permissions': GenericSensor flag is not enabled.
    at <anonymous>:1:306
TypeError: Failed to execute 'query' on 'Permissions': The provided value 'persistent-storage' is not a valid enum value of type PermissionName.
    at <anonymous>:1:306
DOMException: Failed to execute 'query' on 'Permissions': Push Permission without userVisibleOnly:true isn't supported yet.
    at <anonymous>:1:306
Promise {<resolved>: undefined}
VM76:1 permission for background-sync : denied
VM76:1 permission for camera : granted
VM76:1 permission for clipboard-read : denied
VM76:1 permission for clipboard-write : granted
VM76:1 permission for geolocation : denied
VM76:1 permission for microphone : granted
VM76:1 permission for midi : granted
VM76:1 permission for notifications : denied
VM76:1 permission for payment-handler : denied

I wonder where the "granted" comes from and whether it is some kind of bug in chrome itself (assuming that the testing method is right).