Disable tracking through push notifications #1

Closed
nchv opened this issue Nov 20, 2018 · 9 comments

nchv commented Nov 20, 2018

Based on comment from article about Firefox price tracking feature:

user_pref("dom.push.connection.enabled", false);
user_pref("dom.push.enabled", false);
user_pref("dom.webnotifications.enabled", false);
user_pref("dom.webnotifications.serviceworker.enabled", false);

Owner

intika commented Nov 20, 2018

user_pref("dom.push.connection.enabled", false);
user_pref("dom.push.enabled", false);

This is not needed as it relies on the 2 second ones

user_pref("dom.webnotifications.enabled", false);
user_pref("dom.webnotifications.serviceworker.enabled", false);

And this is not needed either, as it relies on permissions.default.desktop-notification, which is set to always ask by default.

So unless the user allows the site to gain access, it is not useful to break the notification feature

intika closed this as completed Nov 20, 2018

Owner

intika commented Nov 20, 2018

permissions.default.desktop-notification could be set to 2 to automatically deny access without enforcing all those settings

@Thorin-Oakenpants

Permissions API can leak default states adding to FP'ing. It is better to leave camera, mic, location, notifications all at default ask (and for any regular site that really causes prompt fatigue for an end-user, they can use a site permission override)

Owner

intika commented Nov 22, 2018

Yes, indeed the default state is leaked, but we want to be as little unique as possible for fingerprinting, following the new resistFingerprinting... I guess blocking notifications completely is a state in itself, so it's the same at the end of the day.

Owner

intika commented Nov 22, 2018

Author

nchv commented Nov 22, 2018

> Permissions API can leak default states adding to FP'ing

Is that possible with javascript.enabled=false?

> https://www.bennish.net/web-notifications.html

It's quite ironic that you shared a link to a page with a tracking script on it :)

Owner

intika commented Nov 22, 2018

apparently it is not without js


Thorin-Oakenpants commented Nov 22, 2018

I'm not 100% sure, but push notifications require workers (or service workers). I wouldn't mind clarifying that point for my sanity. Yup, it requires JS.

from here

as of FF64 the permissions API itself only supports geolocation, notifications/push and persistent-storage.

1-liner for the Permissions API to query all permissions currently listed at https://developer.mozilla.org/en-US/docs/Web/API/Permissions/query:

for (const a of [ 'accelerometer', 'accessibility-events', 'ambient-light-sensor', 'background-sync', 'camera', 'clipboard-read', 'clipboard-write', 'geolocation', 'gyroscope', 'magnetometer', 'microphone', 'midi', 'notifications', 'payment-handler', 'persistent-storage', 'push' ]) navigator.permissions.query({name:a}).then(e => console.log("permission for", a, ":", e.state)).catch(console.log);

Don't run it on a privileged page ;)

camera and mic permissions are probably queryable but would need certain prefs enabled like media.navigator.enabled

and here's a pretty picture
meh

If you deviate from default "ask", then a script could detect that, as it wouldn't be "prompt" - it would be "block" or "allow". That said, I doubt anyone uses this for FP'ing, as it could vary from site to site per user.

Author

nchv commented Nov 22, 2018

Interesting.
Testing with TBB I get the same output.
Testing with ungoogled-chromium (where I have disabled all except sound in chrome://settings/content) I get:

TypeError: Failed to execute 'query' on 'Permissions': GenericSensor flag is not enabled.
    at <anonymous>:1:306
TypeError: Failed to execute 'query' on 'Permissions': Accessibility Object Model is not enabled.
    at <anonymous>:1:306
3TypeError: Failed to execute 'query' on 'Permissions': GenericSensor flag is not enabled.
    at <anonymous>:1:306
TypeError: Failed to execute 'query' on 'Permissions': The provided value 'persistent-storage' is not a valid enum value of type PermissionName.
    at <anonymous>:1:306
DOMException: Failed to execute 'query' on 'Permissions': Push Permission without userVisibleOnly:true isn't supported yet.
    at <anonymous>:1:306
Promise {<resolved>: undefined}
VM76:1 permission for background-sync : denied
VM76:1 permission for camera : granted
VM76:1 permission for clipboard-read : denied
VM76:1 permission for clipboard-write : granted
VM76:1 permission for geolocation : denied
VM76:1 permission for microphone : granted
VM76:1 permission for midi : granted
VM76:1 permission for notifications : denied
VM76:1 permission for payment-handler : denied

I wonder where the "granted" comes from and whether it is some kind of bug in chrome itself (assuming that the testing method is right).
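
A self-audit version of the query discussed in this thread, as an added example that is not code from any participant or from the project: it records rejected names as unsupported instead of failing, and lists the states that differ from the default "prompt" and are therefore visible to page script. The `makeStub` helper and the `SAMPLE` object are constructed stand-ins for `navigator.permissions`, with states mirroring the ungoogled-chromium output quoted above.

```javascript
// Added example (not from the thread): audit which permission states a page
// script could read as non-default in the current profile.
const NAMES = ['background-sync', 'camera', 'geolocation', 'microphone',
  'notifications', 'persistent-storage', 'push'];

// Query every name. Browsers support different sets of names, and an
// unsupported one rejects, so record it as "unsupported" instead of failing.
async function auditPermissions(permissions, names = NAMES) {
  const entries = await Promise.all(names.map(async (name) => {
    try {
      const status = await permissions.query({ name });
      return [name, status.state];
    } catch (err) {
      return [name, 'unsupported'];
    }
  }));
  return Object.fromEntries(entries);
}

// "prompt" is the default (ask). "granted" or "denied" reveals an override.
function deviations(report) {
  return Object.entries(report)
    .filter(([, state]) => state === 'granted' || state === 'denied')
    .map(([name, state]) => `${name}=${state}`)
    .sort();
}

// Constructed stand-in for navigator.permissions so the block runs in Node.
function makeStub(states) {
  return {
    query({ name }) {
      return name in states
        ? Promise.resolve({ state: states[name] })
        : Promise.reject(new TypeError(`'${name}' is not supported`));
    },
  };
}

// Constructed sample: states mirror the ungoogled-chromium output above.
const SAMPLE = makeStub({
  'background-sync': 'denied', camera: 'granted', geolocation: 'denied',
  microphone: 'granted', notifications: 'denied',
});

// In a browser console, pass navigator.permissions instead of SAMPLE.
auditPermissions(SAMPLE).then((r) => console.log(r, deviations(r)));
```

An empty list from `deviations` means every supported permission is still at the default "prompt".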
