Hide web accessible resources from websites #258
Conversation
With Chromium-based browsers, web pages can access directly Decentraleyes' web accessible resources, and thus detect whether Decentraleyes is used by a visitor. This potentially adds one bit of information to fingerprinting. See: "Discovering Browser Extensions via Web Accessible Resources" www.cse.chalmers.se/~andrei/codaspy17.pdf Proof-of-concept: https://jsfiddle.net/fuqrudcs/ The change here is to use a secret when accessing a web accessible resource. If the secret is not present when the resource is fetched by the browser, the behavior will be the same as if the resource is not web accessible. When Decentraleyes redirects a request to one of its web accessible resources, the secret is appended at the end of the local URL as a query parameter. The secret is generated at runtime when Decentraleyes is launched.
|
Note: I noticed that you do not filter by request type for the onBeforeRequest listener responsible for redirection. Is there a reason for not listening only to requests of type With the change here, the solution would be worse than the problem it's trying to solve because the secret token would leak to the outside world if a request of type |
Synzvato
changed the title
|
@gorhill |
|
Pardon tad off topic: could uMatrix and/or Decentraleyes have up to date list available of resources that are local by Decentraleyes - meaning the list - if possible - be within reach in uMatrix? In a tab? Maybe just a thick in the tab and Decentras list would appear right so in uMx's rules table? In return also Decentra could - if possible - have a tab(?) - shining light towards uMatrix and how these two exts (not forgetting uBo) are perfect match! <3 Could that type of ~ or similar ~ serve the privacy community in best interest? Might as well add also this: I'm interested if a bunch of ext devs could get together and would engage to use those libraries through Decentra rather than packing them local or cloud. This is a much of granular before if could get going. It's also possible to reach Chromium/etc devs with requests in mind. |
|
Hi @gorhill, and many thanks for contributing your solution.
I have been planning to take this approach ever since I read this related comment of yours. So, it was actually quite nice to see this land as a CSP Vulnerability PoC: https://decentraleyes.org/proof-of-concepts/f1f0c9c0791b3d3b/
Those who enable "Block requests for missing resources", commonly expect requests for unsupported resources (such as fonts and style sheets) to be blocked as well. So, this choice was made to prevent any confusion in that respect. That said, handling all request types (including So, ignoring requests of type Test Breakage PoC: https://decentraleyes.org/proof-of-concepts/514ef21c8eac1ece/
Unless there are any solid reasons to stick to
@EC-O-DE This is off-topic indeed. Feel free to add any additional details to issue #235, instead. |
With Chromium-based browsers, web pages can access directly
Decentraleyes' web accessible resources, and thus detect
whether Decentraleyes is used by a visitor.
This potentially adds one bit of information to fingerprinting.
See: "Discovering Browser Extensions via Web Accessible Resources"
www.cse.chalmers.se/~andrei/codaspy17.pdf
Proof-of-concept: https://jsfiddle.net/fuqrudcs/
The change here is to use a secret when accessing a web accessible
resource. If the secret is not present when the resource is fetched
by the browser, the behavior will be the same as if the resource
is not web accessible.
When Decentraleyes redirects a request to one of its web
accessible resources, the secret is appended at the end of the
local URL as a query parameter.
The secret is generated at runtime when Decentraleyes is launched.