Firefox resource:// is fingerprintable

Discussion in 'privacy technology' started by maiko, Aug 10, 2016.

  1. maiko

    maiko Registered Member

    Aug 8, 2016
    Some of you may know it's possible to fingerprint Firefox via resource:// and resource://gre, which you can test here

    Well, since not long ago there exists a new add-on called No Resource URI Leak, aimed at blocking that.

    However, I have been fiddling with NoScript, and found out that it seems to be able to block the resource:// read out too, so here I am sharing that with you privacy buffs. :)

    Under about:config there are 3 preferences in particular related to NoScript that we can use to prevent the resource:// fingerprinting and do some fine-grained adjustments; those are:


    You would have to remove resource: from noscript.mandatory, then add resource:// and resource://gre to noscript.untrusted; add these 2 anywhere in the string with a space in between each one.

    When you now visit a web page that does sniff out your browser, you will see notifications under NoScript's "Untrusted" section in the drop-down menu.

    capability.policy.maonoscript.sites is needed when you have to fine-tune with some add-ons that make calls to resource://. I have a few add-ons which I have no problems with, except one add-on, which is Free Memory 2:

    When you click on its icon, bring up the menu, and hover with the mouse over the memory cleaning options, you will see in the lower left corner that it calls on resource://freememory2/data. Consequently, to make this add-on work you have to add resource://freememory2/data to the string under the capability.policy.maonoscript.sites preference.

    While fiddling with these 3 preferences, I came to ponder over some more preference values found under noscript.mandatory and capability.policy.maonoscript.sites, such as:
    chrome: blob: mediasource: moz-extension: about:*
    and a few others, some of which don't exist under these preferences, such as:
    file: irc: ircs: mediastream: /favicon.ico webcal: and many more; some of these I found in the mimeTypes.rdf file under the profile folder.
    Who knows, maybe it may be possible to read out some very delicate stuff such as CPU and/or GPU serial number, or some fine-grained HW details of one's PC; if possible, then TBB will also be in deep ****.