fingerprinting screen coordinates

Description

Most browsers leak information about the user’s display outside the content viewport, including screen width and height, the position of a browser window in the screen, and the difference between viewport and window dimensions. This information constitutes a fingerprinting vector that is exposed to content JS and CSS. APIs that leak this information include:

window.screen object leaks information about the screen size:

  • window.screen.width
  • window.screen.height
  • window.screen.availWidth
  • window.screen.availHeight
  • window.screen.availLeft
  • window.screen.availTop
  • window.screen.isExtended (leaks whether the user has multiple monitors)

Media queries also leak screen dimensions:

  • device-width
  • device-height

window properties leak absolute coordinates of the position and outer boundary of the browser window:

  • window.screenX
  • window.screenY
  • window.outerWidth
  • window.outerHeight

Pointing event screen coordinates (MouseEvent, TouchEvent, DragEvent, PointerEvent) can also be used to compute the window’s position on the screen:

  • event.screenX
  • event.screenY

We want to hide this information from visited websites. The plan is to farble all of these APIs, meaning we spoof the values and also add a domain/session-keyed pseudorandom component to each of them.

We plan to enable the protection under standard (default) and aggressive fingerprinting modes, so that the user can disable them by lowering shields or setting “allow fingerprinting”. In addition, we bind the protections to a flag so that they can be remotely disabled using griffin.

Steps to Reproduce

Visit https://arthuredelstein.github.io/tracking_demos/screen.html to see how screen size is revealed.

Actual result:

Example: image

Also: image

Desired result:

Content should not be given true information about screen dimensions or window position.

Reproduces how often:

Always

Brave version:

All versions
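
The farbling plan described in the issue, as an added example that is not taken from Brave's code base: each spoofed value is derived from the viewport size plus a pseudorandom offset keyed by session and domain. The HMAC-SHA256 construction, the `MAX_JITTER` bound, the viewport-based spoofing strategy, the sample values and all function names are assumptions.

```javascript
// Added illustration of domain/session-keyed farbling; not Brave's code.
const { createHmac } = require("crypto");

// Constructed sample of true values behind the APIs listed in the issue.
const TRUE_DISPLAY = {
  screen: { width: 2560, height: 1440, availWidth: 2560, availHeight: 1400,
            availLeft: 0, availTop: 40 },
  window: { screenX: 312, screenY: 118, outerWidth: 1296, outerHeight: 900,
            innerWidth: 1280, innerHeight: 780 },
};

const MAX_JITTER = 8; // assumed bound on the pseudorandom component, in CSS px

// Deterministic integer in [0, MAX_JITTER], keyed by session, domain and label.
function jitter(sessionKey, domain, label) {
  const mac = createHmac("sha256", sessionKey)
    .update(`${domain}\u0000${label}`)
    .digest();
  return mac.readUInt32BE(0) % (MAX_JITTER + 1);
}

// Spoof every value from the viewport size, which content can already measure,
// so nothing outside the viewport is revealed (assumed spoofing strategy).
function farbleDisplay(real, sessionKey, domain, protectionOn) {
  if (!protectionOn) return real; // shields down: true values pass through
  const j = (label) => jitter(sessionKey, domain, label);
  const { innerWidth, innerHeight } = real.window;
  const win = {
    screenX: j("screenX"),
    screenY: j("screenY"),
    outerWidth: innerWidth + j("outerWidth"),
    outerHeight: innerHeight + j("outerHeight"),
    innerWidth,
    innerHeight,
  };
  const width = win.screenX + win.outerWidth + j("width");
  const height = win.screenY + win.outerHeight + j("height");
  return {
    screen: { width, height, availWidth: width, availHeight: height,
              availLeft: 0, availTop: 0 },
    window: win,
  };
}

// Pointer events must share the spoofed origin; otherwise
// event.screenX - event.clientX would give back the true window position.
function farbleEventScreen(clientX, clientY, spoofedWindow) {
  return {
    screenX: spoofedWindow.screenX + clientX,
    screenY: spoofedWindow.screenY + clientY,
  };
}
```

The same domain sees stable values for the whole session, while a different domain or a new session key yields a different set, so the values cannot be used to link visits across sites.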

Issue Analytics

  • State: closed
  • Created a year ago
  • Reactions: 4
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

1 reaction
MadhaviSeelam commented, Oct 17, 2022

Verification PASSED using

Brave | 1.45.84 Chromium: 106.0.5249.91 (Official Build) beta (64-bit)
-- | --
Revision | fa96d5f07b1177d1bf5009f647a5b8c629762157-refs/branch-heads/5249@{#707}
OS | Windows 11 Version 21H2 (Build 22000.978)

Case 1: 1st launch, no Griffin - PASSED

Steps:

  1. installed 1.45.85
  2. launched Brave
  3. opened brave://version
  4. confirmed no Griffin studies listed
  5. loaded https://dev-pages.brave.software/fingerprinting/farbling.html
  6. clicked on Generate fingerprints
  7. confirmed the This Page, Local Frame, and Remote Frame values were the same for each of the following:
  • Screen resolution
  • Screen resolution media query
  • Available screen resolution
  8. loaded https://arthuredelstein.github.io/tracking_demos/screen.html
  9. moved the mouse around and examined the tracked events

Confirmed there was no farbling of the screen/window coordinates shown in the screenshot

Case 2: 2nd launch, Griffin-enabled study (50%) with Shields enabled- PASSED

(Continued from 1st launch, no Griffin test, above)

  10. restarted Brave
  11. opened brave://version
  12. confirmed in the 50%-chance case you get BraveScreenFingerprintingBlockerStudy:Enabled
  13. loaded https://dev-pages.brave.software/fingerprinting/farbling.html
  14. clicked on Generate fingerprints
  16. loaded https://arthuredelstein.github.io/tracking_demos/screen.html
  17. moved the mouse around and examined the tracked coordinates

Confirmed the values for This Page were different from Local Frame and Remote Frame (which were both the same); the only four (4) trackable events were the mouseEvent.client(X/Y) coordinates

Case 3: 2nd launch, Griffin-enabled study (50%) with Shields disabled- PASSED

  1. continued from Case 2
  2. disable Shields in the Shields panel
  3. reload the https://dev-pages.brave.software/fingerprinting/farbling.html
  4. clicked on Generate fingerprints
  5. loaded https://arthuredelstein.github.io/tracking_demos/screen.html
  6. moved the mouse around and examined the tracked coordinates

Confirmed all values were the same; no farbling was applied

Case 4: 3rd launch, default/no study (50%) - PASSED

(Continued from 1st launch, no Griffin test, above)

  10. restarted Brave
  12. opened brave://version
  13. confirmed in the other 50%-chance case I got BraveScreenFingerprintingBlockerStudy:Default
  14. loaded https://dev-pages.brave.software/fingerprinting/farbling.html
  15. clicked on Generate fingerprints
  16. loaded https://arthuredelstein.github.io/tracking_demos/screen.html
  17. moved the mouse around and examined the tracked coordinates

Confirmed all values were the same; no farbling was applied

Verification passed on

Brave | 1.45.90 Chromium: 106.0.5249.103 (Official Build) beta (64-bit)
-- | --
Revision | 182570408a1f25ab2731ef5f283b918df9b9f956-refs/branch-heads/5249_91@{#6}
OS | Ubuntu 18.04 LTS

Case 1: 1st launch, no Griffin - PASSED

Steps:

  1. installed 1.45.x
  2. launched Brave
  3. opened brave://version
  4. confirmed no Griffin studies listed
  5. loaded https://dev-pages.brave.software/fingerprinting/farbling.html
  6. clicked on Generate fingerprints
  7. confirmed the This Page, Local Frame, and Remote Frame values were the same for each of the following:
  • Screen resolution
  • Screen resolution media query
  • Available screen resolution
  8. loaded https://arthuredelstein.github.io/tracking_demos/screen.html
  9. moved the mouse around and examined the tracked events

Confirmed there was no farbling of the screen/window coordinates shown in the screenshot

Case 2: 2nd launch, Griffin-enabled study (50%) with Shields enabled- PASSED

(Continued from 1st launch, no Griffin test, above)

  10. restarted Brave
  11. opened brave://version
  12. confirmed in the 50%-chance case you get BraveScreenFingerprintingBlockerStudy:Enabled
  13. loaded https://dev-pages.brave.software/fingerprinting/farbling.html
  14. clicked on Generate fingerprints
  16. loaded https://arthuredelstein.github.io/tracking_demos/screen.html
  17. moved the mouse around and examined the tracked coordinates

Confirmed the values for This Page were different from Local Frame and Remote Frame (which were both the same); the only four (4) trackable events were the mouseEvent.client(X/Y) coordinates

Case 3: 2nd launch, Griffin-enabled study (50%) with Shields disabled- PASSED

  1. continued from Case 2
  2. disable Shields in the Shields panel
  3. reload the https://dev-pages.brave.software/fingerprinting/farbling.html
  4. clicked on Generate fingerprints
  5. loaded https://arthuredelstein.github.io/tracking_demos/screen.html
  6. moved the mouse around and examined the tracked coordinates

Confirmed all values were the same; no farbling was applied

Case 4: 3rd launch, default/no study (50%) - PASSED

(Continued from 1st launch, no Griffin test, above)

  10. restarted Brave
  12. opened brave://version
  13. confirmed in the other 50%-chance case I got BraveScreenFingerprintingBlockerStudy:Default
  14. loaded https://dev-pages.brave.software/fingerprinting/farbling.html
  15. clicked on Generate fingerprints
  16. loaded https://arthuredelstein.github.io/tracking_demos/screen.html
  17. moved the mouse around and examined the tracked coordinates

Confirmed all values were the same; no farbling was applied

0 reactions
kjozwiak commented, Oct 24, 2022

Because BraveScreenFingerprintingBlockerStudy hasn’t been rolled out via the release channel, verification on Android was done by enabling brave://flags#brave-block-screen-fingerprinting to ensure the feature was working as expected.

Verification PASSED on Samsung S10+ running Android 12 using the following build(s):

Brave | 1.45.111 Chromium: 107.0.5304.62 (Official Build) (32-bit)
--- | ---
Revision | 1eec40d3a5764881c92085aaee66d25075c159aa-refs/branch-heads/5304@{#942}
OS | Android 12; Build/SP1A.210812.016

Case 1: BraveBlockScreenFingerprinting disabled - PASSED

  1. installed 1.45.111 Chromium: 107.0.5304.62
  2. launched Brave
  3. opened brave://version
  4. confirmed no Griffin studies listed
  5. loaded https://dev-pages.brave.software/fingerprinting/farbling.html
  6. clicked on Generate fingerprints
  7. confirmed the This Page, Local Frame, and Remote Frame values were the same for each of the following:
  • Screen resolution
  • Screen resolution media query
  • Available screen resolution
  8. loaded https://arthuredelstein.github.io/tracking_demos/screen.html

Initial values before restarting the browser

Confirmed there was no farbling of the screen/window coordinates shown after the browser was restarted

Case 2: BraveBlockScreenFingerprinting enabled - Shields Enabled - PASSED

  1. installed 1.45.111 Chromium: 107.0.5304.62
  2. launched Brave
  3. opened brave://version
  4. confirmed no Griffin studies listed
  5. enable brave://flags#brave-block-screen-fingerprinting via brave://flags
  6. loaded https://dev-pages.brave.software/fingerprinting/farbling.html
  7. clicked on Generate fingerprints
  8. note the This Page, Local Frame, and Remote Frame values for the following:
  • Screen resolution
  • Screen resolution media query
  • Available screen resolution
  9. load https://arthuredelstein.github.io/tracking_demos/screen.html and note the values being used
  10. restart the browser and load https://dev-pages.brave.software/fingerprinting/farbling.html & https://arthuredelstein.github.io/tracking_demos/screen.html
  11. note that the values should be different from the first time as Block Screen Fingerprinting has been enabled

Initial values before restarting the browser

Confirmed that the values are different due to FP farbling

Case 3: BraveBlockScreenFingerprinting enabled - Shields Disabled - PASSED

  1. installed 1.45.111 Chromium: 107.0.5304.62
  2. launched Brave
  3. opened brave://version
  4. confirmed no Griffin studies listed
  5. enable brave://flags#brave-block-screen-fingerprinting via brave://flags
  6. loaded https://dev-pages.brave.software/fingerprinting/farbling.html and disabled shields
  7. clicked on Generate fingerprints
  8. note the This Page, Local Frame, and Remote Frame values for the following:
  • Screen resolution
  • Screen resolution media query
  • Available screen resolution
  9. load https://arthuredelstein.github.io/tracking_demos/screen.html and note the values being used (disabled shields)
  10. restart the browser and load https://dev-pages.brave.software/fingerprinting/farbling.html & https://arthuredelstein.github.io/tracking_demos/screen.html
  11. note that the values should be the same due to Brave Shields being disabled on both websites
  12. enable Brave Shields on both https://dev-pages.brave.software/fingerprinting/farbling.html & https://arthuredelstein.github.io/tracking_demos/screen.html
  13. note that the values should now be different as Brave Shields are enabled and FP farbling is occurring

Initial values before restarting the browser (Shields Disabled)

Confirmed there was no farbling of the screen/window coordinates shown after the browser was restarted

Confirmed that the values are different due to FP farbling (Shields Enabled)

Because BraveScreenFingerprintingBlockerStudy hasn’t been rolled out via the release channel, verification on Android was done by enabling brave://flags#brave-block-screen-fingerprinting to ensure the feature was working as expected.

Verification PASSED on Samsung Tab S8 Ultra running Android 12 using the following build(s):

Brave | 1.45.111 Chromium: 107.0.5304.62 (Official Build) (32-bit)
--- | ---
Revision | 1eec40d3a5764881c92085aaee66d25075c159aa-refs/branch-heads/5304@{#942}
OS | Android 12; Build/SP2A.220305.013

Case 1: BraveBlockScreenFingerprinting disabled - PASSED

  1. installed 1.45.111 Chromium: 107.0.5304.62
  2. launched Brave
  3. opened brave://version
  4. confirmed no Griffin studies listed
  5. loaded https://dev-pages.brave.software/fingerprinting/farbling.html
  6. clicked on Generate fingerprints
  7. confirmed the This Page, Local Frame, and Remote Frame values were the same for each of the following:
  • Screen resolution
  • Screen resolution media query
  • Available screen resolution
  8. loaded https://arthuredelstein.github.io/tracking_demos/screen.html

Initial values before restarting the browser

Confirmed there was no farbling of the screen/window coordinates shown after the browser was restarted

Case 2: BraveBlockScreenFingerprinting enabled - Shields Enabled - PASSED

  1. installed 1.45.111 Chromium: 107.0.5304.62
  2. launched Brave
  3. opened brave://version
  4. confirmed no Griffin studies listed
  5. enable brave://flags#brave-block-screen-fingerprinting via brave://flags
  6. loaded https://dev-pages.brave.software/fingerprinting/farbling.html
  7. clicked on Generate fingerprints
  8. note the This Page, Local Frame, and Remote Frame values for the following:
  • Screen resolution
  • Screen resolution media query
  • Available screen resolution
  9. load https://arthuredelstein.github.io/tracking_demos/screen.html and note the values being used
  10. restart the browser and load https://dev-pages.brave.software/fingerprinting/farbling.html & https://arthuredelstein.github.io/tracking_demos/screen.html
  11. note that the values should be different from the first time as Block Screen Fingerprinting has been enabled

Initial values before restarting the browser

Confirmed that the values are different due to FP farbling

Case 3: BraveBlockScreenFingerprinting enabled - Shields Disabled - PASSED

  1. installed 1.45.111 Chromium: 107.0.5304.62
  2. launched Brave
  3. opened brave://version
  4. confirmed no Griffin studies listed
  5. enable brave://flags#brave-block-screen-fingerprinting via brave://flags
  6. loaded https://dev-pages.brave.software/fingerprinting/farbling.html and disabled shields
  7. clicked on Generate fingerprints
  8. note the This Page, Local Frame, and Remote Frame values for the following:
  • Screen resolution
  • Screen resolution media query
  • Available screen resolution
  9. load https://arthuredelstein.github.io/tracking_demos/screen.html and note the values being used (disabled shields)
  10. restart the browser and load https://dev-pages.brave.software/fingerprinting/farbling.html & https://arthuredelstein.github.io/tracking_demos/screen.html
  11. note that the values should be the same due to Brave Shields being disabled on both websites
  12. enable Brave Shields on both https://dev-pages.brave.software/fingerprinting/farbling.html & https://arthuredelstein.github.io/tracking_demos/screen.html
  13. note that the values should now be different as Brave Shields are enabled and FP farbling is occurring

Initial values before restarting the browser (Shields Disabled)

Confirmed there was no farbling of the screen/window coordinates shown after the browser was restarted

Confirmed that the values are different due to FP farbling (Shields Enabled)
