
[hackerone] Extend font randomization fingerprinting protections to also cover src:local

Currently Brave allows sites to access a random subset of user fonts, so that fingerprinters get a different fingerprint for each site, for each browser session.

However, researchers recently notified us that src:local can be used to have Chrome bypass these protections and query all installed fonts again. We should also apply our randomized font fingerprinting protections against alternative ways of accessing user fonts, like src:local.

These researchers will be credited on HackerOne.

https://hackerone.com/reports/1598008

credit: xlin
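As an added illustration of the point the issue makes (this is not Brave's code): the randomized-subset gate has to sit in front of every path that can reveal a font, including @font-face src:local() resolution, or the fonts hidden from enumeration leak through the unguarded path. The installed-font list, the FNV-1a selection rule and all function names are constructed for this example.

```javascript
// Hypothetical model of per-site, per-session font visibility (constructed example,
// not Brave's implementation). A hash of session seed, site and font name decides
// whether a given font is visible to that site during this session.
const INSTALLED_FONTS = [ // constructed sample of a user's installed fonts
  "Arial", "Helvetica", "Times New Roman", "Courier New",
  "Georgia", "Verdana", "Comic Sans MS", "Impact",
];

// 32-bit FNV-1a; stands in for whatever per-session randomness the browser uses.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h >>> 0;
}

// Roughly half of the installed fonts are visible to a site in a given session,
// and the selection differs per site and per session seed.
function isFontVisible(font, site, sessionSeed) {
  return (fnv1a(`${sessionSeed}|${site}|${font}`) & 1) === 0;
}

// Enumeration path (e.g. text measured with a named font-family): gated.
function enumerateFonts(site, sessionSeed) {
  return INSTALLED_FONTS.filter((f) => isFontVisible(f, site, sessionSeed));
}

// "Before": @font-face { src: local(name) } resolution consulted the full installed
// set, so a font hidden from enumeration could still be confirmed this way.
function resolveLocalFontUnprotected(name, site, sessionSeed) {
  return INSTALLED_FONTS.includes(name);
}

// "After": every path that can reveal a font goes through the same gate.
function resolveLocalFontProtected(name, site, sessionSeed) {
  return INSTALLED_FONTS.includes(name) && isFontVisible(name, site, sessionSeed);
}

// Fonts a site can learn about via local() that enumeration hides from it, i.e. the
// leak the issue describes. Empty once both paths share the gate.
function localLeak(site, sessionSeed, resolver) {
  const visible = new Set(enumerateFonts(site, sessionSeed));
  return INSTALLED_FONTS.filter((f) => resolver(f, site, sessionSeed) && !visible.has(f));
}
```

Running `localLeak` with the unprotected resolver returns exactly the fonts the site was not supposed to see; with the protected resolver it returns nothing.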

Issue Analytics

  • State:closed
  • Created a year ago
  • Comments:7 (3 by maintainers)

Top GitHub Comments

kjozwiak commented, Sep 22, 2022 (1 reaction)

Removed OS/Android after speaking with @pilgrim-brave & @pes10k. The above hasn’t been implemented in Android yet so there’s nothing that QA can do in terms of verification on Android.

LaurenWags commented, Sep 13, 2022 (1 reaction)

@pes10k to confirm - checking src:local case on that page for all platforms and then Pseudo Fonts on macOS only is sufficient?

btw - confirmed this with @pes10k 👍🏻

Top Results From Across the Web

  • Brave Browser release info | Page 23 | MalwareTips Forums: Temporarily disabled Language/Font fingerprinting due to fonts being ... local IPFS node will bypass browser proxy as reported on HackerOne by neeythann.
  • Release Channel 1.44.101 - Release Notes - Brave Community: (#24449); [Security] Extended font randomization fingerprinting protections to cover src:local as reported on HackerOne by xlin.
  • 大†Shinegumi†大's Content - WinCert.net Forums: [Security] Extended font randomization fingerprinting protections to cover src:local as reported on HackerOne by xlin. [Security] Sanitized chrome:// page ...
  • Brave Browser 1.46.134 Download for Mac / Change Log ...: [Security] Extended font randomization fingerprinting protections to cover src:local as reported on HackerOne by xlin
  • Brave browser - wersje stabilne | Page 10 | Programy Za Darmo: (#24513); Fixed fonts on certain websites not being displayed correctly when shields are enabled due to font fingerprinting on macOS. (#24468).
