Fingerprinting works by collecting bits of information about the browser and device to identify users. Couldn’t browsers like Firefox see when a website gets such info with JS and either prevent or ask permission from the user for the website to make HTTP requests to upload such information to the website. Idk if they do something like this already.

  • TheTwelveYearOld@lemmy.worldOP
    link
    fedilink
    English
    arrow-up
    2
    ·
    6 months ago

    But couldn’t the JS runtime track which objects and variables interact with such information, so if they make any HTTP requests with the info after getting it and maybe processing it then it could be rejected?

    • Strawberry
      link
      fedilink
      arrow-up
      4
      ·
      6 months ago

      It would at least be a very intensive process to do so, and that doesn’t even solve that there would be other ways to glean the same information without accessing it directly. For example, one could create an element with 100% screen width set by CSS and query the element’s size instead of using the simpler window.innerHeight. How do you detect every possible way a script could determine the viewport dimensions?

    • MartianSands@sh.itjust.works
      link
      fedilink
      arrow-up
      1
      ·
      6 months ago

      While that sort of analysis probably isn’t impossible, it is computationally unrealistic to do in realtime on a language which wasn’t designed for it.

      It’s the sort of thing which is simple in 99% of cases, but the last 1% might well be impossible. Sadly it’s the last 1% you need to worry about, because anyone trying to defeat your system is going to find them

      • jokro@feddit.org
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        6 months ago

        Even if you would be able to track js code like that, the js code can react to it’s own sideeffects. E.g. have 8 Elements and encode the 8-bit Fingerprint as a custom style sheet that adds an animation some of the 8 elements. Then react on the animation events and rebuild the fingerprint. It’s virtually impossible imo. Maybe it can even be formal proven.

    • bamboo@lemm.ee
      link
      fedilink
      arrow-up
      1
      ·
      6 months ago

      Taint analysis is a real thing that several papers have been published about, but the implementations aren’t in a state where they could be run in real time without massively hampering performance. Also they’re mostly focused on findings bugs in native applications rather than privacy on the web.