Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove navigator.connection from Brave-core #20122

Closed
pes10k opened this issue Dec 15, 2021 · 5 comments · Fixed by brave/brave-core#11638
Closed

Remove navigator.connection from Brave-core #20122

pes10k opened this issue Dec 15, 2021 · 5 comments · Fixed by brave/brave-core#11638
Assignees
@mariospr @mkarolin
Labels
feature/shields/fingerprint The fingerprinting (aka: "device recognition") protection provided in Shields OS/Android Fixes related to Android browser functionality OS/Desktop privacy/chromium-redqueen Work to remove or improve privacy-harming "features" added in Chromium. privacy/tracking Preventing sites from tracking users across the web privacy QA Pass - Android ARM QA Pass - Android Tab QA Pass-macOS QA/Test-Plan-Specified QA/Yes release-notes/include
Milestone
1.35.x - Release

Comments

@pes10k
Copy link
Contributor

pes10k commented Dec 15, 2021
edited
Loading

Chromium allows sites to learn about local network conditions by querying navigator.connection. This is privacy harming information. It can be used by fingerprinters, as well as by more determined attackers to potentially learn about user traveling patterns (including when the user is at home or not).

Ideal behavior here would be for the below to both be true in all shields configurations:

navigator.connection === undefined
"connection" in window.navigator === false

An ideal implementation would also include a brave://flags option (default off) that advanced users could use to re-enable the API. The flag description should have text mentioning that the functionality risks their privacy.
@pes10k pes10k added privacy privacy/tracking Preventing sites from tracking users across the web feature/shields/fingerprint The fingerprinting (aka: "device recognition") protection provided in Shields OS/Android Fixes related to Android browser functionality privacy/chromium-redqueen Work to remove or improve privacy-harming "features" added in Chromium. OS/Desktop labels Dec 15, 2021
@pes10k pes10k mentioned this issue Dec 15, 2021
Closed
mkarolin added a commit to brave/brave-core that referenced this issue Dec 17, 2021
@mkarolin
[WIP] Disable navigator.connection attribute by default.
189cb1b 
Fixes brave/brave-browser#20122
@mkarolin mkarolin mentioned this issue Dec 17, 2021
Merged
25 tasks
mkarolin added a commit to brave/brave-core that referenced this issue Dec 20, 2021
@mkarolin
Disable navigator.connection attribute by default.
217e296 
Fixes brave/brave-browser#20122
mkarolin added a commit to brave/brave-core that referenced this issue Dec 21, 2021
@mkarolin
Disable navigator.connection attribute by default.
38c42da 
Fixes brave/brave-browser#20122
mkarolin added a commit to brave/brave-core that referenced this issue Dec 23, 2021
@mkarolin
Disable navigator.connection attribute by default.
0354847 
Fixes brave/brave-browser#20122
@mkarolin mkarolin added this to the 1.35.x - Nightly milestone Dec 24, 2021
@mkarolin
Copy link
Contributor

Test Plan:

  1. Open Brave and navigate to any site.

  2. Open DevTools and go to the Console tab

  3. Enter: "connection" in window.navigator
    Expected result: false

  4. Navigate to brave://flags

  5. Locate navigator-connection-attribute flag, enable it, and click restart

  6. Repeat steps 1-3
    Expected result: true

@pes10k
Copy link
Contributor Author

pes10k commented Dec 27, 2021

For QA, i've also added a test for this in the QA suite: https://dev-pages.brave.software/dom-properties.html

@stephendonner
Copy link

Verified PASSED using

Brave 1.35.69 Chromium: 97.0.4692.56 (Official Build) dev (x86_64)
Revision 04da6c66398ca50e603cc236a07dc7dfd3bbc750-refs/branch-heads/4692@{#990}
OS macOS Version 11.6.1 (Build 20G224)

Followed the steps above.

Steps:

  1. opened Brave and navigated to a site (wired.com)
  2. opened DevTools and went to the Console tab
  3. entered: "connection" in window.navigator
  4. confirmed the expected result: false
  5. navigated to brave://flags
  6. located navigator-connection-attribute flag, enabled it, and clicked restart
  7. repeated steps 1-3
  8. confirmed the expected result: true
example example example
Screen Shot 2021-12-30 at 2 17 14 PM Screen Shot 2021-12-30 at 2 17 43 PM Screen Shot 2021-12-30 at 2 18 06 PM

@stephendonner
Copy link

stephendonner commented Jan 6, 2022
edited
Loading

Verified PASSED using Brave 1.35.74, Chromium 97.0.4692.71 on a Google Pixel XL running Android 9.0.

Steps:

  1. opened Brave and navigated to a site (wired.com)
  2. opened DevTools and went to the Console tab
  3. entered: "connection" in window.navigator
  4. confirmed the expected result: false
  5. navigated to brave://flags
  6. located navigator-connection-attribute flag, enabled it, and clicked Relaunch
  7. repeated steps 1-3
  8. confirmed the expected result: true
example example example
Screen Shot 2022-01-05 at 4 26 22 PM Screen Shot 2022-01-05 at 4 31 43 PM Screen Shot 2022-01-05 at 4 29 28 PM

@srirambv
Copy link
Contributor

Verification passed on Samsung Tab A with Android 10 running 1.35.77 x64 Beta build

image image image image image

@kjozwiak kjozwiak mentioned this issue Feb 1, 2022
Closed
@kjozwiak kjozwiak mentioned this issue Feb 6, 2022
Closed
@polcak polcak mentioned this issue Apr 20, 2022
Closed
22 tasks
polcak added a commit to polcak/jsrestrictor that referenced this issue Apr 22, 2022
@polcak
Add removal of Network Information API
2c497e7 
See brave/brave-browser#20122

Potential improvements: return a generic value, return a farbled generic
value. Or modify the values somehow.

Radek observed:
* downlink is never greater than 10, sometimes values like 9.3
* downlinkMax can be greater than 10, e.g. 100/infinity
* effectiveType: computed from rtt and downlink
* saveData can be important for users trying to limit downloaded data
@mkarolin mkarolin mentioned this issue Feb 15, 2023
Closed
@mkarolin mkarolin mentioned this issue Aug 28, 2024
Closed
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mariospr mariospr

@mkarolin mkarolin

Labels
feature/shields/fingerprint The fingerprinting (aka: "device recognition") protection provided in Shields OS/Android Fixes related to Android browser functionality OS/Desktop privacy/chromium-redqueen Work to remove or improve privacy-harming "features" added in Chromium. privacy/tracking Preventing sites from tracking users across the web privacy QA Pass - Android ARM QA Pass - Android Tab QA Pass-macOS QA/Test-Plan-Specified QA/Yes release-notes/include
Projects
None yet
Milestone
1.35.x - Release
Development

Successfully merging a pull request may close this issue.

Make navigator.connection attribute available via a feature. brave/brave-core
5 participants
@pes10k @stephendonner @mariospr @srirambv @mkarolin