[hackerone] Dark Mode detection not always blocked by Fingerprinting Protection on Android #25851

Closed
ShivanKaul opened this issue Oct 7, 2022 · 1 comment · Fixed by brave/brave-core#15385

ShivanKaul (Collaborator) commented Oct 7, 2022

Under certain conditions, the user's system light-mode/dark-mode preference is leaked to websites even if fingerprint blocking is set to strict. This happens when closing and reopening Brave for Android.

Steps To Reproduce:

  1. On an Android device, set the system color scheme to dark mode.
  2. In Brave, set Settings -> Brave Shields & privacy -> Block Fingerprinting to "Fingerprinting blocked (strict, may break sites)"
  3. Open https://septatrix.github.io/prefers-color-scheme-test/ (or another prefers-color-scheme demo page). Observe that the site does not detect Dark Mode, as expected.
  4. Press the system Home button (or, if using gesture navigation, swipe the bar up) to close Brave. Then, reopen Brave.
  5. Observe that the demo page now detects Dark Mode.

Expected Outcome:
Demo page should not detect dark mode even if Brave is closed and then re-opened.

Additional Regression Testing:
#15265 (comment)

https://hackerone.com/reports/1723953 credit cartersande
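
An added regression probe for the reproduction steps above (not part of the original issue and not Brave's code): it samples `prefers-color-scheme` at page load and again each time the page becomes visible after step 4, and fails if dark mode is ever reported. The name `createSchemeProbe` and the injected `win` parameter are assumptions made for this example.

```javascript
// Added example, not Brave's code. `win` is `window` in a browser; it is a
// parameter (an assumption of this sketch) so the probe can run against a stub.
function createSchemeProbe(win) {
  const dark = win.matchMedia('(prefers-color-scheme: dark)');
  const light = win.matchMedia('(prefers-color-scheme: light)');
  const samples = [];

  // Record what the page can currently observe, tagged with what triggered it.
  function sample(trigger) {
    const scheme = dark.matches ? 'dark' : light.matches ? 'light' : 'no-preference';
    samples.push({ trigger, scheme });
  }

  sample('load'); // step 3: first visit
  // Fires if the reported value flips while the page stays open.
  dark.addEventListener('change', () => sample('mq-change'));
  // Step 4: returning from the home screen makes the document visible again.
  win.document.addEventListener('visibilitychange', () => {
    if (win.document.visibilityState === 'visible') sample('resume');
  });

  return {
    samples,
    // Expected outcome from the issue: dark mode is never detected while
    // strict fingerprinting blocking is on and the system theme is dark.
    verdict() {
      const darkSeen = samples.filter((s) => s.scheme === 'dark').map((s) => s.trigger);
      return { pass: darkSeen.length === 0, darkSeen };
    },
  };
}

// In a browser, expose the probe so `schemeProbe.verdict()` can be read from the console.
if (typeof window !== 'undefined') {
  window.schemeProbe = createSchemeProbe(window);
}
```

A `darkSeen` list containing `resume` but not `load` matches the behaviour reported in this issue.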

@ShivanKaul ShivanKaul added QA/Yes release-notes/include OS/Android Fixes related to Android browser functionality labels Oct 7, 2022
@ShivanKaul ShivanKaul self-assigned this Oct 7, 2022
@brave-builds brave-builds added this to the 1.46.x - Nightly milestone Oct 8, 2022
@diracdeltas diracdeltas changed the title Dark Mode detection not always blocked by Fingerprinting Protection on Android [hackerone] Dark Mode detection not always blocked by Fingerprinting Protection on Android Oct 9, 2022
srirambv (Contributor) commented Nov 2, 2022

Verification passed on the following devices running 1.46.87 x64 build

  • Verified steps from issue description
  • Verified the test page auto-detects and updates the value based on device theme preference/browser theme preference

  • Oppo Reno 5 (Android 12): 25851-ARM.mp4
  • Samsung Tab A (Android 10): 25851.-Tab.mp4
