Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dom.maxHardwareConcurrency #127

Closed
Thorin-Oakenpants opened this issue May 23, 2017 · 5 comments
Closed

dom.maxHardwareConcurrency #127

Thorin-Oakenpants opened this issue May 23, 2017 · 5 comments

Comments

@Thorin-Oakenpants
Copy link
Contributor

Thorin-Oakenpants commented May 23, 2017
edited
Loading

snip
@earthlng
Copy link
Contributor

We discussed that already here
IMO we should not add this and wait till FF55 spoofs it with privacy.resistFingerprinting;true

@earthlng
Copy link
Contributor

earthlng commented May 23, 2017
edited
Loading

I'm not sure spoofing alone would do any good and nobody answered KOLANICH's question "have you found a suitable way to overcome https://github.com/oftn-oswg/core-estimator ?"
It seems that sites can still estimate the number of cores even with spoofing. Setting the dom pref would prevent that but it would probably also limit FF's performance.
If you want to add it I don't mind adding it as inactive ie commented out, but personally I'm not going to use it because I don't care if the rare few sites I allow JS on could know my number of cores, because I think a majority large number of computers worldwide have the same number of cores as my own machine. And once FF55 spoofs it, simply getting the value from the dom would not give a site the correct number of cores if they don't also use the core-estimator trick. But since we also have (service)workers disabled anyway there's nothing they can do to get the correct # of cores.

@earthlng
Copy link
Contributor

earthlng commented May 23, 2017
edited
Loading

Yes it's covered but only for spoofing. It seems that the estimator trick doesn't care about that value and tries higher numbers of workers regardless. I also doubt that sites really use that trick to fingerprint because it's only an estimate and not very reliable. I could have 32 cores but if there's something very CPU heavy running in the background the estimate could still be totally off. They maybe are using the number of cores as given back by the DOM as one bit of FP information but once that is spoofed I think we're gucci.
And setting the dom pref does not just spoof it, it effectively limits the use of more cores, and I assume that applies to FF as well. So yeah, I'm not a fan of adding this.

@earthlng
Copy link
Contributor

earthlng commented May 23, 2017
edited
Loading

and DIRECTLY EXPOSING it

yeah but FF55 with resistFP won't expose it anymore.

We know the spoof NAVIGATOR value does not.

Do we though? Even the mozilla guys don't seem to be sure about that:

I don't see any browser chrome code calling navigator.hardwareConcurrency today, but it would be affected by privacy.resistFingerprinting if it did. It looks like RuntimeService.cpp could check if it is called by chrome code.

I don't know what they mean by "could check" - does it mean "maybe it checks but I'm not sure" or "we could add a check to see if it's called by chrome code" ??

@earthlng
Copy link
Contributor

earthlng commented May 23, 2017
edited
Loading

2514 does not spoof, it limits it, doesn't it? And therefore it does affect performance, not may

Thorin-Oakenpants referenced this issue May 23, 2017
@Thorin-Oakenpants
dom.maxHardwareConcurrency #115
147e023
@Thorin-Oakenpants Thorin-Oakenpants mentioned this issue May 24, 2017
Closed
6 tasks
@earthlng earthlng mentioned this issue Jun 14, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Thorin-Oakenpants @earthlng