Supercookies tracking #14025
Comments
cc: @pes10k
@fmarier is there any reason your fix wouldn't apply to Android?
There was nothing desktop-specific in our fix. When I test this on Android, I get a different ID in normal tabs v. private tabs, so that tells me that this is working on Android too.
Hi,
Yes, this works. However, if you close and open Brave, it provides the same ID.
That's expected. You need to clear the cache for the favicons to go away. Without clearing the cache, there are other simpler ways for a malicious first party to continue to track you. No need for a supercookie in this case.
If this is expected, the behaviour on GNU/Linux is not congruent. Why?
When I test the following on GNU/Linux:
I get the same ID. If you're getting different IDs, you may be clearing cache/cookies at exit. Check these two settings:
No, that's a web compatibility enhancement to work around problems due to the fact that we block third-party storage in Brave. The expected behavior for these favicon supercookies is that the ID will change when:
This is first-party tracking, which can also be done trivially via cookies and via the HTTP cache. So unless you clear your cache & cookies you don't need to use favicons to get a stable identifier for a given user.
You are right, I have third party cookies blocked.
The Chromium team is working on cache partitioning similar to Firefox's implementation: https://docs.google.com/document/d/1V8sFDCEYTXZmwKa_qWUfTVNAuBcPsu6FC0PhqMD6KKQ/edit Brave will inherit this change as well once it's ready.
Now Brave has Network State Partitioning.
Yep, as @pachainti mentioned, Brave now has protections against this category of attack. We've rolled out what Chromium implements, added some additional protections that Chromium currently lacks (but which we're trying to upstream), and protections against new kinds of attacks that Brave's research team found in Chromium. Thanks everyone for keeping our feet to the flame here!
Hi,
Brave on desktop is able to block supercookies tracking while Brave for Android does not.
The behaviour has been tested with the latest version of Brave 1.19.92 on both Android 9 and 10 with ARMv7 and ARMv8 CPUs.