[tbb-dev] Is JS monkey patching viable as a fingerprinting countermeasure?

Arthur D. Edelstein arthuredelstein at gmail.com
Sat Aug 30 07:14:44 UTC 2014


Hi All,

I'm wondering about the history of JS fingerprinting mitigation in Tor
Browser. What prompted the change of approach from JavaScript hooks to
C++ patches? I had read something about a race condition discovered,
but I haven't found more details.

I've been thinking about the idea of developing a C++ patch for Tor
Browser (and Firefox) that allows extensions to securely replace
arbitrary members (functions and properties) of the global window
object at runtime, before content is loaded. By "secure" I mean that,
by design, there would be no workaround for content scripts to access
the original window object members. (Maybe this capability already
exists -- I don't know.)

The advantages of this monkey-patching approach over addressing
fingerprinting vulnerabilities with C++ patches are
(1) it would (I think) simplify fingerprinting countermeasures, and
(2) it would reduce the number of Firefox C++ patches that Mozilla
needs to accept.

Is this idea worth pursuing further?

Thanks,
Arthur

