[tbb-dev] Is JS monkey patching viable as a fingerprinting countermeasure?

Arthur D. Edelstein arthuredelstein at gmail.com
Mon Sep 22 06:19:21 UTC 2014

> That said, if you see a clean way to create an API to do secure script
> injection and feel like hacking it up real quick, feel free. It may
> prove useful eventually, but I suspect we'll uncover a whole slough of
> surprises once we actually try to use it. We'll probably also need
> regression tests in-tree for every single function/callback/property we
> hook, to make sure that an implementation change doesn't suddenly break
> our ability to hook something in the way we want.

As an experiment, I came up with a very simple JS module that lets you
inject a script to overwrite arbitrary members of the global "window"
object, before any content is loaded. The trick is listening for
"content-document-global-created" notifications, as described in

If anyone is interested, you can see the injection code at
and there's an example of the script to be injected at
(The latter script is one way to solve #5926, though my final
implementation is a C++ patch.)
Of course, all of Mike and Georg's caveats about JS hooks apply here.

More information about the tbb-dev mailing list