Unverified Commit 69ba2608 authored by Carmelo Messina

PublicKeyCredential fingerprinting mitigations: Removes the possibility of obtaining the presence of Windows Hello and Bluetooth by querying the PublicKeyCredential of the webauth api in the Windows platform (#1758)
parent dfb44424
+78 −0
From: uazo <uazo@users.noreply.github.com>
Date: Thu, 23 Jan 2025 17:01:50 +0000
Subject: PublicKeyCredential fingerprinting mitigations

Removes the possibility of obtaining the presence of Windows Hello and
Bluetooth by querying the PublicKeyCredential of the webauth api in
the Windows platform
---
 .../webauth/authenticator_common_impl.cc      | 22 +++++++++++++++++++
 .../webauth/authenticator_common_impl.h       |  2 +-
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/content/browser/webauth/authenticator_common_impl.cc b/content/browser/webauth/authenticator_common_impl.cc
--- a/content/browser/webauth/authenticator_common_impl.cc
+++ b/content/browser/webauth/authenticator_common_impl.cc
@@ -1691,6 +1691,7 @@ void AuthenticatorCommonImpl::GetClientCapabilities(
       MakeCapability(client_capabilities::kRelatedOrigins, true));
 
   IsHybridTransportSupported(
+    caller_origin,
       base::BindOnce(&MakeCapability, client_capabilities::kHybridTransport)
           .Then(barrier_callback));
 
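Review bot: The added `caller_origin,` argument in the `IsHybridTransportSupported(` call is indented four spaces while the `base::BindOnce(...)` argument right after it uses six. Align it with the other argument so the call is formatted consistently.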
@@ -1707,6 +1708,7 @@ void AuthenticatorCommonImpl::GetClientCapabilities(
 }
 
 void AuthenticatorCommonImpl::IsHybridTransportSupported(
+    const url::Origin& caller_origin,
     base::OnceCallback<void(bool)> callback) {
   // Similar to Web Bluetooth API (`navigator.bluetooth.getAvailability()`) we
   // want respect the policy and return `false` if the policy is enforced.
@@ -1715,6 +1717,19 @@ void AuthenticatorCommonImpl::IsHybridTransportSupported(
     std::move(callback).Run(false);
     return;
   }
+  const url::Origin& embedding_origin =
+      GetRenderFrameHost()->GetMainFrame()->GetLastCommittedOrigin();
+
+  switch (GetContentClient()->browser()->AllowWebBluetooth(
+      GetBrowserContext(), caller_origin,
+      embedding_origin)) {
+    case ContentBrowserClient::AllowWebBluetoothResult::BLOCK_POLICY:
+    case ContentBrowserClient::AllowWebBluetoothResult::BLOCK_GLOBALLY_DISABLED:
+      std::move(callback).Run(false);
+      return;
+    case ContentBrowserClient::AllowWebBluetoothResult::ALLOW:
+      break;
+  }
 
   if (!device::BluetoothAdapterFactory::Get()->IsLowEnergySupported()) {
     std::move(callback).Run(false);
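Review bot: The new `AllowWebBluetooth` switch has no comment and no `#if BUILDFLAG(IS_WIN)` guard, so it changes the hybrid-transport answer on every platform although the commit message describes a mitigation for the Windows platform. Add a short comment stating that hybrid transport is reported as unsupported whenever Web Bluetooth is blocked for `caller_origin` and `embedding_origin`, and either guard the block or update the description to match its real scope.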
@@ -1765,6 +1780,13 @@ void AuthenticatorCommonImpl::ContinueIsUvpaaAfterOverrideCheck(
         IsUserVerifyingPlatformAuthenticatorAvailableCallback callback,
     bool is_get_client_capabilities_call,
     std::optional<bool> is_uvpaa_override) {
+#if BUILDFLAG(IS_WIN)
+  if ((true)) {
+    // always expose Windows Hello active, even if it is not
+    std::move(callback).Run(true);
+    return;
+  }
+#endif
   if (is_uvpaa_override) {
     std::move(callback).Run(*is_uvpaa_override);
     return;
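Review bot: The unconditional `if ((true))` return at the top of `ContinueIsUvpaaAfterOverrideCheck` runs before the `if (is_uvpaa_override)` check, so on Windows an override value is ignored and `is_get_client_capabilities_call` is never consulted. Move the block below the override branch so overrides keep working, and extend the comment to say the fixed `true` is deliberate: it hides whether Windows Hello is configured, at the cost of reporting a platform authenticator as available on machines that have none.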
diff --git a/content/browser/webauth/authenticator_common_impl.h b/content/browser/webauth/authenticator_common_impl.h
--- a/content/browser/webauth/authenticator_common_impl.h
+++ b/content/browser/webauth/authenticator_common_impl.h
@@ -252,7 +252,7 @@ class CONTENT_EXPORT AuthenticatorCommonImpl : public AuthenticatorCommon {
   // Bluetooth adapter that supports BLE. If so, runs |callback| with `true`.
   // Otherwise, or if Bluetooth is disabled by Permissions Policy, runs
   // |callback| with `false`.
-  void IsHybridTransportSupported(base::OnceCallback<void(bool)> callback);
+  void IsHybridTransportSupported(const url::Origin& caller_origin, base::OnceCallback<void(bool)> callback);
 
   // `is_get_client_capabilities_call` is true if this call originated from the
   // `GetClientCapabilities` method. The UMA metric is only recorded if this is
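Review bot: The doc comment above `IsHybridTransportSupported` still lists only the BLE adapter and Permissions Policy conditions. It should also describe the new `caller_origin` parameter and say that |callback| runs with `false` when Web Bluetooth is blocked for that origin. The new declaration also runs well past 80 columns; put each parameter on its own line.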
--
+2 −1
@@ -21,7 +21,6 @@
- Disable visited pseudo class
- Disable WebGPU
- Disable GamePad API by default (https://www.w3.org/TR/gamepad/#fingerprinting-mitigation)
- Disable Posture API by default (https://github.com/w3c/device-posture/blob/gh-pages/security-privacy-self-assessment.md)
Also disable gamepadconnected and gamepaddisconnected, see https://jshelter.org/gp/
- Disable WebGL by default
- Disable WebRTC by default
@@ -41,12 +40,14 @@ Also disable gamepadconnected and gamepaddisconnected, see https://jshelter.org/
- Do not expose local IP addresses with webRTC
- Allows the use of the api DocumentPiP only with the content setting popup allowed (https://wicg.github.io/document-picture-in-picture/#privacy-considerations)
- Multi-Screen Window Placement API fix (screen.isExtended)
- Disable Posture API by default (https://github.com/w3c/device-posture/blob/gh-pages/security-privacy-self-assessment.md)
- (ANDROID) Do not follow night mode for dark mode preference when theme is set to system default
- (DESKTOP) Enable HighEfficiencyMode by default
- (DESKTOP) Enable percent based scrolling for mousewheel
- (DESKTOP) Enable Keyboard Layout API mitigation
- (WINDOWS) Disable Windows ClearType Text Tuner setting (active in rdp sessions)
- (WINDOWS) Hide the presence of the webcam if the user has not given permission
- (WINDOWS) PublicKeyCredential fingerprinting mitigations, see #1758

#### Tracking navigation
- Enable network isolation features
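Review bot: The new entry `(WINDOWS) PublicKeyCredential fingerprinting mitigations, see #1758` names only the issue, unlike neighbouring entries such as `Hide the presence of the webcam if the user has not given permission`, which state the behaviour. Say what actually changes for the user, for example that Windows Hello is always reported as available and that hybrid transport is reported as unsupported when Web Bluetooth is blocked.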