Bug 1437349: Detect if user install certain software with external protocol
Status: Closed, RESOLVED DUPLICATE of bug 680300
Opened 7 years ago, Closed 7 years ago
Categories: Core :: DOM: Security, defect
People: Reporter: xiaoyin.l, Unassigned
References: Blocks 2 open bugs
Details: Keywords: csectype-disclosure, privacy, Whiteboard: [fingerprinting]
Attachments: 2 files
If a web page navigates to a URL with an external protocol using JavaScript (document.location.href = "<scheme>";), Firefox throws an exception if the specified scheme is unknown. Web pages can detect whether the scheme is registered by catching the exception. Many schemes are known to be associated with specific programs.
For instance, the "steam:" protocol is associated with the Steam game client. If document.location.href = "steam:" throws an exception, then the user doesn't have the Steam client installed; if it doesn't throw an exception, the user has Steam installed. This is a privacy issue, because users don't expect that websites can detect this info.
That being said, if a protocol is known to the system, trying to navigate to it opens a popup. So users will know and get confused if attackers exploit this issue. But by the time they see the popups, the detection has already completed.
Edge and Chrome don't throw exceptions when external protocols are unknown.
Steps to reproduce:
Open the PoC in Firefox: https://xiaoyinl.github.io/rrk492vg2/external_protocol/parent.html
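The difference between the two browser behaviours described in this report can be expressed as a differential regression check. This is an added example, not code from the report or from Firefox: it is a plain JavaScript model in which REGISTERED, navigateLeaky, navigateUniform, observable and leaksInstallState are hypothetical names and the scheme list is constructed.

```javascript
// Model (not browser code) of the exception oracle described in the report.
// REGISTERED is a constructed stand-in for the OS protocol-handler registry.
const REGISTERED = new Set(["mailto", "steam"]);

// Behaviour the report describes for Firefox: an unknown scheme throws to the caller.
function navigateLeaky(url, prompts) {
  const scheme = url.split(":")[0].toLowerCase();
  if (!REGISTERED.has(scheme)) {
    throw new Error("unknown protocol");
  }
  prompts.push(scheme); // the external-application popup the user sees
}

// Modelled on the report's statement that Edge and Chrome do not throw.
function navigateUniform(url, prompts) {
  const scheme = url.split(":")[0].toLowerCase();
  if (REGISTERED.has(scheme)) {
    prompts.push(scheme);
  }
  // Unknown scheme: nothing is signalled back to the calling script.
}

// What the page's script can observe: only whether the call threw.
function observable(navigate, url) {
  const prompts = []; // visible to the user, never returned to the script
  try {
    navigate(url, prompts);
    return "no-exception";
  } catch (e) {
    return "exception";
  }
}

// True when the script-visible result differs between an installed and a
// missing handler, i.e. when install state leaks to the page.
function leaksInstallState(navigate, installedUrl, missingUrl) {
  return observable(navigate, installedUrl) !== observable(navigate, missingUrl);
}

console.log("throwing model leaks:", leaksInstallState(navigateLeaky, "steam:", "notinstalled-example:"));
console.log("uniform model leaks:", leaksInstallState(navigateUniform, "steam:", "notinstalled-example:"));
```

A fix is effective when the script-visible outcome is identical for registered and unregistered schemes, which is the property leaksInstallState tests.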
Reporter
Comment 1•7 years ago
Comment 2•7 years ago
Arthur: another one for the fingerprinting list
Group: core-security
Flags: needinfo?(arthuredelstein)
Keywords: csectype-disclosure, privacy
Whiteboard: [fingerprinting]
Comment 3•7 years ago
Oh awesome - this looks like the correct PoC of Bug 680300 that I was struggling to write.
Comment 4•7 years ago
Thanks, Dan!
Blocks: uplift_tor_fingerprinting, meta_tor
Flags: needinfo?(arthuredelstein)
Comment 5•7 years ago
In that case I am marking this bug as a duplicate.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE