Level 24
Vulnerabilities in Privacy Badger canvas fingerprinting detection
  • Observability of the canvas API hooking
  • Bypassability of the APIs hooking
This show again that addon updates are necessary and that even famous addons aren't so good as they should.


Also from the GrapheneOS dev:
This is yet another example of why client-side checks are a bad approach for security. People should not be trying to implement privacy and security by injecting code into the adversary's code and hooking various APIs in a way that can be bypassed or detected. In general, browser extensions are not a good place to attempt implementing privacy and security features. APIs for browser extensions are not designed to provide robust or secure ways of doing these things, so extensions implement half-baked solutions or complete hacks involving injecting code and pretend they have working / robust approaches when they do not. Privacy and security features need to be built into browsers to work properly, whether it's by building in the feature completely or providing a robust API for it.
Last edited:


Level 13
DanielMcKay on Reddit said:
In Firefox, extensions are unintentionally constrained by the page's Content-Security-Policy and sandbox attributes. This is an implementation bug with no solution in sight. This causes many extensions to be broken on sites using these features. Extensions can work around this Firefox bug by disabling these security features or poking holes in the policies to allow their code to work.
Constraining extensions with the limitations of a webpage's CSP (content-security-policy) and Sandbox sounds like a good plan to me. It would be a security feature when extension writers could not poke holes in these limitations When they can circumvent it, some extension writers would probably ask for to many privileges, making this limitation counter productive. I don't use Firefox so maybe members with better knowledge of Firefox can comment on this.

Digmor Crusher

Level 7
Many on here and elsewhere, are simplifying their protection setup, using features built in to the OS configured by programs such as Configure Defender and Syshardener. They are trying to avoid 3rd party programs installing drivers, hooking into a million different files etc. Maybe its time to start simplifying our browser setups now, stop installing an over-abundance of extensions, many which break web pages and are more trouble than they are worth. I'm done obsessing about privacy on the internet, bigger fish to fry here.