Page 1 of 1

Disable plugin enumeration using NoScript surrogates?

Posted: Wed Jul 27, 2016 10:30 am
by johnscript
Somewhere along the line Mozilla removed the preference that allowed to disable plugin enumeration (claiming it "broke too many sites", which still has to be proved) in their usual way, meaning they could have left it there with a "safe" value or even turned it into an hidden one, but no, they just got rid of it.

But I digress : looking around I've found this interesting workaround: [Talk]alternative to plugins.enumerable_names which apparently exploits script surrogates to do the same task: my question is, how does this work?

Code: Select all

noscript.surrogate.noplugin.exceptions =
noscript.surrogate.noplugin.replacement = Object.defineProperty(navigator, "plugins", {value: []});
noscript.surrogate.noplugin.sources = @^https?://


What is this code actually doing, and is it the same thing (or possibly even better) than the original feature?

Re: Disable plugin enumeration using NoScript surrogates?

Posted: Wed Jul 27, 2016 3:29 pm
by barbaz

Re: Disable plugin enumeration using NoScript surrogates?

Posted: Sat Jul 30, 2016 10:52 am
by johnscript
Ok, but could you explain in layman's terms if this feature could be considered a drop-in replacement for the original (removed) Firefox feature?

Furthermore, the code looks a bit different to me:


Code: Select all

noscript.surrogate.noplugin.exceptions =
noscript.surrogate.noplugin.replacement = Object.defineProperty(navigator, "plugins", {value: []});
noscript.surrogate.noplugin.sources = @^https?://


Code: Select all

for(let propName of ['plugins','mimeTypes']){Object.defineProperty(window.navigator, propName, {configurable: true, enumerable: true, value:{}})}


Are these two ways to achieve the same goal?
If I were to choose the method in your link, should a also set the value of noscript.surrogate.ihasnoplugins.sources to {} to blacklist all sites?

BTW, I reckon that users not able to understand this stuff should probably leave it alone - but OTOH, if Mozilla keeps axing privacy features leaving users more exposed than they need to be...

Re: Disable plugin enumeration using NoScript surrogates?

Posted: Sat Jul 30, 2016 3:58 pm
by barbaz
johnscript wrote:Ok, but could you explain in layman's terms if this feature could be considered a drop-in replacement for the original (removed) Firefox feature?

I've never used it and didn't even realize it existed, sorry.

johnscript wrote:Furthermore, the code looks a bit different to me:


[...]

Are these two ways to achieve the same goal?

No. The first set of code is not only incomplete but overwriting the properties with the wrong type of JavaScript object, and as such will make you stand out more to fingerprint-hungry websites.

johnscript wrote:If I were to choose the method in your link, should a also set the value of noscript.surrogate.ihasnoplugins.sources to {} to blacklist all sites?

See the third post, use @* for the sources value to enable it by default. The prefix of @ is the most important, see this link on surrogate script for more information.
I don't think {} will match anything useful.

Re: Disable plugin enumeration using NoScript surrogates?

Posted: Mon Aug 01, 2016 9:03 pm
by johnscript
OK, thank you very much.

Re: Disable plugin enumeration using NoScript surrogates?

Posted: Mon Aug 01, 2016 9:14 pm
by barbaz
You're welcome Image