Comment by matheusmoreira

3 years ago

I don't think web developers should be able to detect stuff like that either. Their ability to detect stuff provides identifying bits for fingerprinting. As far as I'm concerned, all the browsers should normalize the return values of those typeofs and all related functions so that Javascript can figure out exactly zero bits of information about the environment it's running on. Just like browsers will lie to Javascript when it tries to figure out your browsing history by checking the color of links.

The web platform gave web developers way too much freedom and they're abusing it. God giveth and god taketh away.

13 comments

matheusmoreira

Reply
Groxx  3 years ago

There's simply no way that can ever be built though. "Browser v2 provides X which will call argument 1 in 2 seconds" -> how would browser v1 possibly hide that it is not v2? Anyone can build a thing that checks for that behavior, and now you have a piece of information.

Or for more useful stuff, "X gets you data from URL Y". Either you get that data or you don't. Voila, data about the browser.

The only alternative is that you never ever release any new features or fix any bugs.

  • matheusmoreira  3 years ago

    How does cryptography software avoid such side channels? Normalize the performance somehow.

    If I remember correctly, Firefox's fingerprinting resistance will actually slow down functionality to achieve that. Reduces the precision of performance timers or something. Makes CAPTCHAs exponentially more obnoxious.

    • Groxx  3 years ago

      It hides that by being incredibly restricted in what you can do with it, lest you leak side channel information. To the point that you can't do much of anything useful, much less general computation. They're finely crafted Faberge eggs that break if you sneeze near them now or discover a new way of sneezing in the next few decades, not broad tools.

      So... yes, you could build a "browser" like that. It would effectively have no scripting at all though, nor could it ever introduce new semantics that send data to another site, directly or transitively. You can do some stuff with that kind of system, but it's limited enough that most people don't choose it.

      Gopher exists I guess? Lynx too, though lynx supports css, and that largely can't be allowed either.

      2 replies →

raincole  3 years ago

> Feature detection is too much power for developers

- People on HN.

  • matheusmoreira  3 years ago

    Yes, it is too much power for them. Power which they abuse by fingerprinting us. Browser vendors agree with me: they reduced the power of developers by lying to Javascript when they tried to check link styles.

    Do you think otherwise?

    • raincole  3 years ago

      A. Test for window.fetch.

      B. Check if a link is visited.

      Whether these two even remotely fall into the same category is left as an exercise for readers.

      3 replies →

    • technion  3 years ago

      Using an Abortcontroller with fetch for example is only recently supported. I like to use it where I can, but I don't want to crash on a slightly older browser. Feature detection is absolutely practically useful.

      1 reply →