Comment by jsheard

4 hours ago

Looks to me like LinkedIn is fetching chrome-extension://{extension id}/{known filename} and seeing if it succeeds, not pinging the web store.

Should be patched nonetheless though, that's a pretty obscene fingerprinting vector.

4 comments

jsheard

Reply
what  4 hours ago

How do you patch it? The extensions themselves (presumably) need to access the same web accessible resources from their content scripts. How do you differentiate between some extension’s content script requesting the resource and LinkedIn requesting it?

  • jsheard  4 hours ago

    Firefox already mitigates this by randomizing the extension path: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

        The file is then available using a URL like: moz-extension://<extension-UUID>/images/my-image.png"
    <extension-UUID> is not your extension's ID. This ID is randomly generated for every browser instance.
    This prevents websites from fingerprinting a browser by examining the extensions it has installed.

    • zahlman  3 hours ago

      Doesn't the browser know which script it's running?

      Why can't it just deny access to the specified path, except to the extension itself?

      1 reply →