Comment by drnick1
8 days ago
> 'privacy' browser projects based on Chromium for Android
As far as I know none of these projects have tackled the JS fingerprinting problem. The most earnest attempts seem to be Brave and Firefox with the Arkenfox user.js, but they have their own problems. The basic issue is that JS gives websites far too much control over the user's device. The JS spec should have never allowed websites control over the clipboard (e.g. to disable paste), to know if the user is active, when the mouse is being moved, etc. Since it is too late now, short of disabling JS entirely, there will be usability tradeoffs, but I think these are necessary (at least optionally) in an OS like Graphene.
Unfortunately, browsers have often done too little, too late when it comes to privacy. For example, until recently, most browsers allowed third party cookies by default.
GrapheneOS has a lot planned for Vanadium. It could become a project almost as large as the core OS project. We're going to be greatly expanding our team and that needs to happen before Vanadium can have substantially more changes than it currently does. Full state partitioning including for cookies is a much better approach than disabling third party cookies. Vanadium does disable third party cookies but that doesn't really do as much as you'd think because the way third party cookies are defined and what disabling them means is not intuitive. Third party cookies would not be a significant issue if cookies were fully partitioned by the top level site. Chromium has implemented state partitioning for the vast majority of the state but specifically not cookies by default where it's opt-in, so we need to handle that ourselves. They do support partitioned cookies but it's opt-in. Strictly partitioning cookies breaks a lot of cross-site functionality so no mainstream browser is doing it but rather they use heuristics to support cases like cross-site login and their partitioning is easy to bypass through that.
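The partitioning described in the reply above, sketched as an added example that is not part of the thread and is not Chromium or Vanadium code: a simplified cookie jar in which a tracker embedded on two unrelated sites tries to recognise the same browser. The site names, the policy labels (`shared`, `opt-in`, `strict`) and all function names are constructed for illustration; `opt-in` models cookies that are partitioned only when the site sets the `Partitioned` attribute.

```javascript
// Simplified cookie-jar model (added example). Site names are constructed.
// policy: 'shared' - one jar per cookie site, whatever page embeds it
//         'opt-in' - keyed by top-level site only if the cookie is Partitioned
//         'strict' - every cookie keyed by (top-level site, cookie site)
class CookieJar {
  constructor(policy) {
    this.policy = policy;
    this.store = new Map();
  }
  // Storage key for a cookie; the policy decides whether the top-level
  // site is part of the key.
  key(topLevelSite, cookieSite, partitionedAttr) {
    const partition = this.policy === 'strict' ||
      (this.policy === 'opt-in' && partitionedAttr);
    return partition ? `${topLevelSite}^${cookieSite}` : cookieSite;
  }
  get(topLevelSite, cookieSite, partitionedAttr) {
    return this.store.get(this.key(topLevelSite, cookieSite, partitionedAttr));
  }
  set(topLevelSite, cookieSite, partitionedAttr, value) {
    this.store.set(this.key(topLevelSite, cookieSite, partitionedAttr), value);
  }
}

// A tracker embedded as a third party: reuse its ID cookie if one is visible
// in this context, otherwise mint a new one. Returns the ID it observes.
let nextId = 1;
function trackerLoad(jar, topLevelSite, partitionedAttr) {
  const site = 'tracker.example';
  let id = jar.get(topLevelSite, site, partitionedAttr);
  if (id === undefined) {
    id = `uid-${nextId++}`;
    jar.set(topLevelSite, site, partitionedAttr, id);
  }
  return id;
}

// True when the tracker sees the same ID on two unrelated top-level sites.
function canLinkVisits(policy, partitionedAttr) {
  const jar = new CookieJar(policy);
  const a = trackerLoad(jar, 'news.example', partitionedAttr);
  const b = trackerLoad(jar, 'shop.example', partitionedAttr);
  return a === b;
}

for (const [policy, attr] of [['shared', false], ['opt-in', false], ['opt-in', true], ['strict', false]]) {
  console.log(policy, 'Partitioned=' + attr, 'linkable:', canLinkVisits(policy, attr));
}
```

Under `opt-in` the visits stay linkable unless the tracker itself chooses to set `Partitioned`, which is why the model only breaks the link unconditionally under `strict`.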
Fundamentally, almost all "innovation" in browser and JS development for the last 20 years has been about giving new powers to website authors, not to the people actually using the browser. The idea of telling website authors "no, you can't do that" seems to be anathema to browser authors and standards groups. The result is that they make it easy for website authors to wrap their content in shinier and shinier wrapping paper and then tell users how great it is that they can now see all that shininess. Probably 50% of what a website can do today is stuff we would be better off not having available.