undefined | Better HN

0 points0cf8612b2e1e1mo ago0 comments

No kidding. I am shocked this works.

Does Firefox have a similar weakness?

0 comments

No. Firefox always randomizes the extension ID used for URLs to web accessible resources on each restart [1]. Apparently, manifest v3 extensions on Chromium can now opt into similar behavior [2].

[1]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

[2]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

cxr1mo ago

That's a different form of defense. The original claim in this thread was that LinkedIn's fingerprinting implementation was making cross-site requests to Chrome Web Store, and that they were reading back the response of those requests.

Firefox isn't susceptible to that, because that's not how Firefox and addons.mozilla.org work. Chrome, as it turns out, isn't susceptible to it, either, because that's also not how Chrome and the Chrome Web Store work. (And that's not what LinkedIn's fingerprinting technique does.)

(Those randomized IDs for content-accessible resources, however, do explain why the technique that LinkedIn actually uses is is a non-starter for Firefox.)

tech234a1mo ago

An additional improvement added in manifest v3 in both Chromium and Firefox is that extensions can choose to expose web accessible resources to only certain websites. Previously, exposing a web accessible resource always made that resource accessible to all websites.

cxr1mo ago

It doesn't work. The person who posted the comment you're responding to has absolutely no idea what he's talking about. He confabulated the entire explanation based on a single misunderstood block of code that contains the comment «Remove " - Chrome Web Store" suffix if present» in the (local, NodeJS-powered) scraper that the person who's publishing this data themselves used to fetch extension names.

burkaman1mo ago

I don't see any evidence of this happening in Firefox. Either it's more difficult or they just didn't bother, either way I'm happy.

Edit: Can't find much documentation on exactly how the anti-fingerprinting works, but this page implies that the browser blocks extension detection: https://support.mozilla.org/en-US/kb/trackers-and-scripts-fi...

Wicher1mo ago

From memory from working with these a couple of years ago:

Firefox extension asset URLs are random and long (there's a UUID in there iirc). The extension itself can discover its randomized base so that it can output its asset URLs, but webpage code can't.

j / k navigate · click thread line to collapse

0 comments

tech234a1mo ago

No. Firefox always randomizes the extension ID used for URLs to web accessible resources on each restart [1]. Apparently, manifest v3 extensions on Chromium can now opt into similar behavior [2].

[1]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

[2]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...

cxr1mo ago

(Those randomized IDs for content-accessible resources, however, do explain why the technique that LinkedIn actually uses is is a non-starter for Firefox.)

tech234a1mo ago

cxr1mo ago

burkaman1mo ago

I don't see any evidence of this happening in Firefox. Either it's more difficult or they just didn't bother, either way I'm happy.

Wicher1mo ago

From memory from working with these a couple of years ago:

Firefox extension asset URLs are random and long (there's a UUID in there iirc). The extension itself can discover its randomized base so that it can output its asset URLs, but webpage code can't.

j / k navigate · click thread line to collapse