Fix Firefox resource URI leak

Any website can access a selection of Firefox resource files to find out more about the web browser that is used to connect to the site.

Firefox and add-ons use the resource:// scheme to load resources internally, but some of the information are available to sites the browser connects to as well.

It is unclear why websites would need access to resource:// resources.

The leak seems to be limited to default files Firefox ships with, and not user modified files, and that is probably the main reason why Mozilla has not fixed the issue even though it was reported more than three years ago for the first time.

A script on Browserleaks highlights what Firefox reveals when queried by a simple script running on the site.

firefox resource leak

Please note that the script is broken in recent Nightly and Developer versions of Firefox, but that the issue remains.

The script may reveal the following information about the Firefox web browser:



  • Platform the browser is run on.
  • Default locale and update locale.
  • Whether Tor Browser is used.
  • The Firefox channel and whether it is an official build.
  • If PDF.js is available and the version of the file.
  • Default preference files, items listed, and their checksum (firefox.js, firefox-branding.js, firefox-l10n.js, webide-prefs.js, greprefs.js, services-sync.js, 000-tor-browser.js

The script that runs on the Browserleak website detects the locale in two ways. First, it tries to access resource:///chrome/*/locale/for all possible Firefox locales to identify the locale used.

If resource:///chrome/en-US/ is detected for instance, it means that the Firefox locale is English-US. Additionally, it attempts to access resource://gre/update.locale which reveals the Firefox interface language on all operating systems except on Linux when installed from a repository.

Read also:  Mozilla's Browse Free or Die campaign is problematic

The script checks the file resource:///defaults/preferences/firefox.js afterwards to detect the platform, channel and other information by analyzing the file's content and comparing it to known versions of the file.

Different builds of Firefox use different sets of default preferences and settings, and that's what the leak script uses to determine platform, channel and other information.

To sum it up: websites can use a basic script currently to get information about the Firefox browser. The information are limited to platform, channel and locale.

Fix

The add-on No Resource URI Leak has been created to block websites from accessing resource files. Simply install it in Firefox to block websites from accessing resource files. The easiest way to verify that the script is indeed working is to run the Browserleak test. If it returns no information, the add-on works as intended.

Summary
Article Name
Fix Firefox resource URI leak
Description
Mozilla Firefox leaks default resource files to websites which may use the files to reveal identifying information about the browser.
Author
Publisher
Ghacks Technology News
Logo

Please share this article

Facebooktwittergoogle_plusredditlinkedinmail



Responses to Fix Firefox resource URI leak

  1. Silicon Agent June 12, 2016 at 7:03 pm #

    Java and Javascript (JS) by Sun Microsystems and now Oracle Corporation. A leak's Treasure. No wonder, as Sun and Oracle grew up with CIA funds.

    • Salty Nutella June 12, 2016 at 8:31 pm #

      Java is not Javascript.
      Java is developed by Sun Microsystems (Oracle Corporation).
      Javascript is developed by Netscape Communications Corporation, Mozilla Foundation and Ecma International.
      Firefox resource:/// leak is Mozilla's fault.

  2. Nel June 12, 2016 at 7:19 pm #

    This addon doesn't work on Pale Moon. Any alternative?

    • Dave June 12, 2016 at 8:11 pm #

      Firefox is a good alternative to Pale Moon

    • Salty Nutella June 12, 2016 at 8:35 pm #

      Get Firefox.

      • Lestat June 12, 2016 at 8:38 pm #

        Firefox is a Chrome imitation browser thanks to Mozilla's actions. Mozilla is no option anymore until they focus again on power user's needs.

    • CG_ROM June 12, 2016 at 8:43 pm #

      +1 is incompatible with Pale Moon

      • Gary D June 13, 2016 at 12:44 am #

        @ Lestat

        We are reading Martin's blog about an extension.
        You make no comment about that, you just complain about Firefox having "no focus on power user's needs". WHY don't you suggest a "power" user alternative instead of bitching about Firefox all the the time.
        Re-read your comments on Firefox in previous blogs.

    • Moloch June 12, 2016 at 9:50 pm #

      It does on Waterfox :)

  3. HaryHr June 12, 2016 at 7:22 pm #

    Javascript was designed by Netscape not Sun.

  4. adblock June 12, 2016 at 7:32 pm #

    Looking at the comment, it seems anti adblock is using this method to detect adblock?
    I wondery why Mozilla team refuse to fix this. They refused to fix WebExtension install bug too.

  5. oz June 12, 2016 at 8:06 pm #

    Thanks for the info, Martin... the extension seems to be working quite well here. :)

  6. Gary D June 12, 2016 at 8:18 pm #

    Martin

    Thank you for add-on information. I ran the the Browserleak script before and after install.
    Before = lots of leaks
    After = zero leaks :-)

    Another great find from ghacks !

    • Jeff-FL June 12, 2016 at 8:49 pm #

      Same here. Went from a bunch to none. Thanks Martin!

    • Thorky June 13, 2016 at 9:00 am #

      I agree, works marvellous! THX! :)

  7. Pants June 12, 2016 at 8:49 pm #

    I have to say, I have been running this for the last 8 days since I was made aware of it, and it so far has not broken anything major that I know of (I run some 65 addons). The only visual change so far, is that stand-alone images no longer center in the browser - I can live with that.

  8. Moloch June 12, 2016 at 9:57 pm #

    Shame this addon breaks the "Clean Uninstall" addon :( (uninstall window is completely blank)

  9. Onur June 12, 2016 at 11:05 pm #

    thanks this is awesome.

  10. justakiwi June 12, 2016 at 11:33 pm #

    don't seem to work in https://ipleak.net/

    • Pants June 13, 2016 at 8:08 am #

      That's because ipleak is not using resource://uri 's to detect anything, it is using user agent strings (header or JS) and other navigator calls

      • gh June 13, 2016 at 9:24 am #

        The extension triggers when urlbar displays any view-source: scheme
        bug? pageloads bearing a view-source scheme ( or file:// ) should be exempted?
        or... inevitable, due to "resource://" assets being referenced within usercontent.css ?

        Another "false positive":
        Try directly visiting (paste into urlbar) this TINY script which is embedded into this ghacks webpage you're currently reading
        http://static.criteo.net/js/px.js
        Clearly, the px.js script doesn't reference any resource URIs.

      • Pants June 13, 2016 at 12:33 pm #

        @gh

        All I got was this string, after I unblocked temporarily in uMatrix. I can't execute JS from the urlbar (I think its a pref). I also don't have abp :) What was I meant to see? And how does it pertain to ipleak. Did I say something wrong? (I didn't look at the ipleaks code).

        var abp=abpfalse;var scripts=document.getElementsByTagName("script");var script=scripts[scripts.length-1];if(script){var query=script.src.replace(/^[^\?]+\??/,"").split("&");var params={};for(var i=0;i<query.length;i++){var param=query[i].split("=");params[param[0]]=param[1]}if(params["ch"]==1)abp=true;else if(params["ch"]==2)abp=abp&&false};

      • gh June 13, 2016 at 5:32 pm #

        My comment wasn't specific to ipleak; I'm pointing to an apparent bug in the extension's code which results in overzealous / unwarranted blocking.

        http://addons.mozilla.org/en-US/firefox/files/browse/445831/file/resource-filter/content-policy.js
        You can better "see" by injecting a console.log() line (or inject a NotificationBox) immediately prior to the REJECT_REQUEST @line40, then repack the xpi & reinstall it as an unsigned addon.

        Here is a pastebin snippet showing my content-policy.js modification:
        http://pastebin.com/Nqenc8Kf

      • Pants June 13, 2016 at 6:21 pm #

        @gh .. ah OK. You totally threw me with logging a bug in justakiwi's ipleak which wasn't about resource://uri's at all. :)

        Just let cypherpunks (the developer) know : https://trac.torproject.org/projects/tor/ticket/8725

      • gh June 13, 2016 at 7:49 pm #

        Since placing my earlier comments, I've discovered that some of the "apparently over-aggressive" behavior I described and attributed to installation of this extension... is due to a conflict between this FixResourceLeak extension and RequestPolicy (v0.58,modded) extension. Both extensions finesse shouldLoad()

        Someone else pointed out the non-centered layout (after installing FixResourceLeak) when directly viewing any http://...jpg imagefile URL. I'm seeing same result here, even without RequestPolicy in the mix. That's just an oddity, not a reason to avoid using FixResourceLeak extension, IMO.

        > Just let cypherpunks (the developer) know

        Unless that tor developer is the author of FixResourceLeak, I will not.
        I have a couple of open torbrowser tickets (regarding moderate--high severity issues, IMO) and they've sat, unresolved, across a span of 2 years.

  11. Gary D June 13, 2016 at 12:21 am #

    @Moloch

    There is an app which you can use instead. It's called Geek Uninstaller and it is only 2.5 MB.

    It not only uninstalls the program, it also finds and deletes any registry entries as well. If necessary, you can force an uninstall.

    Try it and see if it does the job for you.

    http://www.geekuninstaller.com

    • Gary D June 13, 2016 at 12:35 am #

      @Moloch

      ERROR. Geekuninstaller is for progs. not pref.js. SORRY ! :(

  12. Anonymous June 13, 2016 at 12:54 am #

    i presume a palemoon fix would require removal of the multiprocess script bits, anyone willing to actually do the testing ?

  13. Vane June 13, 2016 at 2:04 am #

    You're french Martin?

    • Martin Brinkmann June 13, 2016 at 7:19 am #

      No I'm German. I fix the link, sorry for that ;)

      • CHEF-KOCH June 13, 2016 at 12:54 pm #

        uarghh germans :p

  14. buck June 13, 2016 at 8:57 am #

    Thanks Martin.

    Before = Lotsa leaks on test page
    After = Nada on test page

    Another valuable ghacks community service.

  15. manicmac June 13, 2016 at 2:08 pm #

    Why go back to firefox, I stopped using it after version 3?

    • zeomal June 13, 2016 at 5:33 pm #

      As Gary D pointed out, this is a post about a Firefox extension and not an article to answer the question "Why go back to Firefox"?

  16. buffer June 13, 2016 at 2:53 pm #

    Nice. Thanks!

  17. earthling June 13, 2016 at 4:10 pm #

    e10s will prevent this. Just tested with FF nightly 49. Thx for pointing it out, so we can use the addon until then.

    • Martin Brinkmann June 13, 2016 at 4:42 pm #

      No it won't as far as I know. The check page is broken since Mozilla changed something in Firefox, but the leak is not plugged yet.

  18. Anonymous June 14, 2016 at 4:28 am #

    I have been using totalspoof and it seems to be doing well to protect me in that regard as far as the basic website test goes.

  19. b June 14, 2016 at 12:04 pm #

    another thank you, Martin. it hasn't broken anything yet. as for browserleaks.com: great tool. I added " canvasblocker" at some point and set it to "fake read out API " as recommended. via browserleaks I discovered that this setting did not have any effect. I changed to "block everythig" which made the job. so far this setting only breaks soundcloud.

    • Pants June 14, 2016 at 1:29 pm #

      Check again: https://www.browserleaks.com/canvas

      By blocking, you will increase your entropy - i.e only a small percentage of people block, every one else provides an actual value. Every time I check at browserleaks, yes I have a check tick because it found a fingerprint, but every time it is unique.

      Your Fingerprint
      Signature ✔ BD0483BF
      Found in DB × False

      • b June 14, 2016 at 2:20 pm #

        @pants
        thank you so much for this information. it never crossed my mind. I reset it right away to the former "fake read out API".

    • Ghost August 3, 2016 at 1:28 am #

      @Pants @b Use this add-on instead of blocking the canvas element: https://addons.mozilla.org/en-US/firefox/addon/no-canvas-fingerprinting/

      To remain private - It's always wise to spoof unique identifiers rather than disabling them. Remember, you want to remain hidden - not stand out.

Leave a Reply