Fix Firefox resource URI leak

Martin Brinkmann
Jun 12, 2016
Updated • Jun 13, 2016

Any website can access a selection of Firefox resource files to find out more about the web browser that is used to connect to the site.

Firefox and add-ons use the resource:// scheme to load resources internally, but some of that information is available to the sites the browser connects to as well.

It is unclear why websites would need access to resource:// resources.

The leak seems to be limited to the default files Firefox ships with and does not extend to user-modified files. That is probably the main reason why Mozilla has not fixed the issue, even though it was first reported more than three years ago.

A script on Browserleaks highlights what Firefox reveals when queried by a simple script running on the site.


Please note that the script is broken in recent Nightly and Developer versions of Firefox, but that the issue remains.

The script may reveal the following information about the Firefox web browser:

  • Platform the browser is run on.
  • Default locale and update locale.
  • Whether Tor Browser is used.
  • The Firefox channel and whether it is an official build.
  • If PDF.js is available and the version of the file.
  • Default preference files, items listed, and their checksum (firefox.js, firefox-branding.js, firefox-l10n.js, webide-prefs.js, greprefs.js, services-sync.js, 000-tor-browser.js).

The script that runs on the Browserleaks website detects the locale in two ways. First, it tries to access resource:///chrome/*/locale/ for all possible Firefox locales to identify the locale used.

If resource:///chrome/en-US/ is detected for instance, it means that the Firefox locale is English-US. Additionally, it attempts to access resource://gre/update.locale which reveals the Firefox interface language on all operating systems except on Linux when installed from a repository.

The script checks the file resource:///defaults/preferences/firefox.js afterwards to detect the platform, channel and other information by analyzing the file's content and comparing it to known versions of the file.

Different builds of Firefox use different sets of default preferences and settings, and that's what the leak script uses to determine platform, channel and other information.

To sum it up: websites can currently use a basic script to get information about the Firefox browser. The information is limited to platform, channel and locale.

Fix

The add-on No Resource URI Leak has been created to block websites from accessing resource files; simply install it in Firefox. The easiest way to verify that the add-on is indeed working is to run the Browserleaks test. If it returns no information, the add-on works as intended.
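
The decision such a filter has to make, as an added example (not the add-on's code and not from Mozilla): web content is refused resource:// loads, browser-internal origins are allowed, and an optional exemption list covers origins such as view-source: where a scheme-only rule would over-block. ACCEPT and REJECT_REQUEST mirror the nsIContentPolicy constants; the function names, the internal-scheme list, the null-origin rule and the sample requests are assumptions.

```javascript
// Added example. ACCEPT / REJECT_REQUEST mirror the nsIContentPolicy constants;
// everything else here is hypothetical and only models the decision.
const ACCEPT = 1;
const REJECT_REQUEST = -1;

// Origins assumed to be browser-internal and allowed to load resource:// files.
const INTERNAL_SCHEMES = new Set(["chrome", "resource", "about"]);

// Lowercased scheme of a URI string, or null when there is none.
function schemeOf(uri) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(uri || "");
  return m ? m[1].toLowerCase() : null;
}

// Decide whether `origin` (the requesting document) may load `target`.
// `exempt` lists extra origin schemes to let through, e.g. "view-source".
function shouldLoad(target, origin, exempt = new Set()) {
  if (schemeOf(target) !== "resource") return ACCEPT; // only resource:// is filtered
  const from = schemeOf(origin);
  // Assumption: no requesting document means a browser- or user-initiated load.
  if (from === null) return ACCEPT;
  if (INTERNAL_SCHEMES.has(from) || exempt.has(from)) return ACCEPT;
  return REJECT_REQUEST; // web content reaching for a resource:// file
}

// Constructed sample requests. The first three targets are the paths named in
// the article; site.example and the viewer stylesheet are placeholders.
const SAMPLE_REQUESTS = [
  { origin: "https://site.example/", target: "resource:///chrome/en-US/" },
  { origin: "https://site.example/", target: "resource://gre/update.locale" },
  { origin: "https://site.example/", target: "resource:///defaults/preferences/firefox.js" },
  { origin: "https://site.example/", target: "https://site.example/app.js" },
  { origin: "about:preferences", target: "resource://gre/update.locale" },
  { origin: "view-source:https://site.example/", target: "resource://placeholder/viewer.css" },
];

// Returns the requests the policy rejects, as "origin -> target" strings.
function blocked(requests, exempt) {
  return requests
    .filter((r) => shouldLoad(r.target, r.origin, exempt) === REJECT_REQUEST)
    .map((r) => `${r.origin} -> ${r.target}`);
}

console.log(blocked(SAMPLE_REQUESTS));                            // strict policy
console.log(blocked(SAMPLE_REQUESTS, new Set(["view-source"])));  // with exemption
```

With the strict policy the view-source: request is rejected along with the three probes; exempting that scheme leaves only the probes from the website blocked.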


Comments

  1. yeet said on June 7, 2020 at 3:04 pm
    Reply

    hello! this needs updating

  2. b said on June 14, 2016 at 12:04 pm
    Reply

    another thank you, Martin. it hasn’t broken anything yet. as for browserleaks.com: great tool. I added “canvasblocker” at some point and set it to “fake read out API” as recommended. via browserleaks I discovered that this setting did not have any effect. I changed to “block everything” which made the job. so far this setting only breaks soundcloud.

    1. Ghost said on August 3, 2016 at 1:28 am
      Reply

      @Pants @b Use this add-on instead of blocking the canvas element: https://addons.mozilla.org/en-US/firefox/addon/no-canvas-fingerprinting/

      To remain private – It’s always wise to spoof unique identifiers rather than disabling them. Remember, you want to remain hidden – not stand out.

    2. Pants said on June 14, 2016 at 1:29 pm
      Reply

      Check again: https://www.browserleaks.com/canvas

      By blocking, you will increase your entropy – i.e. only a small percentage of people block, everyone else provides an actual value. Every time I check at browserleaks, yes I have a check tick because it found a fingerprint, but every time it is unique.

      Your Fingerprint
      Signature ✔ BD0483BF
      Found in DB × False

      1. b said on June 14, 2016 at 2:20 pm
        Reply

        @pants
        thank you so much for this information. it never crossed my mind. I reset it right away to the former “fake read out API”.

  3. Anonymous said on June 14, 2016 at 4:28 am
    Reply

    I have been using totalspoof and it seems to be doing well to protect me in that regard as far as the basic website test goes.

  4. earthling said on June 13, 2016 at 4:10 pm
    Reply

    e10s will prevent this. Just tested with FF nightly 49. Thx for pointing it out, so we can use the addon until then.

    1. Martin Brinkmann said on June 13, 2016 at 4:42 pm
      Reply

      No it won’t as far as I know. The check page is broken since Mozilla changed something in Firefox, but the leak is not plugged yet.

  5. buffer said on June 13, 2016 at 2:53 pm
    Reply

    Nice. Thanks!

  6. manicmac said on June 13, 2016 at 2:08 pm
    Reply

    Why go back to firefox, I stopped using it after version 3?

    1. zeomal said on June 13, 2016 at 5:33 pm
      Reply

      As Gary D pointed out, this is a post about a Firefox extension and not an article to answer the question “Why go back to Firefox”?

  7. buck said on June 13, 2016 at 8:57 am
    Reply

    Thanks Martin.

    Before = Lotsa leaks on test page
    After = Nada on test page

    Another valuable ghacks community service.

  8. Vane said on June 13, 2016 at 2:04 am
    Reply

    You’re french Martin?

    1. Martin Brinkmann said on June 13, 2016 at 7:19 am
      Reply

      No I’m German. I fix the link, sorry for that ;)

      1. CHEF-KOCH said on June 13, 2016 at 12:54 pm
        Reply

        uarghh germans :p

  9. Anonymous said on June 13, 2016 at 12:54 am
    Reply

    i presume a palemoon fix would require removal of the multiprocess script bits, anyone willing to actually do the testing ?

  10. Gary D said on June 13, 2016 at 12:21 am
    Reply

    @Moloch

    There is an app which you can use instead. It’s called Geek Uninstaller and it is only 2.5 MB.

    It not only uninstalls the program, it also finds and deletes any registry entries as well. If necessary, you can force an uninstall.

    Try it and see if it does the job for you.

    http://www.geekuninstaller.com

    1. Gary D said on June 13, 2016 at 12:35 am
      Reply

      @Moloch

      ERROR. Geekuninstaller is for progs. not pref.js. SORRY ! :(

  11. justakiwi said on June 12, 2016 at 11:33 pm
    Reply

    don’t seem to work in https://ipleak.net/

    1. Pants said on June 13, 2016 at 8:08 am
      Reply

      That’s because ipleak is not using resource://uri ‘s to detect anything, it is using user agent strings (header or JS) and other navigator calls

      1. gh said on June 13, 2016 at 7:49 pm
        Reply

        Since placing my earlier comments, I’ve discovered that some of the “apparently over-aggressive” behavior I described and attributed to installation of this extension… is due to a conflict between this FixResourceLeak extension and RequestPolicy (v0.58,modded) extension. Both extensions finesse shouldLoad()

        Someone else pointed out the non-centered layout (after installing FixResourceLeak) when directly viewing any http://…jpg imagefile URL. I’m seeing same result here, even without RequestPolicy in the mix. That’s just an oddity, not a reason to avoid using FixResourceLeak extension, IMO.

        > Just let cypherpunks (the developer) know

        Unless that tor developer is the author of FixResourceLeak, I will not.
        I have a couple of open torbrowser tickets (regarding moderate–high severity issues, IMO) and they’ve sat, unresolved, across a span of 2 years.

      2. Pants said on June 13, 2016 at 6:21 pm
        Reply

        @gh .. ah OK. You totally threw me with logging a bug in justakiwi’s ipleak which wasn’t about resource://uri’s at all. :)

        Just let cypherpunks (the developer) know : https://trac.torproject.org/projects/tor/ticket/8725

      3. gh said on June 13, 2016 at 5:32 pm
        Reply

        My comment wasn’t specific to ipleak; I’m pointing to an apparent bug in the extension’s code which results in overzealous / unwarranted blocking.

        http://addons.mozilla.org/en-US/firefox/files/browse/445831/file/resource-filter/content-policy.js
        You can better “see” by injecting a console.log() line (or inject a NotificationBox) immediately prior to the REJECT_REQUEST @line40, then repack the xpi & reinstall it as an unsigned addon.

        Here is a pastebin snippet showing my content-policy.js modification:
        http://pastebin.com/Nqenc8Kf

      4. Pants said on June 13, 2016 at 12:33 pm
        Reply

        @gh

        All I got was this string, after I unblocked temporarily in uMatrix. I can’t execute JS from the urlbar (I think it’s a pref). I also don’t have abp :) What was I meant to see? And how does it pertain to ipleak. Did I say something wrong? (I didn’t look at the ipleaks code).

        var abp=abpfalse;var scripts=document.getElementsByTagName("script");var script=scripts[scripts.length-1];if(script){var query=script.src.replace(/^[^\?]+\??/,"").split("&");var params={};for(var i=0;i<query.length;i++){var param=query[i].split("=");params[param[0]]=param[1]}if(params["ch"]==1)abp=true;else if(params["ch"]==2)abp=abp&&false};

      5. gh said on June 13, 2016 at 9:24 am
        Reply

        The extension triggers when urlbar displays any view-source: scheme
        bug? pageloads bearing a view-source scheme ( or file:// ) should be exempted?
        or… inevitable, due to “resource://” assets being referenced within usercontent.css ?

        Another “false positive”:
        Try directly visiting (paste into urlbar) this TINY script which is embedded into this ghacks webpage you’re currently reading
        http://static.criteo.net/js/px.js
        Clearly, the px.js script doesn’t reference any resource URIs.

  12. Onur said on June 12, 2016 at 11:05 pm
    Reply

    thanks this is awesome.

  13. Moloch said on June 12, 2016 at 9:57 pm
    Reply

    Shame this addon breaks the “Clean Uninstall” addon :( (uninstall window is completely blank)

    1. Paul said on June 13, 2016 at 6:09 pm
      Reply

      I have the same problem, I wonder if it’s worth contacting the developers?

      1. Desktopd (Dev) said on June 16, 2016 at 3:39 pm
        Reply

        > breaks the “Clean Uninstall” addon
        Fix pushed: https://addons.mozilla.org/en-US/firefox/addon/no-resource-uri-leak/versions/

        As for image display, no trivial fix is possible. Fortunately, it is not that fatal: https://discourse.mozilla-community.org/t/support-no-resource-uri-leak/9004/2?u=desktopd

        > Looking at the comment, it seems anti adblock is using this method to detect adblock?
        Yes, websites can read information about installed add-ons with the leak. This is terrible. Let’s push Mozilla for browser-level fixes. https://bugzil.la/863246 https://bugzil.la/903959

  14. Pants said on June 12, 2016 at 8:49 pm
    Reply

    I have to say, I have been running this for the last 8 days since I was made aware of it, and it so far has not broken anything major that I know of (I run some 65 addons). The only visual change so far, is that stand-alone images no longer center in the browser – I can live with that.

  15. Gary D said on June 12, 2016 at 8:18 pm
    Reply

    Martin

    Thank you for add-on information. I ran the Browserleak script before and after install.
    Before = lots of leaks
    After = zero leaks :-)

    Another great find from ghacks !

    1. Thorky said on June 13, 2016 at 9:00 am
      Reply

      I agree, works marvellous! THX! :)

    2. Jeff-FL said on June 12, 2016 at 8:49 pm
      Reply

      Same here. Went from a bunch to none. Thanks Martin!

  16. oz said on June 12, 2016 at 8:06 pm
    Reply

    Thanks for the info, Martin… the extension seems to be working quite well here. :)

  17. adblock said on June 12, 2016 at 7:32 pm
    Reply

    Looking at the comment, it seems anti adblock is using this method to detect adblock?
    I wonder why Mozilla team refuse to fix this. They refused to fix WebExtension install bug too.

    1. oden said on August 11, 2020 at 7:32 am
      Reply

      @adblock, and all other visitors –

      It appears Mozilla fixed this already in Firefox 57:

      https://bugzilla.mozilla.org/show_bug.cgi?id=863246
      https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Resource_URLs

      I’m posting this here now for everyone, since the Resource URI issue was a significant problem finally fixed, but Martin never posted a follow-up update.

      I have not tested the fix myself at the Browserleaks test page, but that’s easy enough to do…

  18. HaryHr said on June 12, 2016 at 7:22 pm
    Reply

    Javascript was designed by Netscape not Sun.

  19. Nel said on June 12, 2016 at 7:19 pm
    Reply

    This addon doesn’t work on Pale Moon. Any alternative?

    1. Moloch said on June 12, 2016 at 9:50 pm
      Reply

      It does on Waterfox :)

    2. CG_ROM said on June 12, 2016 at 8:43 pm
      Reply

      +1 is incompatible with Pale Moon

      1. Gary D said on June 13, 2016 at 12:44 am
        Reply

        @ Lestat

        We are reading Martin’s blog about an extension.
        You make no comment about that, you just complain about Firefox having “no focus on power user’s needs”. WHY don’t you suggest a “power” user alternative instead of bitching about Firefox all the time.
        Re-read your comments on Firefox in previous blogs.

    3. Salty Nutella said on June 12, 2016 at 8:35 pm
      Reply

      Get Firefox.

      1. Lestat said on June 12, 2016 at 8:38 pm
        Reply

        Firefox is a Chrome imitation browser thanks to Mozilla’s actions. Mozilla is no option anymore until they focus again on power user’s needs.

    4. Dave said on June 12, 2016 at 8:11 pm
      Reply

      Firefox is a good alternative to Pale Moon

  20. Silicon Agent said on June 12, 2016 at 7:03 pm
    Reply

    Java and Javascript (JS) by Sun Microsystems and now Oracle Corporation. A leak’s Treasure. No wonder, as Sun and Oracle grew up with CIA funds.

    1. Salty Nutella said on June 12, 2016 at 8:31 pm
      Reply

      Java is not Javascript.
      Java is developed by Sun Microsystems (Oracle Corporation).
      Javascript is developed by Netscape Communications Corporation, Mozilla Foundation and Ecma International.
      Firefox resource:/// leak is Mozilla’s fault.
