Fix Firefox resource URI leak
Any website can access a selection of Firefox resource files to find out more about the web browser that is used to connect to the site.
Firefox and add-ons use the resource:// scheme to load resources internally, but some of that information is available to the sites the browser connects to as well.
It is unclear why websites would need access to resource:// resources.
The leak seems to be limited to the default files Firefox ships with, not user-modified files, and that is probably the main reason why Mozilla has not fixed the issue even though it was first reported more than three years ago.
A script on Browserleaks highlights what Firefox reveals when queried by a simple script running on the site.
Please note that the script is broken in recent Nightly and Developer versions of Firefox, but that the issue remains.
The script may reveal the following information about the Firefox web browser:
- Platform the browser is run on.
- Default locale and update locale.
- Whether Tor Browser is used.
- The Firefox channel and whether it is an official build.
- If PDF.js is available and the version of the file.
- Default preference files, items listed, and their checksum (firefox.js, firefox-branding.js, firefox-l10n.js, webide-prefs.js, greprefs.js, services-sync.js, 000-tor-browser.js).
The script that runs on the Browserleaks website detects the locale in two ways. First, it tries to access resource:///chrome/*/locale/ for all possible Firefox locales to identify the locale used.
If resource:///chrome/en-US/ is detected for instance, it means that the Firefox locale is English-US. Additionally, it attempts to access resource://gre/update.locale which reveals the Firefox interface language on all operating systems except on Linux when installed from a repository.
The script checks the file resource:///defaults/preferences/firefox.js afterwards to detect the platform, channel and other information by analyzing the file's content and comparing it to known versions of the file.
Different builds of Firefox use different sets of default preferences and settings, and that's what the leak script uses to determine platform, channel and other information.
To sum it up: websites can currently use a basic script to get information about the Firefox browser. The information is limited to platform, channel and locale.
Fix
The add-on No Resource URI Leak has been created to block websites from accessing resource files. Simply install it in Firefox to block websites from accessing resource files. The easiest way to verify that the add-on is indeed working is to run the Browserleaks test. If it returns no information, the add-on works as intended.
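To show the shape of such a fix, here is an added example (not the No Resource URI Leak add-on's code) of the core decision a content-policy hook makes: a page loaded from a web origin is refused resource:// and chrome:// files, while browser-internal origins keep access. The set of exempt origin schemes and the handling of a missing origin are assumptions of this example, chosen with the view-source: and file: false positives from the comments in mind.

```javascript
// Added example: decision logic of a resource:// blocking content policy.
// Not the add-on's own code; it models what a shouldLoad()-style hook returns.

// Internal schemes that a web page must not be able to read.
const INTERNAL_SCHEMES = new Set(["resource:", "chrome:"]);

// Origins that are browser-internal themselves and legitimately reference
// resource:// assets. Exempting view-source: and file: is an assumption made
// here to avoid the false positives reported in the comments.
const TRUSTED_ORIGIN_SCHEMES = new Set([
  "chrome:", "resource:", "about:", "view-source:", "file:",
]);

// Parse the scheme of a URL spec; null for anything the URL parser rejects.
function schemeOf(spec) {
  try {
    return new URL(spec).protocol;
  } catch (e) {
    return null;
  }
}

// Returns "ACCEPT" or "REJECT_REQUEST", the two nsIContentPolicy verdicts
// the article's comments mention. requestOrigin may be null for loads the
// browser itself starts; those are treated as trusted (assumption).
function shouldLoad(contentLocation, requestOrigin) {
  const target = schemeOf(contentLocation);
  if (!INTERNAL_SCHEMES.has(target)) {
    return "ACCEPT"; // ordinary web resource, nothing to protect
  }
  if (requestOrigin === null || requestOrigin === undefined) {
    return "ACCEPT"; // browser-initiated load, no web page behind it
  }
  const origin = schemeOf(requestOrigin);
  if (TRUSTED_ORIGIN_SCHEMES.has(origin)) {
    return "ACCEPT"; // internal page referencing internal assets
  }
  return "REJECT_REQUEST"; // http(s) or unknown origin probing internals
}

// Constructed probe list modelled on the article (the last entry is a made-up
// stylesheet path used only to show the view-source: exemption).
const PROBES = [
  ["resource:///defaults/preferences/firefox.js", "https://browserleaks.com/"],
  ["resource://gre/update.locale", "http://example.com/page"],
  ["https://example.com/app.js", "https://example.com/"],
  ["resource://gre/example-stylesheet.css", "view-source:https://example.com/"],
];
const VERDICTS = PROBES.map(([target, origin]) => shouldLoad(target, origin));
```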
hello! this needs updating
another thank you, Martin. it hasn’t broken anything yet. as for browserleaks.com: great tool. I added “canvasblocker” at some point and set it to “fake read out API” as recommended. via browserleaks I discovered that this setting did not have any effect. I changed to “block everything” which did the job. so far this setting only breaks soundcloud.
@Pants @b Use this add-on instead of blocking the canvas element: https://addons.mozilla.org/en-US/firefox/addon/no-canvas-fingerprinting/
To remain private – It’s always wise to spoof unique identifiers rather than disabling them. Remember, you want to remain hidden – not stand out.
Check again: https://www.browserleaks.com/canvas
By blocking, you will increase your entropy – i.e. only a small percentage of people block, everyone else provides an actual value. Every time I check at browserleaks, yes I have a check tick because it found a fingerprint, but every time it is unique.
Your Fingerprint
Signature ✔ BD0483BF
Found in DB × False
@pants
thank you so much for this information. it never crossed my mind. I reset it right away to the former “fake read out API”.
I have been using totalspoof and it seems to be doing well to protect me in that regard as far as the basic website test goes.
e10s will prevent this. Just tested with FF nightly 49. Thx for pointing it out, so we can use the addon until then.
No it won’t as far as I know. The check page is broken since Mozilla changed something in Firefox, but the leak is not plugged yet.
Nice. Thanks!
Why go back to firefox, I stopped using it after version 3?
As Gary D pointed out, this is a post about a Firefox extension and not an article to answer the question “Why go back to Firefox”?
Thanks Martin.
Before = Lotsa leaks on test page
After = Nada on test page
Another valuable ghacks community service.
You’re french Martin?
No I’m German. I fix the link, sorry for that ;)
uarghh germans :p
I presume a palemoon fix would require removal of the multiprocess script bits, anyone willing to actually do the testing?
@Moloch
There is an app which you can use instead. It’s called Geek Uninstaller and it is only 2.5 MB.
It not only uninstalls the program, it also finds and deletes any registry entries as well. If necessary, you can force an uninstall.
Try it and see if it does the job for you.
http://www.geekuninstaller.com
@Moloch
ERROR. Geekuninstaller is for progs. not pref.js. SORRY ! :(
doesn’t seem to work in https://ipleak.net/
That’s because ipleak is not using resource:// URIs to detect anything, it is using user agent strings (header or JS) and other navigator calls
Since placing my earlier comments, I’ve discovered that some of the “apparently over-aggressive” behavior I described and attributed to installation of this extension… is due to a conflict between this FixResourceLeak extension and RequestPolicy (v0.58,modded) extension. Both extensions finesse shouldLoad()
Someone else pointed out the non-centered layout (after installing FixResourceLeak) when directly viewing any http://…jpg imagefile URL. I’m seeing same result here, even without RequestPolicy in the mix. That’s just an oddity, not a reason to avoid using FixResourceLeak extension, IMO.
> Just let cypherpunks (the developer) know
Unless that tor developer is the author of FixResourceLeak, I will not.
I have a couple of open torbrowser tickets (regarding moderate–high severity issues, IMO) and they’ve sat, unresolved, across a span of 2 years.
@gh .. ah OK. You totally threw me with logging a bug in justakiwi’s ipleak which wasn’t about resource:// URIs at all. :)
Just let cypherpunks (the developer) know : https://trac.torproject.org/projects/tor/ticket/8725
My comment wasn’t specific to ipleak; I’m pointing to an apparent bug in the extension’s code which results in overzealous / unwarranted blocking.
http://addons.mozilla.org/en-US/firefox/files/browse/445831/file/resource-filter/content-policy.js
You can better “see” by injecting a console.log() line (or inject a NotificationBox) immediately prior to the REJECT_REQUEST @line40, then repack the xpi & reinstall it as an unsigned addon.
Here is a pastebin snippet showing my content-policy.js modification:
http://pastebin.com/Nqenc8Kf
@gh
All I got was this string, after I unblocked temporarily in uMatrix. I can’t execute JS from the urlbar (I think its a pref). I also don’t have abp :) What was I meant to see? And how does it pertain to ipleak. Did I say something wrong? (I didn’t look at the ipleaks code).
var abp=false;var scripts=document.getElementsByTagName("script");var script=scripts[scripts.length-1];
if(script){var query=script.src.replace(/^[^\?]+\??/,"").split("&");var params={};for(var i=0;i<query.length;i++){var param=query[i].split("=");params[param[0]]=param[1]}if(params["ch"]==1)abp=true;else if(params["ch"]==2)abp=abp&&false};
The extension triggers when urlbar displays any view-source: scheme
bug? pageloads bearing a view-source scheme ( or file:// ) should be exempted?
or… inevitable, due to “resource://” assets being referenced within usercontent.css ?
Another “false positive”:
Try directly visiting (paste into urlbar) this TINY script which is embedded into this ghacks webpage you’re currently reading
http://static.criteo.net/js/px.js
Clearly, the px.js script doesn’t reference any resource URIs.
thanks this is awesome.
Shame this addon breaks the “Clean Uninstall” addon :( (uninstall window is completely blank)
I have the same problem, I wonder if its worth contacting the developers?
> breaks the “Clean Uninstall” addon
Fix pushed: https://addons.mozilla.org/en-US/firefox/addon/no-resource-uri-leak/versions/
As for image display, no trivial fix is possible. Fortunately, it is not that fatal: https://discourse.mozilla-community.org/t/support-no-resource-uri-leak/9004/2?u=desktopd
> Looking at the comment, it seems anti adblock is using this method to detect adblock?
Yes, websites can read information about installed add-ons with the leak. This is terrible. Let’s push Mozilla for browser-level fixes. https://bugzil.la/863246 https://bugzil.la/903959
I have to say, I have been running this for the last 8 days since I was made aware of it, and it so far has not broken anything major that I know of (I run some 65 addons). The only visual change so far, is that stand-alone images no longer center in the browser – I can live with that.
Martin
Thank you for the add-on information. I ran the Browserleak script before and after install.
Before = lots of leaks
After = zero leaks :-)
Another great find from ghacks !
I agree, works marvellous! THX! :)
Same here. Went from a bunch to none. Thanks Martin!
Thanks for the info, Martin… the extension seems to be working quite well here. :)
Looking at the comment, it seems anti adblock is using this method to detect adblock?
I wonder why the Mozilla team refuses to fix this. They refused to fix the WebExtension install bug too.
@adblock, and all other visitors –
It appears Mozilla fixed this already in Firefox 57:
https://bugzilla.mozilla.org/show_bug.cgi?id=863246
https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Resource_URLs
I’m posting this here now for everyone, since the Resource URI issue was a significant problem finally fixed, but Martin never posted a follow-up update.
I have not tested the fix myself at the Browserleaks test page, but that’s easy enough to do…
Javascript was designed by Netscape not Sun.
This addon doesn’t work on Pale Moon. Any alternative?
It does on Waterfox :)
+1 is incompatible with Pale Moon
@ Lestat
We are reading Martin’s blog about an extension.
You make no comment about that, you just complain about Firefox having “no focus on power user’s needs”. WHY don’t you suggest a “power” user alternative instead of bitching about Firefox all the time.
Re-read your comments on Firefox in previous blogs.
Get Firefox.
Firefox is a Chrome imitation browser thanks to Mozilla’s actions. Mozilla is no option anymore until they focus again on power user’s needs.
Firefox is a good alternative to Pale Moon
Java and Javascript (JS) by Sun Microsystems and now Oracle Corporation. A leak’s Treasure. No wonder, as Sun and Oracle grew up with CIA funds.
Java is not Javascript.
Java is developed by Sun Microsystems (Oracle Corporation).
Javascript is developed by Netscape Communications Corporation, Mozilla Foundation and Ecma International.
Firefox resource:/// leak is Mozilla’s fault.