by 21 3715 days ago
What's the reason for allowing web pages to get absolute screen coordinates?

This is a privacy leak. I have a 24" screen, and I don't keep the browser window maximized because it would be too big. I presume other people do too, and I'm pretty sure most have a preferred size and position.

7 comments

Just use NoScript if you are concerned. JavaScript allows a large number of other ways to identify you as well. Direct ways of course include cookies / local storage / Web SQL, but other indirect ways include localization preferences, OS / browser / plugin / extension fingerprinting, HID inputs, side channel profiling etc. etc. – some combination of these allows uniquely identifying at least 80% of web users.[1][2][3]

Allowing a site to execute JS in your browser is equal to trusting them, like it or not, and browser vendors are definitely in the business of adding new APIs rather than reducing attack surfaces.

[1]: https://wiki.mozilla.org/Fingerprinting

[2]: https://github.com/Valve/fingerprintjs2

[3]: http://noc.to/

Might as well say don't use the web. Disabling javascript will break most sites with a few rare exceptions. (like HN)

NoScript is not about disabling JavaScript but allowing only white-listed domains to execute JavaScript. Generally, I trust the domains I visit frequently, and have them white-listed. I explicitly block domains of "analytics" and social networking services, since these do not offer me any value-added content.

However, if I follow a link to a domain I have never visited before, I will first see if the content is viewable without JavaScript. Most of the time, it actually is.

But sometimes the content does not render at all or the page layout is broken beyond recognition. Then I'll try "temporarily allowing" executing JS from the home domain of the site (I've noticed most sites these days bundle JS from 5+ domains, most of which are analytics and social networking services). For maybe 80% of those sites that do not work without JS, this fixes the issue and I am able to read the content. Takes maybe 2 secs to temporarily white-list and reload the page.

The rest are generally pages that make assumptions like that the analytics library is always present in the page JS scope and then crash when it is not, leaving the content unreadable because the JS layout code never runs. A quick peek at the JS console when the page is loading generally reveals what is the issue.

Sometimes I just ignore those pages, but if I really badly want to see the content, I can launch a one-off incognito window for the page and have the page execute with all the JS tracking and social network code allowed. This solves any issues for almost all remaining pages. If problems still persist, these are generally pages that are just simply broken – maybe the page only works with some specific browser, like Google Chrome (I use Firefox), to start with.

If you're using NoScript in the fine-grained manner you describe, and for privacy reasons (not just security), I wonder have you ever looked at uMatrix[0]. Same deal but a bit more performant, and also covers the whitelisting of other privacy-leaking aspects such as cookies, CSS, tracking pixels, iframes, etc.

[0] https://github.com/gorhill/uMatrix/wiki/FAQ

Thanks, looks very interesting.

It's actually quite the opposite. Most sites will become lightning fast and distraction free.

I have used NoScript consistently for years and I disagree with you. Essentially the only thing NoScript does is make it so when you haven't visited a website before, it doesn't automatically trust it. For the most part every single website I go to needs to have JS enabled for anything to work beyond just reading content.

And even then, I would say 70% of the time, some critical piece of content on a website does not work with JS disabled, be it images or text or video or etc.

I disable JS on my phone, and I disagree with you: the vast majority of the text content web is perfectly readable without JS.

If you want to watch video, you're out of luck. If you want to use a web app, you're out of luck. But if you just want to consume text content, the majority of the web just works, and a lot faster too.

(I've never been able to get NoScript to work right, it's always given me problems. Perhaps part of the problem is NoScript?)

> For the most part every single website I go to needs to have JS enabled for anything to work beyond just reading content.

What percentage of websites is that though? Of course it depends on your browsing habits if it is feasible or not. I don't click social media stuff, I participate only if I really want to or if I am part of a community.

The majority of sites I visit are either regular revisits (rules are easily set up then) or random browsing where security & privacy by default is good.

I never used NoScript but am a big uMatrix fan. There I can easily allow things. NoScript looked super complicated.

I've been using NoScript for years as well, and I have to disagree with you. Now that NoScript auto-permits the base domain (which you can switch off), I don't have to do much manual permissioning. There's the occasional bit, but really, 70% is a ridiculously high estimate.

Then there's the occasional 'funny photo' site which won't work until you enable 15 different sources - in which case, I just pop open Chrome if I really want to see that funny photo.

And then starts the crazy hunt for the one thing you need to turn on to make the page work.

I was trying many years ago to create a public DB/wiki telling us which things we need to turn on to get the page to work, but it got abandoned before I really started.

That sounds super annoying. I don't know how cumbersome NoScript is but with uMatrix (or even RequestPolicy) things are easy.

> What's the reason for allowing web pages to get absolute screen coordinates?

Back in the 90's, Microsoft and Netscape were all too happy to give JS developers the world with almost no regard for security consequences.

We've spent the last 20 years trying to fix their mistakes.

We only spent 15 years trying to fix the mistakes. The last 5 have been spent repeating them.

On the contrary, I would argue that most new web platform features have been designed with more thought for security. We generally ask for user permission first before divulging data, for example. Some new features help mitigate past mistakes, too, like Content Security Policies.

>> What's the reason for allowing web pages to get absolute screen coordinates?

Web developers have always pushed for more access to information about the user and their environment. Browser and tool developers are happy to provide that access. There's always some use case that sounds reasonable, but you're right that it's just a security issue waiting to happen.

These holes are also being talked about in the new Wayland display server on Linux. Warping a mouse pointer, color picking, knowing your app's place on the desktop are all security violations. They are being very careful with that stuff because it's an insecure free-for-all with X.

Every time I upload an attachment to gmail or a picture to facebook, I wonder how secure things are. Those seem to require user action, but do they really?

> Web developers have always pushed for more access to information about the user and their environment. Browser and tool developers are happy to provide that access. There's always some use case that sounds reasonable, but you're right that it's just a security issue waiting to happen.

I'm torn. On the one hand I understand the privacy implications; on the other hand, if you'd want to be serious about those, you'd have to get rid of JavaScript and half of CSS. Every interesting feature can be turned into a privacy/security violation; how far are we willing to go in removing them?

> These holes are also being talked about in the new Wayland display server on Linux. Warping a mouse pointer, color picking, knowing your app's place on the desktop are all security violations. They are being very careful with that stuff because it's an insecure free-for-all with X.

I know the quip about how in IT paranoia is not a sickness but a job requirement, but damn it...

As for web developers pushing for more information: no surprises there, it's so they can more precisely fine-tune the layout of the "app" (notice how they refer to what used to be called a site with a term that used to denote something running locally).

That it also can be used to fingerprint the computer, and by extension the user, is a side effect, not a goal.

Right, never max out your window, it's a known data leak used to fingerprint users.

I'd say that maximizing is more general than having a custom sized window. There are only so many resolutions in use (and I would guess 50%+ is either hd, full hd or qhd). Resizing your windows yields nearly unlimited options for browser sizes.

It's a question of consistency. A few version numbers + window sizes are going to stay the same every visit. It only takes 33 bits of information to uniquely identify everyone on the planet and you likely can get more than 1 from a maximized window.

You can get screen resolution from JS, so I don't see how maxing out the window makes any difference.

A screen resolution is less unique than the size of a maximized window.

How so? Wouldn't there just be a one to one mapping between resolution and maximized windows size? The only way to prevent this is to not maximize windows and instead have custom sized ones, but that just makes identifying you even easier.

The laptop I'm using right now has a 1366x768 screen, a maximized browser window is 1306x768. I bet many other users of that size are going to have browser windows that have the full 1366 px width, but then some height <768 px. Details depend on the OS, the size and position of the taskbar/dock/whatever, ... It's not much, but it adds a bit or two of data.

Custom sized ones make you easier to identify only if you don't change them.

I've used it to automatically position auxiliary windows adjacent to the main window in a data analysis application. I don't see how it reveals anything private about the user... my screen resolution and window location are not secrets to me.

But they may be unique to you, making you more identifiable/trackable. The TOR browser warns you when resizing the window that it reduces privacy.

Personally I don't care either, just thought you might want to know!

But just because it's unique, why does it make it trackable? The overwhelming majority of devices have one of a few common display resolutions, so what's there to link across sessions for identifying users?

The idea is not that your resolution is unique, it's that the maximized window size is unique. They can then track that you have more than one monitor, what size that monitor is, and, probably with some easy math, a gist of how many you have. That setup is probably a lot more unique than expected. That plus possibly some canvas fingerprinting or something similar could probably keep pretty good tabs on you. I have 3 identical 21 inch monitors and I'm browsing on the left-most monitor. Anyone else have that same setup?

Just out of curiosity, what can someone do with this information?

Create a unique fingerprint for your browser used to track you through the web.

Correlate your visits across unrelated websites.

How do you know the coordinates are absolute?

It seems like the child windows are 'special', perhaps the web page can obtain the relative coordinates of these child panels?

It's using window.screenY (and screenX, of course,) which gives absolute coordinates. https://developer.mozilla.org/en-US/docs/Web/API/Window/scre...

I don't think the method you're describing exists. If you want child coordinates relative to parent coordinates, you would use both the parent and child's absolute coordinates.

Thanks to you (and others who've provided this information), so I guess my question now is what is the privacy leak described. I understand that the browser is confessing information about the machine to the web page but I don't understand why that represents a private piece of information. I feel like the information about where the window is located on the screen is useful for implementation and I can't think what it says about me as a user.

Nothing on its own. However it is one of the pieces of information used to create a unique fingerprint for your browser which can be used to track you as you travel across the web. IIRC Tor browser recommends never resizing the window from the browser's default window size.

Go to https://jsfiddle.net/hj697tbg/ and move the window around for a demo.

You can get absolute position of windows or even mouse cursor without any "child window magic": http://codepen.io/anon/pen/pyVYvb
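
The thread's argument about "bits" of identifying information can be made concrete. The following is an added example, not part of any comment above: it measures how much window geometry (`screen.width`/`height`, `outerWidth`/`outerHeight`, `screenX`/`screenY`) narrows down a visitor, and how much reporting only a rounded window size takes away. The eight-visitor population is constructed, and the 100-pixel rounding is an assumed bucket size chosen for illustration.

```javascript
// Constructed sample, not measured data: eight visitors, each record holding
// what a page can read without any permission prompt.
// Columns: screen.width, screen.height, outerWidth, outerHeight, screenX, screenY
const SAMPLE = [
  [1366, 768, 1366, 728, 0, 0],
  [1366, 768, 1366, 728, 0, 0],
  [1366, 768, 1306, 768, 60, 0],    // maximized beside a side dock (sizes from the thread)
  [1366, 768, 1366, 740, 0, 28],
  [1920, 1080, 1920, 1040, 0, 0],
  [1920, 1080, 1920, 1040, 0, 0],
  [1920, 1080, 1280, 900, 317, 94], // same custom size as the next visitor,
  [1920, 1080, 1280, 900, 40, 60],  // told apart only by window position
].map(([sw, sh, ow, oh, x, y]) => ({ sw, sh, ow, oh, x, y }));

// In a browser, pass `window` to get the same record for the current visitor.
function readGeometry(win) {
  return { sw: win.screen.width, sh: win.screen.height,
           ow: win.outerWidth, oh: win.outerHeight, x: win.screenX, y: win.screenY };
}

const KEYS = {
  screenOnly: v => `${v.sw}x${v.sh}`,
  withWindowSize: v => `${v.sw}x${v.sh}|${v.ow}x${v.oh}`,
  withPosition: v => `${v.sw}x${v.sh}|${v.ow}x${v.oh}|${v.x},${v.y}`,
  // Mitigation sketch: expose only the window size rounded down to 100 px.
  bucketed: v => `${Math.floor(v.ow / 100) * 100}x${Math.floor(v.oh / 100) * 100}`,
};

function counts(population, keyFn) {
  const m = new Map();
  for (const v of population) m.set(keyFn(v), (m.get(keyFn(v)) || 0) + 1);
  return m;
}

// Shannon entropy of the attribute over the population, in bits.
function entropyBits(population, keyFn) {
  let h = 0;
  for (const n of counts(population, keyFn).values()) {
    const p = n / population.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Bits one visitor gives away: -log2(share of the population with the same value).
function surprisalBits(population, keyFn, visitor) {
  const n = counts(population, keyFn).get(keyFn(visitor)) || 0;
  return -Math.log2(n / population.length);
}
```

With this sample, the visitor with the 1306x768 window is one of four by screen resolution alone but unique once the window size is included; rounding puts that visitor back in a group of four.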