Hi there,

I recently grew concerned about fingerprinting. What is that? It's sort of a uniquely-identified hash of a set of stable informations about your browser (and possibly your OS) that websites can access and store for tracking purposes. See Panopticlick, BrowserSpy and also the Mozilla wiki.

Given that fingerprinting methods often require browser plugins such as Flash or Java, a first step is to configure your browser to enable plugins on-demand and per-site. With plugins disabled, the second most important source of intel is JavaScript. NoScript helps a lot, but for third-party trackers only. I cannot always afford to disable JS on a site's main domain. Also, I know Tor is able to replace some of the browser's exposed values.
Actually I'm more interested with what we can do with Greasemonkey only. For science.

I'm currently focusing on two sources:

  • navigator.plugins
  • navigator.mimeTypes

Here is what I tried for now:

// @include   *
// @grant     none
// @run-at    document-start

Object.defineProperties(navigator, {
   'plugins': {
      configurable: false,
      enumerable: true,
      get: function() { return {}; },
      set: function() {}
   },
   'mimeTypes': {
      configurable: false,
      enumerable: true,
      get: function() { return {}; },
      set: function() {}
   },
});

I quickly noticed that it broke many of the sites I visit on a daily basis.
This is because maaany sites (including Youtube and most of gaming sites) use either one or both of these objects to check the presence and version of a required plugin. So I added @exclude rules, but this doesn't seem like a convenient solution. Implementing a (black|white)list feature would certainly do better, unless it becomes too cumbersome for the user. The ideal would be to be able to decide out, at runtime, between a real need for a given plugin and a retrieval for tracking purposes. But I doubt this is possible :P

I feel like cloaking JS-exposed browser values is something complicated, and requires fine tuning. So I'm opening this topic mainly as a zone for idea proposal and discussion. Maybe we'll eventually find out that Greasemonkey isn't suited to solve this problem, but I repeat, this is for science!

ATM I'm experimenting with Firefox' proxies. I keep you in tune with my results wery soon :)

Firefox has a hidden preference named plugins.enumerable_names that defaults to * meaning that websites can enumerate the entire plugins collection. You can edit this preference to limit what sites can find, which may make your browser appear less unique.

For example:

Open a tab to this test page to see what shows up in normal enumeration (keep open for later comparison): https://jeffersonscher.com/res/jstest.php

Then select and copy this string: Adobe Acrobat,Shockwave Flash,Silverlight Plug-In

In a new tab open about:config, double-click the plugins.enumerable_names preference, and paste that in place of the * and OK your change.

Then in a new tab, launch the test page again and compare the difference with the previous test results. The new page should only find the specified plugins using simple enumeration.

Re: @jscher2000:
Hmm, I don't see a way to edit that last post. Just to clarify, sites still can query the plugins connection by individual plugin name; this preference only affects the easiest way to gather the list.