#83 FPD breaks Gitlab browser check even when it is passive
Opened 2 years ago by wiggum. Modified a year ago


When trying to logon to Gitlab as a registered user, the login page loads correctly. However after entering usr/pwd and hitting enter, the page just sits there. Disabling the JShelter shields solves the issue.


Using Mozilla Firefox v104.0.1 x64.

Pages affected: https://gitlab.com/users/sign_in
JShelter Version: 0.11.1

Popup information (open JShelter popup on affected pages:

  1. Navigate to a page that you are having trouble with: [https://gitlab.com/users/sign_in]
  2. Click on the JShelter badge icon.
  3. Is JavaScript Shield active? [ON]
  4. Is Network Boundary Shield active? [ON]
  5. Is Fingerprint Detector active? [ON]
  6. What fingerprint likelihood does Fingerprint Detector report? None
  7. Did Fingerprint Detector produce any notifications, if so, what was the notification? (see below)
  8. Click on the Modify button next to the JavaScript Shield label. Default level (recommended)
  9. What is the highlighted level button text?
  10. Click on the Detail tweaks of JS shield for this site button.
  11. What wrappers were triggered by the page, list them below:

Time precision: 20
all other wrappers have count 0


OS: Win 7 x64
Browser: Mozilla Firefox v104.0.1
Other extensions that might affect JShelter behaviour:

How to reproduce

  1. [List steps to reproduce your issue ]
  2. ...
  3. ...

Expected result

Expected to be able to logon when filling out usr/pwd and hitting enter.

Actual result

When filling out usr/pwd and hitting enter, the page doesn't do anything




Disabling all shields solves the issue.

Have you tried other steps to solve the issue?


Full report of the detection:


Definition of fingerprinting behavior by FPD module.

Fingerprinting methods based on simple information gathering by accessing certain APIs.

Basic information about browser and system.
- Navigator.prototype.userAgent (17)
- Navigator.prototype.language (1)
- Navigator.prototype.platform (3)
- Navigator.prototype.product (9)

Information about features supported by mobile devices.
- Navigator.prototype.maxTouchPoints (1)

Localization details and keyboard layout.
- Date.prototype.getTimezoneOffset (1)

Information about screen and its properties.
- Screen.prototype.height (2)
- Screen.prototype.width (2)
- Screen.prototype.colorDepth (1)
- Screen.prototype.availWidth (1)

Information about screen from root Window object.
- window.devicePixelRatio (1)
- window.innerWidth (4)

Availability of WebStorage technology.
- window.localStorage (15)
- window.sessionStorage (1)
- window.indexedDB (1)

Binary browser settings.
- Navigator.prototype.doNotTrack (6)

Information about exact time values.
- Performance.prototype.now (5)
- Date.now (44)

Fingerprinting methods based on specific procedures, calculations or processing.

System fonts enumeration techniques.
- CanvasRenderingContext2D.prototype.font (2)

Extraction of rendered image from 2D canvas.
- CanvasRenderingContext2D.prototype.fillText (2)
- CanvasRenderingContext2D.prototype.fillStyle (7)
- HTMLCanvasElement.prototype.toDataURL (1)
- CanvasRenderingContext2D.prototype.getImageData (1)

Extraction of rendered image from WebGL canvas.
- HTMLCanvasElement.prototype.toDataURL (1)
- CanvasRenderingContext2D.prototype.getImageData (1)

APIs often abused for fingerprinting according to FP-Inspector study.
- Navigator.prototype.maxTouchPoints (1)
- Navigator.prototype.doNotTrack (6)
- CanvasRenderingContext2D.prototype.fillStyle (7)
- HTMLCanvasElement.prototype.toDataURL (1)
- CanvasRenderingContext2D.prototype.getImageData (1)
- CanvasRenderingContext2D.prototype.isPointInPath (1)
- CanvasRenderingContext2D.prototype.textBaseline (1)
- CanvasRenderingContext2D.prototype.globalCompositeOperation (1)
- CanvasRenderingContext2D.prototype.fillRect (1)
- CanvasRenderingContext2D.prototype.closePath (3)
- CanvasRenderingContext2D.prototype.beginPath (3)

I tried to reproduce the issue.

I was not logged to the gitlab and used the default JShelter configuration and Firefox.

  1. I opened https://gitlab.com/users/sign_in and the page "Checking your browser before accessing gitlab.com" appears, FPD detects a fingerprinting behaviour with high likelihood. The page refreshes every 5 seconds.
  2. I guess that Gitlab detects something strange with the browser and refuses to accept such user.
  3. I turned JSS off but it did not help.
  4. I turned FPD off and I was allowed to see the login page.

I needed to delete all cookies and the local storage to get back to the browser check page.

  1. I kept JSS on and deactivated just FPD.
  2. I was redirected to the login page.

The working result is that FPD breaks GitLab even in its passive behaviour.

Metadata Update from @polcak:
- Issue tagged with: broken page, research

a year ago

As a workaround disable FPD for Gitlab.

We need to investigate further the root issue.

Login to comment on this ticket.