#83 FPD breaks Gitlab browser check even when it is passive
Opened 2 years ago by wiggum. Modified 2 years ago

Summary

When trying to logon to Gitlab as a registered user, the login page loads correctly. However after entering usr/pwd and hitting enter, the page just sits there. Disabling the JShelter shields solves the issue.

Setup

Using Mozilla Firefox v104.0.1 x64.

Pages affected: https://gitlab.com/users/sign_in
JShelter Version: 0.11.1

Popup information (open JShelter popup on affected pages:

  1. Navigate to a page that you are having trouble with: [https://gitlab.com/users/sign_in]
  2. Click on the JShelter badge icon.
  3. Is JavaScript Shield active? [ON]
  4. Is Network Boundary Shield active? [ON]
  5. Is Fingerprint Detector active? [ON]
  6. What fingerprint likelihood does Fingerprint Detector report? None
  7. Did Fingerprint Detector produce any notifications, if so, what was the notification? (see below)
  8. Click on the Modify button next to the JavaScript Shield label. Default level (recommended)
  9. What is the highlighted level button text?
  10. Click on the Detail tweaks of JS shield for this site button.
  11. What wrappers were triggered by the page, list them below:

Time precision: 20
all other wrappers have count 0

[Optional:]

OS: Win 7 x64
Browser: Mozilla Firefox v104.0.1
Other extensions that might affect JShelter behaviour:

How to reproduce

  1. [List steps to reproduce your issue ]
  2. ...
  3. ...

Expected result

Expected to be able to logon when filling out usr/pwd and hitting enter.

Actual result

When filling out usr/pwd and hitting enter, the page doesn't do anything

Reproducibility

No

Workarounds

Disabling all shields solves the issue.

Have you tried other steps to solve the issue?

No

Full report of the detection:

FingerprintingActivity

Definition of fingerprinting behavior by FPD module.
BrowserProperties

Fingerprinting methods based on simple information gathering by accessing certain APIs.
NavigatorBasic

Basic information about browser and system.
- Navigator.prototype.userAgent (17)
- Navigator.prototype.language (1)
- Navigator.prototype.platform (3)
- Navigator.prototype.product (9)
NavigatorMobile

Information about features supported by mobile devices.
- Navigator.prototype.maxTouchPoints (1)
LocalizationInfo

Localization details and keyboard layout.
- Date.prototype.getTimezoneOffset (1)
ScreenInfo

Information about screen and its properties.
- Screen.prototype.height (2)
- Screen.prototype.width (2)
- Screen.prototype.colorDepth (1)
- Screen.prototype.availWidth (1)
WindowInfo

Information about screen from root Window object.
- window.devicePixelRatio (1)
- window.innerWidth (4)
StorageInfo

Availability of WebStorage technology.
- window.localStorage (15)
- window.sessionStorage (1)
- window.indexedDB (1)
NavigatorFlags

Binary browser settings.
- Navigator.prototype.doNotTrack (6)
TimeInfo

Information about exact time values.
- Performance.prototype.now (5)
- Date.now (44)
AlgorithmicMethods

Fingerprinting methods based on specific procedures, calculations or processing.
FontsEnumFingerprint

System fonts enumeration techniques.
- CanvasRenderingContext2D.prototype.font (2)
CanvasFingerprint

Extraction of rendered image from 2D canvas.
- CanvasRenderingContext2D.prototype.fillText (2)
- CanvasRenderingContext2D.prototype.fillStyle (7)
- HTMLCanvasElement.prototype.toDataURL (1)
- CanvasRenderingContext2D.prototype.getImageData (1)
WebGLFingerprint

Extraction of rendered image from WebGL canvas.
- HTMLCanvasElement.prototype.toDataURL (1)
- CanvasRenderingContext2D.prototype.getImageData (1)
CrawlFpInspector

APIs often abused for fingerprinting according to FP-Inspector study.
- Navigator.prototype.maxTouchPoints (1)
- Navigator.prototype.doNotTrack (6)
- CanvasRenderingContext2D.prototype.fillStyle (7)
- HTMLCanvasElement.prototype.toDataURL (1)
- CanvasRenderingContext2D.prototype.getImageData (1)
- CanvasRenderingContext2D.prototype.isPointInPath (1)
- CanvasRenderingContext2D.prototype.textBaseline (1)
- CanvasRenderingContext2D.prototype.globalCompositeOperation (1)
- CanvasRenderingContext2D.prototype.fillRect (1)
- CanvasRenderingContext2D.prototype.closePath (3)
- CanvasRenderingContext2D.prototype.beginPath (3)


I tried to reproduce the issue.

I was not logged to the gitlab and used the default JShelter configuration and Firefox.

  1. I opened https://gitlab.com/users/sign_in and the page "Checking your browser before accessing gitlab.com" appears, FPD detects a fingerprinting behaviour with high likelihood. The page refreshes every 5 seconds.
  2. I guess that Gitlab detects something strange with the browser and refuses to accept such user.
  3. I turned JSS off but it did not help.
  4. I turned FPD off and I was allowed to see the login page.

I needed to delete all cookies and the local storage to get back to the browser check page.

  1. I kept JSS on and deactivated just FPD.
  2. I was redirected to the login page.

The working result is that FPD breaks GitLab even in its passive behaviour.

Metadata Update from @polcak:
- Issue tagged with: broken page, research

2 years ago

As a workaround disable FPD for Gitlab.

We need to investigate further the root issue.

Log in to comment on this ticket.

Metadata