Is there a site like ‘cover your tracks’ for showing that websites can see what extensions I have (as opposed to other fingerprinting)? Thank you 🙃
Not really, because AFAIK extension detection needs to be built on a per-extension basis.
Check this https://z0ccc.github.io/extension-detector/
But there is no easy way to detect all extensions, instead most popular ones. My Kiwi Browser on Android has only 2 extensions and only uBlock Origin was detected. Firefox won’t leak them at all.
This says it only detects chrome extensions, so I am not surprised it doesn’t detect your Firefox extensions. Why do you say that Firefox won’t leak extensions at all? Do you have a source for that?
Detecting extensions using web accessible resources is not possible on Firefox as Firefox extension ID’s are unique for every browser instance. Therefore the URL of the extension resources cannot be known by third parties.
and also for Chrome:
in manifest v3 extensions will be able to enable ‘use_dynamic_url’ option, which will change the resource URL for each session (browser restart). This will render this detection method unusable.
Though it should be noted that this method isn’t the only way to detect extensions.
Do you mean this issue is going to be solved only with mv3 implementation? That leaves other chromium browsers staying with both mv2 and mv3 with this issue unresolved…
Not really. But the site says it works only with chrome desktop, not firefox desktop. I have Kiwi installed and Firefox as well to test both, Firefox extensions were not detected.
The way it’s written doesn’t say whether it simply isn’t made to work for Firefox or whether it couldn’t be made to work for Firefox. Fortunately, the latter appears to be the case.
if you click read more, it mentions that it can’t be made to work with firefox
But there is no easy way to detect all extensions, instead most popular ones
It doesn’t really matter if its easy or hard, I’m sure Google already has automated processes in-place to detect all extensions published to the store and fingerprint browsers. They might even have the same for Firefox extensions, who knows.
This is actually a good point. It’s not just a proof of concept for one extension, either: it’s a proof of concept for a wide array of handpicked ones, and the script for it could easily be shrunken.
Ironic that Firefox protects your extensions better, considering Chrome Manifest V3 (the adblock killer) is locking down so much functionality.
I guess Google is too busy locking down the functionality that people want, than to lock down the functionality that would make people more secure.