Ability to​ modify JS objects

[offhub]

Is it possible to spoof JS objects with uMatrix?

[gorhill]

Tampermonkey?

[offhub]

Sorry, i wasn't clear.
We can spoof user agent header with randomly selected string but navigator values stays unchanged. Shouldn't it also spoof the navigator values?

[gorhill]

You have a test case I can use to reproduce? A URL?

[offhub]

http://browserspy.dk/useragent.php

[gorhill]

This used to work. I fixed a problem with the messaging code, but it still broken. I can't make sense why, as using tracing code I can see that the spoofed navigator is correctly inserted, but for I don't know what reason, the old one is not being replaced. I will investigate more tomorrow.

[gorhill]

Chromium issue:

Window.navigator is immutable, did not used to be

I would like to understand the explanation (or "explanation") behind this change...

I invite the users to star this Chromium issue (there is a star to the left of the issue number), not sure it will do something, but if only to show people care about features which enhance privacy. I really need to have a Firefox version of uMatrix, this is what happens when we depend on one single browser.

[gorhill]

So currently, UA spoofing is rendered rather useless, unless one disable javascript by default, which is not a very realistic workaround.

Edit: Actually, blacklisting globally XHR while leaving 1st-party javascript whitelisted can also work to defeat browser sniffing. Along with block-all/allow-exceptionally, this is not too bad.

[ghost]

You mean navigator.userAgent cannot be spoofed? Damn, and I just
adjusted some userscripts to use that instead of their own hardcoded
strings, because that solved TamperMonkey getting the extension
conflict due to my other add-on setting the UA.

On 11/20/14, Raymond Hill notifications@github.com wrote:

So currently, UA spoofing is rendered rather useless, unless one disable
javascript by default, which is not a very realistic workaround.

---

Reply to this email directly or view it on GitHub:
#61 (comment)

[gorhill]

You mean navigator.userAgent cannot be spoofed?

Not anymore. It definitely used to work, but this was changed for I don't know why. Your other add-on will also not be able to overwrite navigator.userAgent. You can check with above-mentioned Browserspy link.

[eduardoeae]

Actually, Chameleon extension do accomplish this. https://github.com/ghostwords/chameleon

User Agent from JavaScript Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0

[gorhill]

@eduardoeae You're right, it works. Looking at the code, I see it defines getters for each property, while on my side I try to replace wholesome the window.navigator property. What Chameleon does is certainly better than what I tried to do in uMatrix. I will ask the author if he wishes to contribute his UA-spoofing code to uMatrix.

So it's as if the navigator property on the window object itself cannot be changed, however it's possible to set up getters on the window.navigator object to override the existing properties.

[gorhill]

Just adding one line to define a getter fixes the issue. I will stick with that, importing directly from Chameleon looks like would be way too much work.

When I wrote that code a long time ago I had never looked into getters. I started to use a getter() with uDom and found this pretty cool. Using getters for UA-spoofing is definitely the better approach, that will simplify the code I had written a long time ago.

I never stop learning.