sereneblue / chameleon Goto Github PK

It would be more logical if the other referer option are disabled when you check the disable referer option. Like greying out the text and making it impossible to check/modify them while the disable option is checked.
It would also make it easier to understand what they're doing to new user.

Spoof the oscpu, platform, hardwareConcurrency. On browserleaks:

Add support for options to whitelisted urls.

#21 Added the possibility to set a timezone, however reading on random-agent-spoofer bugtracker, it seems that there are several places where timezone has to be changed. I couldn't understand whether chameleon does that, hence my ticket. If chameleon hasn't that implemented probably it would be good adding such enhancement?

From: dillbyrne/random-agent-spoofer#66

"Currently only the time zone offset is spoofed.
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toGMTString
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toLocaleDateString"

"Some date integer functions were originally included in the spoofing but they were dropped as they were causing page timeouts. Date locale strings will need to be set using the language headers for all the spoffed attributes to match. The selection of the time zone abbreviation is currently randomly selected when a timezone has been chosen. This could be improved to allow users to select the abbreviation in addition to the timezone."

"Time based fuctions such as getHours() need to be spoofed in such a way as to not break functionality like the previous version. Moving the date/time spoofing logic into the inject script will probably address the breakage as the functions will return updated but spoofed data each time they are called."

Does chameleon changes

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toGMTString

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toLocaleDateString

?

Hello,
First off thank you so much for reviving this addon, I missed it!

I'm currently having problems adding a whitelist for youtube.
My current whitelist is:

[ {"url": "youtube.com"}, {"url": "www.youtube.com"} ]

I tried whitelisting the base domain and WWW but whenever I use a chrome user agent the site still fails to load.
I'm unsure if this my mistake or if there is a problem with the extension. Hope someone can help, thanks.

FF 60 is the new esr release and will be around for a long time, therefore I think it would be great having it in the list of browsers.

Seems the user agent causes some issues with Youtube.

dillbyrne/random-agent-spoofer#306

Hi, thanks for the hard work on the extension.
Would it be possible to add an option to allow or remove the notifications ?
Despite having fixed the user-agent, I have a notification every minute or so, which is annoying.

Thanks.

It would be great to have a wiki similar to the one of RAS which would explain what each option does.
It would make it easier for new user to use chameleon.

And it's great that you made a port of RAS ! :)

Hi,

first of all: huge thanks for this addon. The first that is technically able to replace RAS ;)

The only thing I missed was the ability to exclude some UAs. E.g. I only want to use desktop Firefox UAs for Windows & Linux (I had issues with some sites if they think I use Chrome).

Offtopic: RAS implemented profiles. All values (e.g. screen resolution, UA, x-forwarded-for) were changed periodically. So X-Forwarded-For followed was not changed for every image & request, but it followed the rule specified under "change periodically" and used the same entries until the period was over. Is Chameleon following this, too, or are all values changed for every single header request?

Offtopic2: X Origin Policy: this works great, but of course Chameleon can only implement it itself without changing the about:config setting. Maybe some tooltip should show that the about:config setting should be the default value, otherwise Chameleon has no chance and the setting in Chameleon takes no effect. Unfortunately, we don't get an WexExtension API ( https://bugzilla.mozilla.org/show_bug.cgi?id=1414078 ). However, it might get easier to get the "base domain" with this one: https://bugzilla.mozilla.org/show_bug.cgi?id=1315558

There is still a way to read screen size even if spoofing is enabled in C.:
https://arthuredelstein.github.io/tordemos/media-query-fingerprint.html

hi !
thanks for the hard work on this extension.

I've visited https://amiunique.org/fp to check my new spoofed profile and when I check the details of the fingerprint, this site still gets the below correctly

• screen size, despite the spoofing I've activated
• platfrm (I expected this would be impacted by the user agent sent)

Am I expecting too much ?
GLLM

Right now if you want to use a custom agent you are limited to one.
It would be great if you could add more than one (with a "+" icon) and to have like: custom agent #1, custom agent #2 and so on. It would give more flexibility to users.

Hi @sereneblue

I use web.whatsapp.com daily and I found out that Chameleon breaks the site :the QR code flashes and then disappear.
Thanks to trials & errors, I spotted the guilty setting : Resist fingerprinting.

I had to disable it in order to get my QR code properly.
Thanks

Headers and window properties aren't spoofed.

I'm enjoying this Chameleon ++ new successor of RAS
Hopefully you can also migrate the screen resolution spoofing soon :)

Hi

Add an option to "Change Profile Now" would be nice so that you dont need to switch back and forth to one of the Profiles

Thanks
GLLM

On pressing the "+":

FF ESR 60 64 bits on W7 - Chameleon 0.8.16

For modifying screen size spoofing, just letting script injection checked and selecting an other screen size doesn't work. In doing that the true size of your screen just leaks.

In order modifying screen size works, one has to 1) uncheck script injection 2) select the new spoofed screen size ) check script injection again (verification and testing made on http://ip-check.info/ and https://browserleaks.com/javascript).

It would be far more convenient no to have to uncheck an then recheck script injection, and to just have to selecting new spoofed screen size.

Hello,

First let me say thanks for picking up where RAS left off, at least I hope this is where this project is going, to be the RAS replacement for future Firefox versions?

For the Misc Options and Reporting Options can you please make this so we can Toggle them on and off in the Add-On? It's a pain to have to go into about:config when something needs to be changed which can be often, because you know, some of these will break website function, so we need a faster way with the ability to toggle on/off.

Also, I don't see there is the ability at present to tell which Profile you are using unless you simply pay attention at the Notification when starting Firefox. It would be really nice if you could please make a Mouse Over notification, when you place your mouse on the Chameleon icon, there will be a popup displayed, how RAS works, showing the Profile you are on.

Thank you for your time and consideration, I hope you can please make these changes in the near future!

First of all, thank you for reviving this addon. Most addons that spoof your client only spoof the user agent string, which is not enough. There are many other parameters that can be used to fingerprint you, so a more comprehensive addon is necessary.

Under "Options", "Script Injection Options", I have selected "Enable Script Injection". Then, For "Screen size spoofing" I have selected 1920x1080 (a very common screen size).
Then when I go to
https://whoer.net/#extended
it reports that both my screen and window size are 1430 x 1760, which happens to be the window size at this moment. That differs from the setting I chose.

[the same screen size is shown when I use http://mybrowserinfo.com/detail.asp]

is support for other browsers planned? sadly blink seems to lead on the market, so there is big potential user base there.

Hi !

since the devs is quite fast to react, I take advantage of it :

adding a URL to the whitelist should be simpler :

• today, the user has to type {["url","actual_url]} ...
• ideally, the user adds the url and select in a drop down list whatever whitelist category he may chose : url, ...
  at the moment I believe one can only add urls ... so why not enabling this by having the user input one url per line (myabe with a comma at the end of the lnie, for parsing sake) ?

Thanks !
GLLM

Disabling websockets or window.name breaks certain sites, therefore it would be helpful if whitelisting could be used to disable all Chameleon features, including those on the script injection tab. Currently this does not seem to be the case.

This add-on is amazing. An official privacy policy would be comforting.

Also, you should consider adding some sort of donation link. Thank you.

addon not working on Firefox 55.0.3
need fix

Right now you must fill in a custom profile form to use as the whitelist profile. It would be very convenient to have a radio button "Use Real Profile" and another below "Use Custom Profile". This would be perfect if you would rather use your real profile and not have to fill out the form to create a custom whitelist profile.

Also, if you are using your real profile as your whitelist profile, when your browser or system is updated, your whitelist profile is updated as well. You don't have to change the whitelist custom profile fields to match your real profile.

Thanks for the great add-on!

Right now if I want to exclude from the random selection all browsers on Linux I need to toggle several boxes. Same thing if I would like to exclude non-Windows browsers.

It would be handy having a toggle box next to each platform that would automatically toggle/untoggole all the boxes of such platform.

Sadly after activating chameleon my Gesturify gestures stopped working.
Probably related to screen size spoofing.
Any way to fix this ?

Hello. Can you add the time zone change function?

Surely this will help avoid pattern recognition. Hopefully this can be a truly random number within a configurable range and not just a random choice from the existing periods.

Thank you for bringing this to Quantum; missing RAS was probably the biggest of my update gripes so your work is very much appreciated.

The built-in user agent options do spoof these, but you're not able to do so with a custom user agent, making the option somewhat worthless as can be seen on a site like ip-check.info where your real OS is easily detected with a custom UA. These options should be manually spoofable.

Also it would be a good idea to add in user agent options for TorBrowser on various OSes, as it has caused an uproar with its refusal to spoof user agents anymore and will likely drive some users to your project looking to spoof different versions of it.

even tho i have unticked/unchecked the option for enable tracking protection under options -> standard options. which is enabled by default!

in my Firefox preferences -> privacy & security -> tracking protection
it states that An extension, Chameleon, is controlling tracking protection.

issue is that i dont want Chameleon to control or even interfere with my tracking protection settings.

help is appreciated!

thanks in advance
cin

Currently iamunique.org is able to detect whether the user is using adblock or not, and chameleon can't protect against it. Since the use of adblockers despite being popular, is not that widespread overall, it would be good being able to mask its use.

I have no idea (as the test doesn't tells that) how they do that and/if they use any specify adblocker for the test.

For reference the most popular adblockers (according to their websites' stats) are:

Adblock Plus (+11m users) and Ublock Orign (+4.5m users) on Firefox

and

Adblock (+10m users) and Adblock Plus (+10m users) on Chrome.

Right now if you export the settings no timestamp is used, which means it is impossible telling when they were exported unless you manually edit them. Many addons that let you export their settings (i can name PrivacyBadger and Tab Session Manager) add the date to the name of the exported file containing the settings. This is very useful and I would like to request such thing in chameleon too.

Hi, first of all thank you very much for your work on chamelon! I would like to request adding new languages to be used to fake the locale, namely: Arabic,Hindi,Indonesian, and Portuguese-BR, these are languages spoken by tens of millions if not hundreds, of people and many users online speak them.

It's possible to bypass this addon:

https://browserleaks.com/javascript

Click in the iframe.contentWindow tab.

Check this issue for a possible fix.

A notification is displayed every time a profil is switched. RAS used to have an option to disable this but I can't manage to find it with chameleon.
Is it possible to add it ?
Thanks !

Some other apps like noScript, uBlock origin or uMatrix complete very well chameleon. And they have one common point with chameleon : they all frequently break websites pages.
With uMatrix and uBlock, it is possible to display on the icon the number of blocked request. So, if a domain is broken, I can guess which app is in cause and give some supplementary authorisation.

So it could be interesting to have a tab with the list of everything the website tried to do and the possibility to give temporary permission (until the end of the session). Maybe also the data et received (referer, user-agent…). Anything which could allow the user to know if the website is broken because of this app or anothe one and to find the good parameters.

First of all thanks again for your dedication on the project! (3 of my feature requested closed in a few hours, wow!).

This is could be a question more than a feature request as I don't know what's the status of the issue.

It was originally reported on the bug tracker of random-agent-spoofer (here: dillbyrne/random-agent-spoofer#104) in 2014. As the original developer never closed the issue, it made me wonder whether the issue is still present in chameleon. If yes it would be great having it fixed.

The original comment from Lizatoj is:
"I found a bug - the spoofing of the window size is not working.
version from github: 0.9.4.3
Firefox: 31.3 esr
How to test:
Set a random window size in RAM
Check if that works here: ip-check.info (really good free site to check your privacy)
Result:
Window size cannot be set by RAM"

dillbyrne 's answer:
"Hello lizatoj Thanks for your bug report and your support. I am aware of this issue. Currently RAS spoofs the screen size by presenting spoofed javascript values to the site which then queries them and takes the spoofed results as if they are the real values. It used to work on that site in the past.

What is happening now in the case of this site is that it uses a "fontHack" to get the screen size and not the spoofed javascript values we are presenting . I am still looking for a way to block or spoof the "fontHack". I have not had a chance to properly look into it because I have been so busy but I plan to. If you happen to know a way to defeat it please let me know and I will add it."

Is chameleon immune to this?

Hi,

Using chameleon on Firefox 61 on archlinux, I can't watch any netflix video because I get the F7121-1331-P7 error code. As soon as I disable the extension, netflix works again.

Any idea how to prevent this: https://browserleaks.com/rects
There seems to be a partial fix; make sure you read the comment at the linked page by "Developer".

I'll let the screenshots from amiunique.org and doileak.com explain.
This is before I've enabled chameleon.

This is after I enable Chameleon with only a custom user agent (Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0), protecting window.name (what does i do?), and screen size spoofing.

I didn't want to change my browser name and the operating system but it seems that Chameleon does it for me. This behaviour increases my fingerprint uniqueness rather than decreasing it.

Please fix this unexpected behaviour.

Thanks for the awesome add-on.

I have several computers on which I use Chameleon.
I have one on which all site works, another on which it does not.

It would be simpler for me to be able to export / reimport settings rather that checking both aside !

Export to XML files sound cool !

Thanks

Tested on https://browserleaks.com/javascript:

just saw your update on user agents. This are not real everyday values. Could you please integrate the list on https://techblog.willshouse.com/2012/01/03/most-common-user-agents/ (automatically updated there, why no 'update'-button cloning those values in the application?). btw: look at the percentage-rating there, this could also be a good hint for making your browser-user-agent-fingerprint even more generic.

Currently amiunique.org can detect WebGL Vendor and WebGL Renderer even when using chameleon. It can even detect whether you are running in virtualmachine or not. Could you add support for such protection? Thank you very much.

About WebGL Vendors:
-NVIDIA Corporation
-AMD (Not sure about the exact naming)
-VMware Inc. (for virtual machines)

About WebGL Renderers:
-EVGA GeForce GTX 1070
-EVGA GeForce GTX 1060
-EVGA GeForce GTX 1080
-EVGA GeForce GTX 1050
-EVGA GeForce GTX 960
-EVGA GeForce GTX 1050 Ti

Data from Amazon UK and US best sellers (for no. of revies) and https://store.steampowered.com/hwsurvey/videocard/

I experience problems streaming videos.
As soon as I click on the video to pause instead of pausing with the space bar, or trying to skip forward with the mouse instead of the arrow buttons on the keyboard the playback stops.
Movpod won't even play but displays a cross with an error message.
Many other sites have the same problem. These are just two examples I came across this morning when I had enough of this.

Error message is "A network error caused the media download fail part-way".

I removed the extension and the problem is gone.
For now I reinstalled the old Random Agent Spoofer 0.9.5.6 to solve the issues I have.

See images below for reference:

Openload

Backup link: https://cdn.pbrd.co/images/Hu9wiE3.png

movpod

Backup link: https://cdn.pbrd.co/images/Hu9wfv3.png

Hello,
If I go here : http://www.useragents.com/, the real user agent is displayed, even if script injection is enabled.

On panopticlick, the user agent is spoofed, but it still detect the real OS if script injection is disabled. This is not an issue by itself, but under the “enable script injection“ option, I can read “An option with * requires script injection“. And the “Profile” tab don’t display any “*”. You should indicate that this option require script injection until it can work without it.