wrappingS-GP.js File Reference

This file contains wrappers for the Gamepad API. More...

Functions
	if (doNoise===true)

Variables
var	doNoise = args[1]
var	pastValues = {}
var	wrappers

Detailed Description

This file contains wrappers for the Gamepad API.

See also

https://w3c.github.io/gamepad/

Author

Copyright (C) 2021 Libor Polcak

License:

SPDX-License-Identifier: GPL-3.0-or-later

navigator.getGamepads() allows any page script to learn the gampepads connected to the computer if the feature is not blocked by the Feature-Policy.

U. Iqbal, S. Englehardt and Z. Shafiq, "Fingerprinting the Fingerprinters: Learning to Detect Browser Fingerprinting Behaviors," in 2021 2021 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, US, 2021 pp. 283-301 observed (https://github.com/uiowa-irl/FP-Inspector/blob/master/Data/potential_fingerprinting_APIs.md) that the interface is used in the wild to fingerprint users. As it is likely that only a minority of users have a gamepad connected and the API provides additional information on the HW, it is likely that users with a gamepad connected are easily fingerprintable.

As we expect that the majority of the users does not have a gamepad connected, we provide only a single mitigation - the wrapped APIs returns an empty list.

Bug:

The standard provides an event gamepadconnected and gamepaddisconnected that fires at least on the window object. We do not mitigate the event to fire and consequently, it is possible that an adversary can learn that a gamepad was (dis)connected but there was no change in the result of the navigator.getGamepads() API.

The gamepad representing object carries a timestamp of the last change of the gamepad. As we allow wrapping of several ways to obtain timestamps, we need to provide the same precision for the Gamepad object.

Function Documentation

if()

if

(

doNoise = == true

)

Variable Documentation

doNoise

var doNoise = args[1]

pastValues

var pastValues = {}

wrappers

var wrappers