JavaScript Restrictor
Browser extension that improves privacy and security
wrappingS-XR.js File Reference

This file contains wrappers for the current Virtual/Augmented Reality API (WebXR) More...

Detailed Description

This file contains wrappers for the current Virtual/Augmented Reality API (WebXR)

See also
https://developer.mozilla.org/en-US/docs/Web/API/WebXR_Device_API
https://immersive-web.github.io/webxr/
Author
Copyright (C) 2021 Libor Polcak
License:
SPDX-License-Identifier: GPL-3.0-or-later

navigator.xr allows any page script to learn the VR displays attached to the computer and more.

U. Iqbal, S. Englehardt and Z. Shafiq, "Fingerprinting the Fingerprinters: Learning to Detect Browser Fingerprinting Behaviors," in 2021 2021 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, US, 2021 pp. 283-301 observed (https://github.com/uiowa-irl/FP-Inspector/blob/master/Data/potential_fingerprinting_APIs.md) that the orginal WebVR API is used in the wild to fingerprint users. As it is likely that only a minority of users have a VR display connected and the API provides additional information on the HW, it is likely that users with a VR display connected are easily fingerprintable.

As all the API calls are accessible through the navigator.xr API, we provide a single mitigation. We disable the API completely. This might need to be revised once this API is commonly enabled in browsers.