sereneblue / chameleon Goto Github PK
View Code? Open in Web Editor NEWWebExtension port of Random Agent Spoofer
Home Page: https://sereneblue.github.io/chameleon
License: GNU General Public License v3.0
WebExtension port of Random Agent Spoofer
Home Page: https://sereneblue.github.io/chameleon
License: GNU General Public License v3.0
Right now you must fill in a custom profile form to use as the whitelist profile. It would be very convenient to have a radio button "Use Real Profile" and another below "Use Custom Profile". This would be perfect if you would rather use your real profile and not have to fill out the form to create a custom whitelist profile.
Also, if you are using your real profile as your whitelist profile, when your browser or system is updated, your whitelist profile is updated as well. You don't have to change the whitelist custom profile fields to match your real profile.
Thanks for the great add-on!
Hi,
Using chameleon on Firefox 61 on archlinux, I can't watch any netflix video because I get the F7121-1331-P7 error code. As soon as I disable the extension, netflix works again.
is support for other browsers planned? sadly blink seems to lead on the market, so there is big potential user base there.
There is still a way to read screen size even if spoofing is enabled in C.:
https://arthuredelstein.github.io/tordemos/media-query-fingerprint.html
First of all, thank you for reviving this addon. Most addons that spoof your client only spoof the user agent string, which is not enough. There are many other parameters that can be used to fingerprint you, so a more comprehensive addon is necessary.
Under "Options", "Script Injection Options", I have selected "Enable Script Injection". Then, For "Screen size spoofing" I have selected 1920x1080 (a very common screen size).
Then when I go to
https://whoer.net/#extended
it reports that both my screen and window size are 1430 x 1760, which happens to be the window size at this moment. That differs from the setting I chose.
[the same screen size is shown when I use http://mybrowserinfo.com/detail.asp]
I have several computers on which I use Chameleon.
I have one on which all site works, another on which it does not.
It would be simpler for me to be able to export / reimport settings rather that checking both aside !
Export to XML files sound cool !
Thanks
FF ESR 60 64 bits on W7 - Chameleon 0.8.16
For modifying screen size spoofing, just letting script injection checked and selecting an other screen size doesn't work. In doing that the true size of your screen just leaks.
In order modifying screen size works, one has to 1) uncheck script injection 2) select the new spoofed screen size ) check script injection again (verification and testing made on http://ip-check.info/ and https://browserleaks.com/javascript).
It would be far more convenient no to have to uncheck an then recheck script injection, and to just have to selecting new spoofed screen size.
Checking "protect window.name" and enabling script injection make me my browser remain stuck on the homepage of http://ip-check.info, without being able to go to the results page (and to check whether the protection has worked or not).
Some other apps like noScript, uBlock origin or uMatrix complete very well chameleon. And they have one common point with chameleon : they all frequently break websites pages.
With uMatrix and uBlock, it is possible to display on the icon the number of blocked request. So, if a domain is broken, I can guess which app is in cause and give some supplementary authorisation.
So it could be interesting to have a tab with the list of everything the website tried to do and the possibility to give temporary permission (until the end of the session). Maybe also the data et received (referer, user-agent…). Anything which could allow the user to know if the website is broken because of this app or anothe one and to find the good parameters.
First of all thanks again for your dedication on the project! (3 of my feature requested closed in a few hours, wow!).
This is could be a question more than a feature request as I don't know what's the status of the issue.
It was originally reported on the bug tracker of random-agent-spoofer (here: dillbyrne/random-agent-spoofer#104) in 2014. As the original developer never closed the issue, it made me wonder whether the issue is still present in chameleon. If yes it would be great having it fixed.
The original comment from Lizatoj is:
"I found a bug - the spoofing of the window size is not working.
version from github: 0.9.4.3
Firefox: 31.3 esr
How to test:
Set a random window size in RAM
Check if that works here: ip-check.info (really good free site to check your privacy)
Result:
Window size cannot be set by RAM"
dillbyrne 's answer:
"Hello lizatoj Thanks for your bug report and your support. I am aware of this issue. Currently RAS spoofs the screen size by presenting spoofed javascript values to the site which then queries them and takes the spoofed results as if they are the real values. It used to work on that site in the past.
What is happening now in the case of this site is that it uses a "fontHack" to get the screen size and not the spoofed javascript values we are presenting . I am still looking for a way to block or spoof the "fontHack". I have not had a chance to properly look into it because I have been so busy but I plan to. If you happen to know a way to defeat it please let me know and I will add it."
Is chameleon immune to this?
Seems the user agent causes some issues with Youtube.
Sadly after activating chameleon my Gesturify gestures stopped working.
Probably related to screen size spoofing.
Any way to fix this ?
It would be great to have a wiki similar to the one of RAS which would explain what each option does.
It would make it easier for new user to use chameleon.
And it's great that you made a port of RAS ! :)
Hi, thanks for the hard work on the extension.
Would it be possible to add an option to allow or remove the notifications ?
Despite having fixed the user-agent, I have a notification every minute or so, which is annoying.
Thanks.
This add-on is amazing. An official privacy policy would be comforting.
Also, you should consider adding some sort of donation link. Thank you.
even tho i have unticked/unchecked the option for enable tracking protection under options -> standard options. which is enabled by default!
in my Firefox preferences -> privacy & security -> tracking protection
it states that An extension, Chameleon, is controlling tracking protection.
issue is that i dont want Chameleon to control or even interfere with my tracking protection settings.
help is appreciated!
thanks in advance
cin
Hello,
First let me say thanks for picking up where RAS left off, at least I hope this is where this project is going, to be the RAS replacement for future Firefox versions?
For the Misc Options
and Reporting Options
can you please make this so we can Toggle them on and off in the Add-On? It's a pain to have to go into about:config when something needs to be changed which can be often, because you know, some of these will break website function, so we need a faster way with the ability to toggle on/off.
Also, I don't see there is the ability at present to tell which Profile you are using unless you simply pay attention at the Notification when starting Firefox. It would be really nice if you could please make a Mouse Over
notification, when you place your mouse on the Chameleon icon, there will be a popup displayed, how RAS works, showing the Profile you are on.
Thank you for your time and consideration, I hope you can please make these changes in the near future!
It would be more logical if the other referer option are disabled when you check the disable referer option. Like greying out the text and making it impossible to check/modify them while the disable option is checked.
It would also make it easier to understand what they're doing to new user.
Any idea how to prevent this: https://browserleaks.com/rects
There seems to be a partial fix; make sure you read the comment at the linked page by "Developer".
Currently iamunique.org is able to detect whether the user is using adblock or not, and chameleon can't protect against it. Since the use of adblockers despite being popular, is not that widespread overall, it would be good being able to mask its use.
I have no idea (as the test doesn't tells that) how they do that and/if they use any specify adblocker for the test.
For reference the most popular adblockers (according to their websites' stats) are:
Adblock Plus (+11m users) and Ublock Orign (+4.5m users) on Firefox
and
Adblock (+10m users) and Adblock Plus (+10m users) on Chrome.
hi !
thanks for the hard work on this extension.
I've visited https://amiunique.org/fp to check my new spoofed profile and when I check the details of the fingerprint, this site still gets the below correctly
Am I expecting too much ?
GLLM
Right now if you export the settings no timestamp is used, which means it is impossible telling when they were exported unless you manually edit them. Many addons that let you export their settings (i can name PrivacyBadger and Tab Session Manager) add the date to the name of the exported file containing the settings. This is very useful and I would like to request such thing in chameleon too.
Hi @sereneblue
I use web.whatsapp.com daily and I found out that Chameleon breaks the site :the QR code flashes and then disappear.
Thanks to trials & errors, I spotted the guilty setting : Resist fingerprinting.
I had to disable it in order to get my QR code properly.
Thanks
Hi
Add an option to "Change Profile Now" would be nice so that you dont need to switch back and forth to one of the Profiles
Thanks
GLLM
just saw your update on user agents. This are not real everyday values. Could you please integrate the list on https://techblog.willshouse.com/2012/01/03/most-common-user-agents/ (automatically updated there, why no 'update'-button cloning those values in the application?). btw: look at the percentage-rating there, this could also be a good hint for making your browser-user-agent-fingerprint even more generic.
I'm enjoying this Chameleon ++ new successor of RAS
Hopefully you can also migrate the screen resolution spoofing soon :)
Hello. Can you add the time zone change function?
FF 60 is the new esr release and will be around for a long time, therefore I think it would be great having it in the list of browsers.
Hi, first of all thank you very much for your work on chamelon! I would like to request adding new languages to be used to fake the locale, namely: Arabic,Hindi,Indonesian, and Portuguese-BR, these are languages spoken by tens of millions if not hundreds, of people and many users online speak them.
Hi !
since the devs is quite fast to react, I take advantage of it :
adding a URL to the whitelist should be simpler :
Thanks !
GLLM
Add support for options to whitelisted urls.
Surely this will help avoid pattern recognition. Hopefully this can be a truly random number within a configurable range and not just a random choice from the existing periods.
Thank you for bringing this to Quantum; missing RAS was probably the biggest of my update gripes so your work is very much appreciated.
I experience problems streaming videos.
As soon as I click on the video to pause instead of pausing with the space bar, or trying to skip forward with the mouse instead of the arrow buttons on the keyboard the playback stops.
Movpod won't even play but displays a cross with an error message.
Many other sites have the same problem. These are just two examples I came across this morning when I had enough of this.
Error message is "A network error caused the media download fail part-way".
I removed the extension and the problem is gone.
For now I reinstalled the old Random Agent Spoofer 0.9.5.6 to solve the issues I have.
See images below for reference:
Backup link: https://cdn.pbrd.co/images/Hu9wiE3.png
Backup link: https://cdn.pbrd.co/images/Hu9wfv3.png
Hello,
First off thank you so much for reviving this addon, I missed it!
I'm currently having problems adding a whitelist for youtube.
My current whitelist is:
[ {"url": "youtube.com"}, {"url": "www.youtube.com"} ]
I tried whitelisting the base domain and WWW but whenever I use a chrome user agent the site still fails to load.
I'm unsure if this my mistake or if there is a problem with the extension. Hope someone can help, thanks.
A notification is displayed every time a profil is switched. RAS used to have an option to disable this but I can't manage to find it with chameleon.
Is it possible to add it ?
Thanks !
Disabling websockets or window.name breaks certain sites, therefore it would be helpful if whitelisting could be used to disable all Chameleon features, including those on the script injection tab. Currently this does not seem to be the case.
I'll let the screenshots from amiunique.org and doileak.com explain.
This is before I've enabled chameleon.
This is after I enable Chameleon with only a custom user agent (Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0), protecting window.name (what does i do?), and screen size spoofing.
I didn't want to change my browser name and the operating system but it seems that Chameleon does it for me. This behaviour increases my fingerprint uniqueness rather than decreasing it.
Please fix this unexpected behaviour.
Thanks for the awesome add-on.
Hello,
If I go here : http://www.useragents.com/, the real user agent is displayed, even if script injection is enabled.
On panopticlick, the user agent is spoofed, but it still detect the real OS if script injection is disabled. This is not an issue by itself, but under the “enable script injection“ option, I can read “An option with * requires script injection“. And the “Profile” tab don’t display any “*”. You should indicate that this option require script injection until it can work without it.
Right now if I want to exclude from the random selection all browsers on Linux I need to toggle several boxes. Same thing if I would like to exclude non-Windows browsers.
It would be handy having a toggle box next to each platform that would automatically toggle/untoggole all the boxes of such platform.
#21 Added the possibility to set a timezone, however reading on random-agent-spoofer bugtracker, it seems that there are several places where timezone has to be changed. I couldn't understand whether chameleon does that, hence my ticket. If chameleon hasn't that implemented probably it would be good adding such enhancement?
From: dillbyrne/random-agent-spoofer#66
"Currently only the time zone offset is spoofed.
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toGMTString
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toLocaleDateString"
"Some date integer functions were originally included in the spoofing but they were dropped as they were causing page timeouts. Date locale strings will need to be set using the language headers for all the spoffed attributes to match. The selection of the time zone abbreviation is currently randomly selected when a timezone has been chosen. This could be improved to allow users to select the abbreviation in addition to the timezone."
"Time based fuctions such as getHours() need to be spoofed in such a way as to not break functionality like the previous version. Moving the date/time spoofing logic into the inject script will probably address the breakage as the functions will return updated but spoofed data each time they are called."
Does chameleon changes
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toGMTString
?
Tested on https://browserleaks.com/javascript:
Currently amiunique.org can detect WebGL Vendor and WebGL Renderer even when using chameleon. It can even detect whether you are running in virtualmachine or not. Could you add support for such protection? Thank you very much.
About WebGL Vendors:
-NVIDIA Corporation
-AMD (Not sure about the exact naming)
-VMware Inc. (for virtual machines)
About WebGL Renderers:
-EVGA GeForce GTX 1070
-EVGA GeForce GTX 1060
-EVGA GeForce GTX 1080
-EVGA GeForce GTX 1050
-EVGA GeForce GTX 960
-EVGA GeForce GTX 1050 Ti
Data from Amazon UK and US best sellers (for no. of revies) and https://store.steampowered.com/hwsurvey/videocard/
addon not working on Firefox 55.0.3
need fix
Headers and window properties aren't spoofed.
Hi,
first of all: huge thanks for this addon. The first that is technically able to replace RAS ;)
The only thing I missed was the ability to exclude some UAs. E.g. I only want to use desktop Firefox UAs for Windows & Linux (I had issues with some sites if they think I use Chrome).
Offtopic: RAS implemented profiles. All values (e.g. screen resolution, UA, x-forwarded-for) were changed periodically. So X-Forwarded-For followed was not changed for every image & request, but it followed the rule specified under "change periodically" and used the same entries until the period was over. Is Chameleon following this, too, or are all values changed for every single header request?
Offtopic2: X Origin Policy: this works great, but of course Chameleon can only implement it itself without changing the about:config setting. Maybe some tooltip should show that the about:config setting should be the default value, otherwise Chameleon has no chance and the setting in Chameleon takes no effect. Unfortunately, we don't get an WexExtension API ( https://bugzilla.mozilla.org/show_bug.cgi?id=1414078 ). However, it might get easier to get the "base domain" with this one: https://bugzilla.mozilla.org/show_bug.cgi?id=1315558
It's possible to bypass this addon:
https://browserleaks.com/javascript
Click in the iframe.contentWindow tab.
Check this issue for a possible fix.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.