Block webdriver html attribute from getting set
dreisman opened this issue · 5 comments
Selenium adds an HTML attribute "webdriver = true" to the tag. This should be removed before any scripts on the page are executed.
(also, measuring how many sites/scripts check for this attribute would be informative)
In addition, it adds a "webdriver=true" attribute to the navigator object:
Here's a test case checking both attributes (see the console logs):
https://rawgit.com/gunesacar/55a2d793156caf8c8345965489ea6530/raw/75a8ce8de8c9f2a9f8d8ad00dd5b17df3f5f6432/selenium_fingerprinting.html
I get true for both tests with 2.53.6. Interestingly, Selenium 3 doesn't add these flags at the moment.
Responsible lines:
- https://github.com/SeleniumHQ/selenium/blob/b82512999938d41f6765ce8017284dcabe437d4c/javascript/firefox-driver/extension/content/server.js#L49
- https://github.com/SeleniumHQ/selenium/blob/b82512999938d41f6765ce8017284dcabe437d4c/javascript/firefox-driver/extension/content/dommessenger.js#L98
- W3C recommendation: https://w3c.github.io/webdriver/webdriver-spec.html#interface
Thanks Gunes! A few comments:
(1) We should really have an automated test for this. If it does break in the future for some reason it's unlikely to be noticed by a user of the platform.
(2) In order to activate, the user must set browser_params['extension']['enabled'] = True and browser_params['extension']['jsInstrument'] = True. We shouldn't tie the protection to the use of instrumentation.
Since we're planning to move to extension-only instrumentation as soon as possible, I think it makes sense to have the extension on by default. Once that's set, we should make a separate content script which does nothing other than inject the webdriver protection code. I'll make an issue to track this change as well.
@gunesacar take a look at 54765c1. It seems we don't always load before selenium so we need a bit of extra handling. I think we can use Object.prototype.watch() and Object.prototype.unwatch() for the navigator.webdriver example.
See: #108 for the fix.
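The load-order problem raised in the thread, sketched as a regression check. This is an added example, not code from the issue, the project or Selenium. It assumes constructed stand-ins for `navigator` and the html element, models the driver as a plain assignment plus `setAttribute`, and pins the property with the standard `Object.defineProperty` instead of `watch()`/`unwatch()`; all function names are hypothetical.

```javascript
// Constructed stand-ins for `navigator` and the <html> element (Node has neither).
function makePage() {
  const attrs = new Map();
  const html = {
    getAttribute: (n) => (attrs.has(n) ? attrs.get(n) : null),
    setAttribute: (n, v) => { attrs.set(n, String(v)); },
    removeAttribute: (n) => { attrs.delete(n); },
  };
  return { nav: {}, html };
}

// Assumption: the driver is modelled as a plain assignment plus setAttribute.
function driverMarks(page) {
  page.nav.webdriver = true;
  page.html.setAttribute('webdriver', true);
}

// The two checks from the test case: what a script on the page can observe.
function markers(page) {
  return {
    navigatorFlag: page.nav.webdriver === true,
    htmlAttribute: page.html.getAttribute('webdriver') !== null,
  };
}

// One-shot cleanup: effective only if the driver has already set the markers.
function cleanOnce(page) {
  delete page.nav.webdriver;
  page.html.removeAttribute('webdriver');
}

// Order-independent variant: clean up, then ignore any later write.
function pin(page) {
  cleanOnce(page);
  Object.defineProperty(page.nav, 'webdriver', {
    get: () => undefined, set: () => {}, configurable: false,
  });
  const setAttr = page.html.setAttribute;
  page.html.setAttribute = (n, v) => { if (n !== 'webdriver') setAttr(n, v); };
}

// Apply a protection before or after the driver; return what stays visible.
function run(protect, order) {
  const page = makePage();
  if (order === 'driver-first') { driverMarks(page); protect(page); }
  else { protect(page); driverMarks(page); }
  return markers(page);
}
```

Running each protection in both orders shows why a one-shot cleanup is not enough: it leaves both markers visible whenever the protection loads before the driver.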