Block webdriver html attribute from getting set

Question

Block webdriver html attribute from getting set

dreisman opened this issue 8 years ago · 5 comments

Selenium adds an HTML attribute "webdriver = true" to the tag. This should be removed before any scripts on the page are executed.

(also, measuring how many sites/scripts check for this attribute would be informative)

Answer 1 · 2016-09-24T10:44:49.000Z

In addition, it adds a "webdriver=true" attribute to the navigator object:

Here's a test case checking both attributes (see the console logs):
https://rawgit.com/gunesacar/55a2d793156caf8c8345965489ea6530/raw/75a8ce8de8c9f2a9f8d8ad00dd5b17df3f5f6432/selenium_fingerprinting.html

I get true for both tests with 2.53.6. Interestingly, Selenium 3 doesn't add these flags at the moment.

Responsible lines:

Answer 2 · 2016-11-16T22:04:42.000Z

Please check #105. It should remove the webdriver attribute set by Selenium.

Answer 3 · 2016-11-17T16:04:16.000Z

Thanks Gunes! A few comments:

(1) We should really have an automated test for this. If it does break in the future for some reason it's unlikely to be noticed by an user of the platform

(2) In order to activate, the user must set browser_params['extension']['enabled'] = True and browser_params['extension']['jsInstrument'] = True. We shouldn't tie the protection to the use of instrumentation.

Since we're planning to move to extension-only instrumentation as soon as possible, I think it makes sense to have the extension on by default. Once that's set, we should make a separate content script which does nothing other than inject the webdriver protection code. I'll make an issue to track this change as well.

Answer 4 · 2016-11-23T01:07:51.000Z

@gunesacar take a look at 54765c1. It seems we don't always load before selenium so we need a bit of extra handling. I think we can use Object.prototype.watch() and Object.prototype.unwatch() for the navigator.webdriver example.

Answer 5 · 2016-11-23T18:21:48.000Z

See: #108 for the fix.