{"id":13646925,"url":"https://github.com/ghostwords/chameleon","last_synced_at":"2025-12-17T03:38:25.496Z","repository":{"id":16745470,"uuid":"19502992","full_name":"ghostwords/chameleon","owner":"ghostwords","description":"Browser fingerprinting protection for everybody.","archived":true,"fork":false,"pushed_at":"2015-10-14T18:31:43.000Z","size":4895,"stargazers_count":534,"open_issues_count":16,"forks_count":60,"subscribers_count":56,"default_branch":"master","last_synced_at":"2024-11-09T20:37:53.410Z","etag":null,"topics":["browser-fingerprinting","chrome-extension","privacy"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ghostwords.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-05-06T17:03:51.000Z","updated_at":"2024-10-29T01:00:07.000Z","dependencies_parsed_at":"2022-07-26T09:02:02.039Z","dependency_job_id":null,"html_url":"https://github.com/ghostwords/chameleon","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ghostwords%2Fchameleon","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ghostwords%2Fchameleon/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ghostwords%2Fchameleon/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ghostwords%2Fchameleon/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ghostwords","download_url":"https://codeload.github.com/ghostwords/chameleon/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250136792,"owners_count":21380891,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["browser-fingerprinting","chrome-extension","privacy"],"created_at":"2024-08-02T01:03:15.596Z","updated_at":"2025-12-17T03:38:20.457Z","avatar_url":"https://github.com/ghostwords.png","language":"JavaScript","funding_links":[],"categories":["JavaScript","Fingerprinting Evasion"],"sub_categories":["Index"],"readme":"# Chameleon\n\n[Browser fingerprinting](http://akademie.dw.de/digitalsafety/your-browsers-fingerprints-and-how-to-reduce-them/) protection for everybody.\n\nChameleon is a Chrome privacy extension that :star2: detects fingerprinting-like activity, and :sparkles: protects against fingerprinting, currently by making Chrome look like Tor Browser.\n\n## :warning: WARNING :warning:\n\nChameleon is pre-alpha, developer-only software.\n\nPlease note that while Chameleon detects the use of [canvas fingerprinting](http://www.propublica.org/article/meet-the-online-tracking-device-that-is-virtually-impossible-to-block), Chameleon does not yet protect against it. See the [coverage table](#coverage) below for more on Chameleon's current status.\n\nThe next step for Chameleon is to block scripts from loading based on their use of fingerprinting techniques, of which canvas fingerprinting is one. This work is in progress now (enabled by tying code execution to originating scripts in [25d7a5](https://github.com/ghostwords/chameleon/commit/25d7a5971347902bac594d669de388416b1f21ca)).\n\n### Detection\n\nChameleon detects [font enumeration](http://www.lalit.org/lab/javascript-css-font-detect/) and intercepts accesses of fingerprinting-associated JavaScript objects like [Window.navigator](https://developer.mozilla.org/en-US/docs/Web/API/Navigator).\n\nThe number over Chameleon's button counts the number of suspected fingerprinters on the current page.\n\n### Protection\n\nSince [Tor users are supposed to all look alike](https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability), Chameleon attempts to blend in by altering request headers and JavaScript properties to match Tor Browser's values.\n\nTo start with, Chameleon covers [Panopticlick](https://panopticlick.eff.org/)'s fingerprinting set, with more complete coverage in the works.\n\nChrome without Chameleon:\n\n![\"before\" screenshot](images/before.png)\n\nChrome with Chameleon:\n\n![\"after\" screenshot](images/after.png)\n\nTor Browser:\n\n![Tor Browser screenshot](images/tor.png)\n\n\n## Installation\n\nTo manually load Chameleon in Chrome, check out (or [download](https://github.com/ghostwords/chameleon/archive/master.zip) and unzip) this repository, go to `chrome://extensions/` in Chrome, make sure the \"Developer mode\" checkbox is checked, click on \"Load unpacked extension...\" and select the [chrome](chrome/) folder inside your Chameleon folder.\n\nTo update manually loaded Chameleon, update your checkout, visit `chrome://extensions` and click on the \"Reload\" link right under Chameleon's entry.\n\nYou could also generate an installable CRX package. See below for details. To install from a CRX package, drag and drop the package file onto the `chrome://extensions` page.\n\n\n## Development setup\n\n1. `npm install` to install dev dependencies.\n2. `npm run lint` to check JS code for common errors/formatting issues.\n3. `npm run watch` to monitor extension sources for changes and regenerate extension JS bundles as needed. Leave this process running in a terminal as you work on the extension. Note that you still have to reload Chameleon in Chrome from the `chrome://extensions` page whenever you update Chameleon's injected script or background page.\n4. `npm run dist` to generate an installable CRX package. This requires having the signing key in `~/.ssh/chameleon.pem`. To get a key, visit `chrome://extensions/` in Chrome and click on the \"Pack extension...\" button to generate a CRX manually.\n\nCSS sprites were generated with [ZeroSprites](http://zerosprites.com/).\n\n\n## Coverage\n\nFingerprinting technique | Detection | Protection | Notes\n------------------------ |:---------:|:----------:| -----\nRequest header values | ✗ | ✔ | detection not possible in a browser extension?\nwindow.navigator values | ✔ | ✔ | partial protection (not all Firefox-specific Navigator properties added, Chrome-specific properties not yet removed)\nwindow.navigator enumeration | ✔ | ✗ | detection only: [object enumeration order differs between browsers](http://stackoverflow.com/questions/280713/elements-order-in-a-for-in-loop)\nwindow.screen values | ✔ | ✔\nDate/time queries | ✔ | ✔ | partial protection (need to adjust the entire timezone, not just getTimezoneOffset)\nFont enumeration | ✔ | ✗ | unable to override fontFamily getters/setters on the CSSStyleDeclaration prototype in Chrome; needs more investigation\n[System color](https://developer.mozilla.org/en-US/docs/Web/CSS/color_value#System_Colors) enumeration | ✗ | ✗ | detection planned, protection seems to run into the same issue as font enumeration\nCSS media queries | ✗ | ✗ | needs investigation\nCanvas image data extraction | ✔ | ✗ | protection impeded by image rendering differences between Chrome and Firefox, but this is only a problem if we are trying to match Tor Browser.\nWebGL | ? | ✗ | detection needs more work, protection needs investigation\nRequest header ordering/checksum, window.navigator checksum, checksumming in general | ✗ | ✗ | needs investigation\nFlash/Java-driven queries | ✗ | ✗ | plugins need to be switched to click-to-play by default\nThird-party cookies | ✗ | ✗ | need to disable by default\nJS/rendering engine differences | ✗ | ✗ | Tor Browser masquerading showstopper ...\nPacket inspection/clock skew (?) | ✗ | ✗ | not possible in a browser extension\n\n\n## Roadmap\n\n- Minimize false positives.\n\n- Block fingerprinter resource loading.\n\n- Replace Tor masquerading with randomization: [#1](https://github.com/ghostwords/chameleon/issues/1)\n\n- Create Chameleon for Firefox.\n\n- Fix getOriginatingScriptUrl for eval'd code:\n\t- The [V8 stack trace API](http://code.google.com/p/v8/wiki/JavaScriptStackTraceApi) fails to deliver file URLs brought in via eval'd code. For example, see all the misattributed (to jQuery) accesses on http://fingerprint.pet-portal.eu/ during a fingerprint test.\n\t- The problem is probably not just with `eval`, but with any dynamic code evaluation, meaning `setTimeout('...')` and `new Function('...')`.\n\t- [Overriding eval doesn't work](http://stackoverflow.com/a/2567001).\n\t- Can (probably) get CSP violation reports for just eval with something like `script-src * 'unsafe-inline'; style-src * 'unsafe-inline'; report-uri chrome-extension://...`, but they do not appear to provide file names for eval'd script files either.\n\t- We can get the function that triggered our property getters via `arguments.callee.caller.caller`, but we still need the URL it came from.\n\t- Is there anything around the function we have at this point that we can use to figure out where the function came from, besides trying to match the function to page script sources?\n\t- We can try matching the function to page script sources. The function we have doesn't have to look anything like the originating scripts ... because `eval`. Can try unpacking packed scripts. What if multiple eval's? What if data/javascript URIs? Not clear how far this will get us.\n\n- Simplify the UI (fingerprinting detected vs. not; expand to see more info).\n\n- Add help/about link; explain what the UI shows.\n\n\n## Code license\n\nMozilla Public License Version 2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fghostwords%2Fchameleon","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fghostwords%2Fchameleon","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fghostwords%2Fchameleon/lists"}