Extension fingerprinting

Is the Brave browser able to defend itself against extension fingerprinting?
Thank you

It is a new site just launched…

My answer will be No (currently)

"The good news is that upcoming Manifest V3 will have two new features to mitigate this issue.

  1. extensions will have to specify which hosts can access their web_accessible_resources (but they can still choose all hosts if it’s needed for the extension)
  2. extensions will be able to enable “use_dynamic_url” option, which will change the resource URL for each session (so browser restart). Safari is already doing this mandatory for all their extensions."

(Credit to user who wrote it, I have not written it)
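
The two Manifest V3 settings quoted above can be checked for in an extension's manifest.json. The following is an added example, not part of the thread or of any browser's code; the function name, the severity labels and the sample manifests are assumptions constructed for illustration.

```javascript
// Added example: flag web_accessible_resources entries that sites can probe.
const ALL_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditWebAccessibleResources(manifest) {
  const war = manifest.web_accessible_resources;
  if (!Array.isArray(war) || war.length === 0) return []; // nothing exposed

  if (manifest.manifest_version !== 3) {
    // Manifest V2: a flat list of paths, readable by every site at a fixed URL.
    return [{ severity: "high", resources: war,
              issue: "MV2: exposed to all hosts at a fixed URL" }];
  }

  const findings = [];
  for (const entry of war) {
    const resources = entry.resources || [];
    const matches = entry.matches || [];
    const allHosts = matches.some((m) => ALL_HOSTS.has(m));
    const dynamic = entry.use_dynamic_url === true;
    if (allHosts && !dynamic) {
      findings.push({ severity: "high", resources,
                      issue: "all hosts can probe a fixed URL" });
    } else if (allHosts) {
      findings.push({ severity: "medium", resources,
                      issue: "all hosts allowed, URL changes per session" });
    } else if (matches.length > 0 && !dynamic) {
      findings.push({ severity: "low", resources,
                      issue: "fixed URL, but only listed hosts can probe it" });
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const sampleV2 = { manifest_version: 2, web_accessible_resources: ["img/logo.png"] };
const sampleV3 = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["img/logo.png"], matches: ["<all_urls>"] },
    { resources: ["inject.js"], matches: ["<all_urls>"], use_dynamic_url: true },
    { resources: ["panel.html"], matches: ["https://example.com/*"] },
    { resources: ["frame.html"], matches: ["https://example.com/*"], use_dynamic_url: true },
  ],
};

console.log(auditWebAccessibleResources(sampleV2));
console.log(auditWebAccessibleResources(sampleV3));
```

The last entry in the V3 sample produces no finding because it combines a host allow-list with a per-session URL, which is the combination the quoted text describes.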

The site is just launched, but the problem is old. Thank you for your reply.


Considering you know about this website and might want to dive deep into this stuff:
https://support.torproject.org/tbb/tbb-14/
https://www.cse.chalmers.se/~andrei/codaspy17.pdf

In short, it is not recommended to install useless extensions on your browser like Honey, from Google, Adobe etc. If needed, just disable them and only allow them on a few sites via the site access feature (on click or on specific sites by adding the URL).
Currently, due to Brave Shields, a lot of ad-blocking extensions like UBO, NoScript, uMatrix, Adblock Plus, AdGuard, which are highly fingerprintable compared to others, are no longer needed on the Brave browser.

Tor devs themselves have said not to install any extensions on your Tor Browser, not even UBO and Dark Reader. The proper way to browse onion sites or clearnet will be to block JavaScript altogether, or to block JavaScript but allow it only on a few trusted sites to help your privacy and security.


There is already an open issue on GitHub.


Brave exposes users on the client-side by allowing access to a navigator.brave attribute, thereby bypassing user-agent spoofing and other browser spoofing techniques. As long as that navigator property is accessible, the website can safely assume that the user is indeed on Brave and not on their spoofed browser.