Description of the issue:
I have a site at mutaframe.com. It uses a hash of the fingerprint to make sure that the magic links for login are opened from the same browser that requested them (the project is about healthcare/genetics, so it is a bit more constrained).
I load the script (fingerprint2.js) async from my own domain; however, it is blocked unless I turn off “block 3rd party tracking”. As far as I know, in the latest addition to Brave, the intention was not to block 1st party fingerprinting. Did I misunderstand that by thinking 1st party means payloads requested from the host domain? Or does Brave make some predefined checks against the requested file's checksum to block it directly?
Steps to Reproduce (add as many as necessary):
- Go to mutaframe.com; you’ll be redirected to deogen2.mutaframe.com.
- Open the network tab and monitor the requests.
- It’ll ask you for a survey code, provide this: 69bfffe5713771d5b0e720b13271bf69
- At this point fingerprint2.js will be blocked.
- Repeat the above steps with 3rd party tracker blocking off, and this time the script will load fine and the icons on the left will start appearing -> the site works.
Since I’m a new user, I unfortunately could not upload it here, but you can view it from here:
It first shows the broken state until halfway through the video, then the normal one.
As far as I understand, Brave should not block a fingerprinting script if loaded from the host domain.
Reproduces how often:
As of the latest version
Version 0.67.124 Chromium: 76.0.3809.100 (Official Build) (64-bit)
Reproducible on current live release (yes/no):