How to make Brave undetectable, reduce fingerprintability, and improve privacy.

As of right now, even with the help of brave-fix.js, many sites can still detect Brave. This is used both for fingerprinting and for blocking Brave users. I have an idea to fix that: fully spoof Brave as Firefox, both the HTTP headers and client hints (including client hint JavaScript attributes). Since Firefox does not support any client hints whatsoever, neither should we. They don't accomplish anything other than privacy invasion anyway. We should also block some invasive HTTP headers while we are at it.

The following request headers should be changed/added to resemble Firefox:

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
TE: trailers

The following request headers should be blocked/removed to resemble Firefox:

Sec-CH-UA-Mobile - client hint header for tracking.
Sec-CH-UA-Arch - client hint header for tracking.
Sec-CH-UA-Form-Factors - client hint header for tracking.
Sec-CH-UA-Full-Version - client hint header for tracking.
Sec-CH-UA-Full-Version-List - client hint header for tracking.
Sec-CH-UA-Model - client hint header for tracking.
Sec-CH-UA-Platform-Version - client hint header for tracking.
Sec-CH-UA-Platform - client hint header for tracking.
Sec-CH-UA-Bitness - client hint header for tracking.
Sec-CH-Prefers-Color-Scheme - client hint header for tracking.
Sec-CH-Prefers-Reduced-Motion - client hint header for tracking.
Sec-CH-Prefers-Reduced-Transparency - client hint header for tracking.
Sec-CH-UA - client hint header for tracking.
ECT - client hint header for tracking.
DPR - client hint header for tracking.
RTT - client hint header for tracking.
Device-Memory - client hint header for tracking.

The following response headers should be blocked/removed to resemble Firefox:

Accept-CH - client hint header for tracking.
Critical-CH - client hint header for tracking.

From my research and experimentation with the Requestly extension, the following HTTP response headers can and should be blocked without causing any site breakage:

Observe-Browsing-Topics - tracking header.
ETag - can be used to identify a user, like fingerprinting. Check this site for a demonstration: https://lucb1e.com/randomprojects/cookielesscookies
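As an added illustration of the rule set proposed above (example code, not from the thread or from Brave), the rewrite is applied to a constructed Chromium-style request and response and the result is audited for leftover hints. It generalizes the per-header list to a `Sec-CH-` prefix match (an assumption, so hints the list omits are caught too) and matches names case-insensitively, because HTTP/2 and HTTP/3 send header names in lowercase and an exact-match rule would miss `sec-ch-ua`.

```python
# Added example: apply the proposed Firefox-lookalike header rewrite and audit it.
# Values below are quoted from the post; sample traffic is constructed for the demo.

FIREFOX_HEADERS = {
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate, br",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0",
    "TE": "trailers",
}
# Legacy client hints from the post that carry no Sec-CH- prefix.
LEGACY_HINTS = {"ect", "dpr", "rtt", "device-memory"}
# Response headers the post asks to strip (Accept-CH/Critical-CH, topics, ETag).
RESPONSE_BLOCK = {"accept-ch", "critical-ch", "observe-browsing-topics", "etag"}


def is_client_hint(name: str) -> bool:
    """Prefix rule (assumed generalization of the post's list) plus legacy names."""
    n = name.lower()
    return n.startswith("sec-ch-") or n in LEGACY_HINTS


def rewrite_request(headers: dict) -> dict:
    """Drop every client hint, then overwrite the identifying headers."""
    to_set = {k.lower() for k in FIREFOX_HEADERS}
    out = {k: v for k, v in headers.items()
           if not is_client_hint(k) and k.lower() not in to_set}
    out.update(FIREFOX_HEADERS)
    return out


def rewrite_response(headers: dict) -> dict:
    """Strip the response headers the post lists, case-insensitively."""
    return {k: v for k, v in headers.items() if k.lower() not in RESPONSE_BLOCK}


def residual_hints(headers: dict) -> list:
    """Client-hint header names that survived rewriting (should be empty)."""
    return [k for k in headers if is_client_hint(k)]


# Constructed sample of what a Chromium-based browser sends over HTTP/2 (lowercase names).
SAMPLE_REQUEST = {
    "accept": "text/html,*/*;q=0.8",
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0.0.0 Safari/537.36",
    "sec-ch-ua": '"Chromium";v="125", "Not.A/Brand";v="24"',
    "sec-ch-ua-mobile": "?0",
    "sec-ch-ua-platform": '"Windows"',
    "device-memory": "8",
    "sec-fetch-mode": "navigate",  # not a client hint; must survive
}
SAMPLE_RESPONSE = {"content-type": "text/html", "accept-ch": "Sec-CH-UA-Full-Version-List", "etag": '"abc"'}
```

Note that `sec-fetch-mode` survives the rewrite, which is the reply's point in miniature: removing the listed headers does not remove everything that differs between Blink and Gecko.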

@john897,
Thank you for reaching out to us.
I went ahead and showed this thread to our principal privacy researcher @pes. His response:

I appreciate your comment, however, in practice, most of these changes would not be privacy improving, and some would break sites, downloads folks try to initiate, trigger security warnings, etc. The challenge in all these aspects is to improve privacy, while at the same time not breaking websites for users.

A couple of notes though.

Brave prevents some of these features from harming user privacy by modifying them, not disabling them. ETags, for example, in Brave, are partitioned by first party (the same way Brave partitions all third party storage). This allows sites to use ETags for caching purposes, without allowing sites to abuse them for cross site tracking.

Similarly some of these features Brave already disables (Topics API, many of the Sec-CH-UA headers you listed).

Finally, even if Brave disabled all these features, it would not have the effect of making Brave look like Firefox. There is just too much diversity and difference between how Blink and Gecko work for the two to appear identical to the site. What we’d end up with is a very very odd thing that didn’t look like Firefox, and also didn’t look like Chromium, but with a bunch of additional compatibility risks on top.

Hope this helps. You can find more about Brave’s privacy protections at brave.com/privacy-updates, or see how Brave compares to other browsers here: https://privacytests.org/