[Dev] Fwd: Re: Article: Chromium's subtle freedom flaws

jc_gargma jc_gargma at iserlohn-fortress.net
Thu May 11 03:05:26 GMT 2017


> Respective identified code can be found below:
> https://lintian.debian.org/maintainer/pkg-chromium-maint@lists.alioth.debian.org.html#chromium-browser
> 
> https://github.com/Eloston/ungoogled-chromium/tree/master/resources/patches
> 
> https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs
I ran through the three rosters of issues mentioned against the 
qtwebengine-opensource-src-5.8.0.tar.xz package.
Since posting many thousands of characters feels a bit long, I've attached a 
text file of my findings to this mail.

In brief:
1) Eighteen of the Thirty-Three js files exist in QtWebEngine. The non-free 
licensed UTF parser is not in QtWebEngine.
2) Sixteen of Twenty-Nine ungoogled patches are either already applied or 
files being patched do not exist. Some patch target files vary considerably as 
to make determination of some of the remaining patches unclear.
3) The issues listed by Tor are either bugs, bad implementations, or also 
occur in Firefox/IceCat/Iceweasel. None are freedom related. The article is 
also two years old and not an up-to-date view on recent browser versions.


-jc
-------------- next part --------------
----------

https://lintian.debian.org/maintainer/pkg-chromium-maint@lists.alioth.debian.org.html#chromium-browser

license-problem result 0/2
breakpad/src/common/convert_UTF.c -> File Not Found
third_party/swiftshader/third_party/llvm-subzero/lib/Support/ConvertUTF.cpp -> File Not Found

source-is-missing result 18/33
third_party/WebKit/Source/devtools/front_end/audits2_worker/lighthouse/lighthouse-background.js -> File Not Found
third_party/WebKit/Source/devtools/front_end/cm_modes/php.js -> VALID!
third_party/WebKit/Source/devtools/front_end/cm_modes/stylus.js -> VALID!
third_party/WebKit/Source/devtools/front_end/diff/diff_match_patch.js -> VALID!
third_party/WebKit/Source/devtools/front_end/formatter_worker/acorn/acorn.js -> File Not Found
third_party/WebKit/Source/devtools/front_end/gonzales/gonzales-scss.js -> VALID!
third_party/WebKit/Source/devtools/front_end/network/NetworkConfigView.js -> VALID!
third_party/WebKit/Source/devtools/front_end/settings/SettingsScreen.js -> VALID!
third_party/accessibility-audit/axs_testing.js -> File Not Found
third_party/analytics/google-analytics-bundle.js -> VALID!
third_party/blanketjs/src/blanket.js -> VALID!
third_party/catapult/experimental/heatmap/power.js -> File Not Found
third_party/catapult/experimental/heatmap/smoothness.js -> File Not Found
third_party/catapult/experimental/trace_on_tap/third_party/pako/pako_deflate.min.js -> File Not Found
third_party/catapult/third_party/Paste/paste/evalexception/media/MochiKit.packed.js -> File Not Found
third_party/catapult/third_party/polymer/components/web-animations-js/web-animations-next-lite.min.js -> File Not Found
third_party/catapult/third_party/polymer/components/web-animations-js/web-animations-next.min.js ->  File Not Found
third_party/catapult/third_party/polymer/components/web-animations-js/web-animations.min.js ->  File Not Found
third_party/catapult/third_party/vinn/third_party/parse5/lib/tokenization/named_entity_trie.js -> File Not Found
third_party/catapult/third_party/vinn/third_party/parse5/parse5.js -> File Not Found
third_party/catapult/tracing/third_party/chai/chai.js -> VALID!
third_party/catapult/tracing/third_party/d3/d3.min.js -> VALID!
third_party/catapult/tracing/third_party/gl-matrix/spec/gl-matrix/mat3-spec.js -> VALID!
third_party/catapult/tracing/third_party/jszip/jszip.min.js -> VALID!
third_party/deqp/src/framework/delibs/coding_guidelines/prettify.js -> File Not Found
third_party/dom_distiller_js/dist/js/domdistiller.js -> VALID!
third_party/dom_distiller_js/dist/js/domdistiller_wrapped.js -> VALID!
third_party/libphonenumber/dist/javascript/i18n/phonenumbers/metadata.js -> File Not Found
third_party/libphonenumber/dist/javascript/i18n/phonenumbers/metadatalite.js -> File Not Found
third_party/web-animations-js/sources/web-animations-next-lite.min.js -> VALID!
third_party/web-animations-js/sources/web-animations-next.min.js -> VALID!
third_party/web-animations-js/sources/web-animations.min.js -> VALID!
ui/accessibility/extensions/highcontrast/highcontrast.js -> VALID!

web/optional -> File Not Found

usr/bin/chromedriver -> File Not Found

usr/bin/chromium-shell -> File Not Found

usr/bin/chromium-shell: freetype -> File Not Found

----------

https://github.com/Eloston/ungoogled-chromium/tree/master/resources/patches/ungoogled-chromium

Patches Not Applied or Requiring Further Analysis: 13/29

remove-new-flags.patch -> build/config/compiler/BUILD.gn -> Invalid (Relates to removing modern compiler flags)

add-flag-to-disable-trkbar.patch -> chrome/app/chrome_main.cc             -> File Not Found
                                 -> chrome/app/generated_resources.grd    -> Invalid (Adds error messages only)
                                 -> chrome/browser/about_flags.cc         -> File Not Found
                                 -> chrome/browser/chrome_browser_main.cc -> File Not Found

add-ipv6-probing-option.patch -> net/dns/host_resolver_impl.cc -> VALID! (DNS addresses for Google exist)

change-trace-infobar-message.patch -> iridium/trkbar.cpp -> Invalid/File Not Found (Relates to Iridium)

clear-http-auth-cache-menu-item.patch -> chrome/app/chrome_command_ids.h    -> File Not Found
                                      -> chrome/app/generated_resources.grd -> Invalid (Adds error messages only)
                                      -> chrome/browser/ui/toolbar/app_menu_model.cc -> File Not Found
                                      -> chrome/browser/ui/toolbar/app_menu_model.h  -> File Not Found
                                      -> chrome/browser/ui/views/frame/global_menu_bar_x11.cc -> File Not Found
                                      -> chrome/browser/ui/browser_command_controller.cc      -> File Not Found
                                      -> tools/metrics/histograms/histograms.xml -> File Not Found
                                      -> net/http/http_auth_cache.cc -> Invalid (File already contains what patch adds)
                                      -> net/http/http_auth_cache.h  -> Invalid (File already contains what patch adds)

disable-crash-reporter.patch -> breakpad/src/client/linux/sender/google_crash_report_sender.cc -> File Not Found
                             -> chrome/browser/tracing/crash_service_uploader.cc -> File Not Found

disable-domain-reliability.patch -> components/domain_reliability/google_configs.cc -> VALID! (Functions not removed/disabled)
                                 -> components/domain_reliability/uploader.cc -> VALID! (Function not disabled)
                                 -> components/domain_reliability/bake_in_configs.py -> VALID! (Functions not disabled)
                                 -> components/domain_reliability/BUILD.gn -> MORE ANALYSIS NEEDED! (File varies considerably from patch)

disable-download-quarantine.patch -> content/browser/renderer_host/pepper/pepper_file_io_host.cc -> Invalid (File already contains what patch adds)
                                  -> content/browser/renderer_host/pepper/pepper_file_io_host.h  -> Invalid (File already contains what patch adds)
                                  -> content/common/BUILD.gn               -> Invalid (File already contains what patch adds)
                                  -> content/public/common/BUILD.gn        -> Invalid (File already contains what patch adds)
                                  -> content/browser/download/base_file.cc -> Invalid (File already contains what patch adds)

disable-fonts-googleapis-references.patch -> components/dom_distiller/content/browser/dom_distiller_viewer_source.cc -> VALID! (webfonts references exist)
                                          -> components/dom_distiller/core/html/dom_distiller_viewer.html -> VALID! (webfonts references exist)
                                          -> components/dom_distiller/core/html/preview.html -> VALID! (webfonts references exist)
                                          -> third_party/catapult/third_party/polymer/components/font-roboto/roboto.html -> File Not Found
                                          -> third_party/catapult/tracing/third_party/gl-matrix/jsdoc-template/static/default.css -> VALID! (webfonts references exist)
                                          -> third_party/crashpad/crashpad/doc/support/crashpad_doxygen.css -> File Not Found
                                          -> third_party/flatbuffers/src/docs/header.html -> VALID! (webfonts references exist)

disable-formatting-in-omnibox.patch -> components/url_formatter/url_formatter.cc -> VALID! (omnibox allows formatting)

disable-gaia.patch -> google_apis/gaia/gaia_auth_fetcher.cc -> VALID! (Function not removed)
                   -> chrome/browser/resources/component_extension_resources.grd -> VALID! (Functions not removed)
                   -> chrome/browser/extensions/signin/gaia_auth_extension_loader.cc -> File Not Found
                   -> chrome/browser/extensions/component_extensions_whitelist/whitelist.cc -> File Not Found
                   -> chrome/browser/ui/webui/signin/inline_login_ui.cc -> File Not Found
                   -> chrome/browser/browser_resources.grd -> VALID! (Functions not removed)

disable-gcm.patch -> components/gcm_driver/gcm_client_impl.cc -> File Not Found

disable-google-host-detection.patch -> net/base/url_util.cc -> VALID! (References to google domains exist)
                                    -> chrome/browser/prerender/prerender_util.cc -> File Not Found
                                    -> components/variations/net/variations_http_headers.cc -> VALID! (Functions not removed / References to google domains exist)
                                    -> chrome/browser/page_load_metrics/observers/from_gws_page_load_metrics_observer.cc -> File Not Found
                                    -> components/search_engines/template_url.cc -> VALID! (Functions not removed)
                                    -> components/google/core/browser/google_util.cc -> VALID! (Functions not removed)

disable-intranet-redirect-detector.patch -> chrome/browser/intranet_redirect_detector.cc -> File Not Found

disable-logging-urls-to-stderr.patch -> iridium/trknotify.cpp -> Invalid/File Not Found (Relates to Iridium)
                                     -> iridium/trknotify.h -> Invalid/File Not Found (Relates to Iridium)
                                     -> chrome/app/chrome_main.cc -> File Not Found

disable-profile-avatar-downloading.patch -> chrome/browser/profiles/profile_avatar_downloader.cc -> File Not Found

disable-rlz.patch  -> rlz/features/features.gni -> File Not Found

disable-signin.patch -> components/signin/core/browser/signin_manager_base.cc -> VALID! (Function not removed)
                     -> chrome/browser/ui/chrome_pages.cc -> File Not Found

disable-translate.patch -> components/translate/core/browser/translate_manager.cc -> File Not Found
                        -> components/translate/content/renderer/translate_helper.cc -> File Not Found
                        -> components/translate/core/browser/translate_script.cc -> File Not Found

disable-untraceable-urls.patch -> chrome/browser/plugins/plugins_resource_service.cc -> File Not Found
                               -> chrome/browser/safe_browsing/client_side_model_loader.cc -> File Not Found
                               -> chrome/browser/safe_browsing/client_side_model_loader.h -> File Not Found
                               -> rlz/lib/lib_values.cc -> File Not Found
                               -> rlz/lib/lib_values.h -> File Not Found
                               -> rlz/lib/financial_ping.cc -> File Not Found

enable-page-saving-on-more-pages.patch -> content/public/common/url_utils.cc -> Invalid (File already contains what patch adds)
                                       -> chrome/browser/ui/browser_commands.cc -> File Not Found
                                       -> components/offline_pages/core/offline_page_model.cc -> File Not Found
                                       -> content/common/url_schemes.cc -> MORE ANALYSIS NEEDED! (File varies considerably from patch)

fix-building-without-one-click-signin.patch -> chrome/browser/ui/sync/one_click_signin_sync_starter.cc -> File Not Found
                                            -> chrome/browser/ui/sync/one_click_signin_links_delegate_impl.cc -> File Not Found
                                            -> chrome/browser/ui/BUILD.gn -> Invalid (File already contains what patch adds)

gn-modify-hardcoded-settings.patch -> build/config/features.gni -> VALID! (Functions not commented in)

intercept-all-modified-domains.patch -> chrome/app/chrome_main.cc -> File Not Found
                                     -> content/browser/browser_url_handler_impl.cc -> MORE ANALYSIS NEEDED! (File varies considerably from patch)
                                     -> url/gurl.cc -> MORE ANALYSIS NEEDED! (File varies considerably from patch)

popups-to-tabs.patch -> content/renderer/render_view_impl.cc -> MORE ANALYSIS NEEDED! (File varies considerably from patch)
                     -> chrome/browser/ui/views/frame/browser_view.cc -> File Not Found

prevent-trace-url-requests.patch -> url/gurl.cc -> MORE ANALYSIS NEEDED! (File varies considerably from patch)
                                 -> chrome/browser/ui/browser_navigator.cc -> File Not Found
                                 -> components/url_formatter/url_fixer.cc -> VALID! (Functions not added)

remove-disable-setuid-sandbox-as-bad-flag.patch -> chrome/browser/ui/startup/bad_flags_prompt.cc -> File Not Found

remove-get-help-button.patch -> chrome/browser/resources/help/help_content.html -> VALID! (Function not removed)
                             -> chrome/browser/resources/help/help_page.js -> VALID! (Function not removed)

replace-google-search-engine-with-nosearch.patch -> components/search_engines/prepopulated_engines.json -> VALID! (google search engines not removed)

----------

https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs

All certificate validation fetches (AIA, OCSP, CRL) should use Chrome's proxy settings - Invalid (bad implementations are not freedom issues)
dns prefetching leaks dns queries when using a proxy - Invalid (Firefox forks have the same problem)
Flash and other plugins should be forced through the browser's proxy - Invalid (bad implementations are not freedom issues)
FTP not working behind (HTTP) Proxy - Invalid (bad implementations are not freedom issues)
WebRTC PeerConnection can use UDP and non-proxied TCP Sockets - Invalid (Firefox forks have the same problem)
SPDY v3 can use UDP as a transport (via QUIC) - Invalid (Firefox forks have the same problem)

Can we block drag and drop events? - Invalid (bad implementations are not freedom issues)
Do WebSockets behave correctly? - Invalid (Firefox forks have the same problem)
Do the NTLM and SPNEGO HTTP authentication methods bypass the proxy? - Invalid (bad implementations are not freedom issues)

Maintain separate TLS session caches per-profile - Invalid (Post states this is fixed)
SPDY state and connection reuse, HTTP keepalive connection reuse, and HSTS state? - Invalid (bad implementations are not freedom issues)
The CryptoAPI dependency on Windows probably means most or all TLS state is shared - Invalid (bad implementations are not freedom issues)

"Incognito-enabled" manifest.json extension permission - Invalid (bad implementations are not freedom issues)
The Third Party Cookie pref should also "double-key" or disable DOM storage, cache, HTTP Auth and HSTS for third parties - Invalid (bad implementations are not freedom issues)
window.name should not persist across domains - Invalid (Firefox forks have the same problem)
SSL Session ids and TLS session tickets should be disabled for third parties - Invalid (bad implementations are not freedom issues)
SPDY can store session IDs and other state, and has insane keep-alive properties - Invalid (Firefox forks have the same problem)

HTML5 Canvas should be permission-based for reading image data - Invalid (Firefox forks have the same problem)
The GamePad API allows USB device IDs for any controller-like devices to be enumerated by JS - Invalid (bad implementations are not freedom issues)
CSS Media Queries allow screen info and even user-selected system theme colors and other user-configured UI information to be extracted by CSS (even without JS) - Invalid (bad implementations are not freedom issues)
WebGL should not expose OpenGL/DirectX extension and device capabilities - Invalid (Firefox forks have the same problem)
NTLM and SPNEGO Auth should not send machine hostname or username in Incognito Mode - Invalid (bad implementations are not freedom issues)
The desktop and taskbar resolution should not be available to CSS or JS -- provide content window size only - Invalid (Firefox forks have the same problem)
Addons should be able to install a font pack for exclusive use in Incognito Mode - Invalid (bad implementations are not freedom issues)
Disable high-resolution DOM and network performance timers in Incognito Mode - Invalid (Firefox forks have the same problem)
Reduce Javascript Date and event timestamp precision in Incognito mode - Invalid (Firefox forks have the same problem)

----------
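The attached findings rest on two mechanical checks: whether each path named by lintian (or targeted by an ungoogled-chromium patch) exists in the unpacked QtWebEngine tree, and whether a patch's target files already carry the lines the patch would add. The script below is an added example that re-creates those checks; it is not the author's tooling nor anything shipped by Parabola, QtWebEngine or ungoogled-chromium. The tree, roster and patch it builds are constructed fixtures, and treating "every added line already occurs verbatim in the target" as the "Invalid (File already contains what patch adds)" verdict is an assumption about how that verdict was reached, not something the mail states.

```shell
#!/bin/sh
# Added example, not part of the original mail or of Parabola/QtWebEngine.
# Re-creates the two checks the attached findings were built from: does each
# path on a roster exist in the unpacked source tree, and does a patch still
# target files that exist and lack the lines it would add. The tree, roster
# and patch below are constructed fixtures; no real package is read.

# Print "<path> -> VALID!" or "<path> -> File Not Found" for each relative
# path read from stdin, relative to the tree root in $1.
check_roster() {
  root=$1
  while IFS= read -r rel; do
    [ -n "$rel" ] || continue
    if [ -e "$root/$rel" ]; then
      printf '%s -> VALID!\n' "$rel"
    else
      printf '%s -> File Not Found\n' "$rel"
    fi
  done
}

# Count report lines carrying the given verdict ("VALID!" or "File Not Found").
count_verdict() {
  grep -c -- "-> $1" || true
}

# List the files a unified diff modifies, taken from its "+++ b/..." headers.
patch_targets() {
  awk '/^\+\+\+ / { f = $2; sub(/^b\//, "", f); if (f != "/dev/null") print f }' "$1" | sort -u
}

# Emit "<target><TAB><added line>" for every "+" line in the diff.
patch_added_lines() {
  awk '
    /^\+\+\+ / { f = $2; sub(/^b\//, "", f); next }
    /^--- /    { next }
    /^\+/      { print f "\t" substr($0, 2) }
  ' "$1"
}

# Succeed when every line the diff adds to $2 already occurs verbatim in $1/$2
# (assumed heuristic for the "Invalid (File already contains what patch adds)" verdict).
already_contains() {
  awk -F '\t' -v t="$2" -v f="$1/$2" '
    BEGIN { while ((getline l < f) > 0) have[l] = 1 }
    $1 == t { if (!(substr($0, length(t) + 2) in have)) missing = 1 }
    END { exit missing + 0 }
  '
}

# Audit one patch file against a tree, one verdict line per target file.
audit_patch() {
  root=$1; pfile=$2
  patch_targets "$pfile" | while IFS= read -r target; do
    if [ ! -e "$root/$target" ]; then
      printf '%s -> File Not Found\n' "$target"
    elif patch_added_lines "$pfile" | already_contains "$root" "$target"; then
      printf '%s -> Invalid (File already contains what patch adds)\n' "$target"
    else
      printf '%s -> VALID! (added lines not yet present)\n' "$target"
    fi
  done
}

# Build a constructed source tree plus roster and patch; prints the directory.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/src/third_party/dom_distiller_js/dist/js" "$d/src/net/base" "$d/src/components"
  : > "$d/src/third_party/dom_distiller_js/dist/js/domdistiller.js"
  printf 'new line\nkeep\n' > "$d/src/net/base/url_util.cc"   # already carries the "+" line
  printf 'old\nkeep\n' > "$d/src/components/google_util.cc"   # still lacks it
  printf '%s\n' third_party/dom_distiller_js/dist/js/domdistiller.js \
                chrome/app/chrome_main.cc \
                usr/bin/chromedriver > "$d/roster.txt"
  cat > "$d/sample.patch" <<'EOF'
--- a/net/base/url_util.cc
+++ b/net/base/url_util.cc
@@ -1,2 +1,2 @@
-old line
+new line
 keep
--- a/components/google_util.cc
+++ b/components/google_util.cc
@@ -1,2 +1,2 @@
-old
+added
 keep
--- a/chrome/app/chrome_main.cc
+++ b/chrome/app/chrome_main.cc
@@ -1 +1 @@
-x
+y
EOF
  echo "$d"
}

# Stand-alone run: audit the constructed fixture, then tidy up.
sample=$(make_sample_tree)
check_roster "$sample/src" < "$sample/roster.txt"
audit_patch "$sample/src" "$sample/sample.patch"
rm -rf "$sample"
```

Against a real tarball the same functions are run with the unpacked source directory as the root and the lintian or ungoogled-chromium lists as the roster and patch inputs; the "already contains" verdict is only a first pass, since a target that "varies considerably from patch", as several entries above note, still needs a human read of the hunks.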