Blocked or restricted APIs:
- window.Date, window.performance.now (), window.PerformanceEntry, Event.prototype.timeStamp, Gamepad.prototype.timestamp and VRFrameData.prototype.timestamp – the exact time displayed can be used to identify and carry out attacks side-channel .
- HTMLCanvasElement (canvas.toDataURL (), canvas.toBlob (), CanvasRenderingContext2D.getImageData, OffscreenCanvas.convertToBlob ()) – used to determine the features of the graphics subsystem when identifying a user.
- AudioBuffer и AnalyserNode (AudioBuffer.getChannelData(), AudioBuffer.copyFromChannel(), AnalyserNode.getByteTimeDomainData(), AnalyserNode.getFloatTimeDomainData(), AnalyserNode.getByteFrequencyData() и AnalyserNode.getFloatFrequencyData()) – идентификация через анализ звуковых сигналов.
- WebGLRenderingContext – identification through analysis of the features of the graphics stack and GPU.
- MediaDevices.prototype.enumerateDevices – identification by receiving parameters and names of the camera and microphone.
- navigator.deviceMemory, navigator.hardwareConcurrency – getting hardware information.
- XMLHttpRequest (XHR) – Transfers the collected system information to an external server after the page has loaded.
- ArrayBuffer – carrying out microarchitectural attacks like Specter.
- WebWorker (window.Worker), SharedArrayBuffer (window.SharedArrayBuffer) – attacks that estimate data access delays.
- Geolocation API (navigator.geolocation) – access to location information (the add-on allows you to distort the returned data).
- Gamepad API (navigator.getGamepads ()) – one of the identification signs, taking into account the presence of a gamepad in the system.
- Virtual Reality API, Mixed Reality API – using parameters of virtual reality devices for identification.
- window.name – – cross site leaks .
- navigator.sendBeacon – Used for web analytics.