qwq
July 20, 2023, 4:31pm
1
One of the main contributors to Bromite has now officially forked it and created Cromite.
Cromite a Bromite fork with ad blocking and privacy enhancements; take back your browser!
Uazo has been maintaining a Bromite dev/test build for a while now over at GitHub - uazo/bromite-buildtools: my build machine for bromite development. In the latest release there’s an announcement that new releases will be in the new Cromite repository linked above.
Note: there aren’t any binaries released in the Cromite “releases” page yet.
We’ll probably want to wait and see how the project does for a while before considering it.
2 Likes
Still no 32-bit support, and updates can take up to two weeks.
1 Like
Cromite seems to be promising, but it blocks automatic HTTPS upgrades and Content Security Policy reports, which harm security.
1 Like
jonah
(Jonah Aragon)
July 26, 2023, 2:35am
5
I don’t see how blocking CSP reports harms security, and HTTPS-only mode is enabled by default. CSP reports can be used to fingerprint installed extensions:
opened 03:39PM - 09 Dec 20 UTC
Many websites nowadays use a security technology called [Content Security Policy… (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) to limit what attackers can do in case of compromise on the site. When deployed with strict settings this prevents any use of `eval` or `<script>` tags to execute JavaScript code on-the-fly: All of the page's scripts (and also CSS, etc) must be served from a set of trusted origins specified in the policy instead. This rule also applies to any scripts injected by extensions using `window.eval` or `document.createElement("script")`.
The above would only render NanoDefender Pro ineffective on such sites, however CSP includes another feature that many sites use to monitor the issues caused by their CSP in the field called `report-uri`: Using this, a site can specify an arbitrary URL to be pinged whenever the browser detects a CSP violation. This again includes violations caused by extension scripts, like on the following example page (https://mm-csp-example.herokuapp.com/ was set up to test a related CSP issue with another extension):
```json
{
"csp-report": {
"blocked-uri": "inline",
"column-number": 33,
"document-uri": "https://mm-csp-example.herokuapp.com/",
"line-number": 214,
"original-policy": "default-src 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; report-uri https://mm-csp-example.herokuapp.com/report_csp",
"referrer": "",
"source-file": "moz-extension://22f938b7-43d7-410d-91c6-80262d30dbd7/content/core.js",
"violated-directive": "script-src"
}
}
```
This can even include “samples” of the blocked content like in the following real-world example of undisclosed origin:
```json
{
"csp-report": {
"blocked-uri": "inline",
"column-number": 33,
"document-uri": "…",
"line-number": 214,
"original-policy": "default-src 'none'; connect-src 'self' …; font-src 'self' … data:; img-src 'self' … data: …; script-src 'report-sample' 'self' 'unsafe-eval' …; object-src …; manifest-src …; media-src …; style-src 'self' 'unsafe-inline'; frame-src …; worker-src …; report-uri …/csp",
"referrer": "…",
"script-sample": "(() => {\n try {\n let _…",
"source-file": "moz-extension://22f938b7-43d7-410d-91c6-80262d30dbd7/content/core.js",
"violated-directive": "script-src"
}
}
```
If that isn't a textbook example of a perfect fingerprinting vector based on the list of installed non-CSP-compliant extensions then I don't know. Even without the “script sample”, the combination of “just” the script name and line and column numbers is likely enough to uniquely identify every CSP violating extension in existence. And as I've discovered today, yours is by far not the only extension causing these kinds of reports to be generated.
So how to fix this? Well, the [inject](https://github.com/LiCybora/NanoDefenderFirefox/blob/2006d69afdefbbb2dcd1b2dca31bb2a516efc4d1/src/content/core.js#L209-L224) function and everything calling it will have to be rewritten in terms of the recommendations of the MDN article on [Sharing objects with page scripts](https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/Sharing_objects_with_page_scripts). In particular this means: Accessing page objects only through the `.wrappedJSObject` accessor (“X-Ray Vision”) and exporting objects from the content-script to the page scope using `exportFunction`/`cloneInto` only. Unfortunately, this whole concept is completely foreign to Chromium-based browsers (where using `window.eval` and related techniques is indeed the right thing to do), so the whole code currently in place needs to be retained if you want to continue supporting non-Firefox browsers as well.
Further reading…
3 Likes
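The quoted issue describes the vector in prose. What follows is an added example, not code from Cromite or from the issue's author, of what a site's `report-uri` endpoint can compute from such reports. It runs offline under Node.js; the set of extension URL schemes it matches and the second, site-originated sample report are assumptions constructed for the example. It goes one step beyond the issue text by also recording the extension origin's host: Firefox generates the `moz-extension` UUID per profile, so that value identifies the user as well as the extension, while a Chromium extension ID is fixed per extension.

```javascript
// Added example, not code from Cromite or from the quoted GitHub issue.
// Shows what a report-uri endpoint can extract from the CSP violation
// reports a content-script-injecting extension triggers. Node.js, no
// third-party modules (WHATWG URL is built in).

// Schemes browsers use for extension-origin scripts (assumption: these
// three are the only ones this example needs to match).
const EXTENSION_SCHEMES = new Set([
  'moz-extension:',
  'chrome-extension:',
  'safari-web-extension:',
]);

// Parse a legacy (report-uri) CSP report body: {"csp-report": {...}}.
// Returns the inner report object, or null for anything malformed.
function parseCspReport(body) {
  let parsed;
  try {
    parsed = typeof body === 'string' ? JSON.parse(body) : body;
  } catch {
    return null;
  }
  const report = parsed && parsed['csp-report'];
  return report && typeof report === 'object' ? report : null;
}

// Derive the fingerprintable facts from one report. Returns null when the
// violation did not originate in an extension script (e.g. an inline script
// belonging to the site), the only case a legitimate deployment needs.
function extensionFingerprint(report) {
  const src = report['source-file'];
  if (typeof src !== 'string') return null;
  let url;
  try {
    url = new URL(src);
  } catch {
    return null;
  }
  if (!EXTENSION_SCHEMES.has(url.protocol)) return null;
  const scheme = url.protocol.slice(0, -1);
  const line = report['line-number'];
  const column = report['column-number'];
  return {
    scheme,
    // Firefox: per-profile random UUID (identifies the user too).
    // Chromium: stable per-extension ID.
    extensionId: url.host,
    path: url.pathname,
    line,
    column,
    // UUID-independent: script path plus line and column is the combination
    // the issue calls "likely enough to uniquely identify" an extension.
    extensionKey: `${scheme}:${url.pathname}:${line}:${column}`,
    // Present only when the policy carries 'report-sample'.
    scriptSample:
      typeof report['script-sample'] === 'string' ? report['script-sample'] : null,
  };
}

// Fold all reports one visitor generated into a sorted, deduplicated list
// of extension keys: the list of installed non-CSP-compliant extensions.
function fingerprintVisitor(reportBodies) {
  const keys = new Set();
  for (const body of reportBodies) {
    const report = parseCspReport(body);
    const fp = report && extensionFingerprint(report);
    if (fp) keys.add(fp.extensionKey);
  }
  return [...keys].sort();
}

// Sample input: the first report quoted above, verbatim, plus a constructed
// report for an inline script that belongs to the site itself.
const REPORT_FROM_EXTENSION = JSON.stringify({
  'csp-report': {
    'blocked-uri': 'inline',
    'column-number': 33,
    'document-uri': 'https://mm-csp-example.herokuapp.com/',
    'line-number': 214,
    'original-policy':
      "default-src 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; report-uri https://mm-csp-example.herokuapp.com/report_csp",
    referrer: '',
    'source-file': 'moz-extension://22f938b7-43d7-410d-91c6-80262d30dbd7/content/core.js',
    'violated-directive': 'script-src',
  },
});
const REPORT_FROM_SITE = JSON.stringify({
  'csp-report': {
    'blocked-uri': 'inline',
    'column-number': 1,
    'document-uri': 'https://mm-csp-example.herokuapp.com/',
    'line-number': 12,
    'source-file': 'https://mm-csp-example.herokuapp.com/',
    'violated-directive': 'script-src',
  },
});

function demo() {
  return {
    extension: extensionFingerprint(parseCspReport(REPORT_FROM_EXTENSION)),
    site: extensionFingerprint(parseCspReport(REPORT_FROM_SITE)),
    visitor: fingerprintVisitor([REPORT_FROM_EXTENSION, REPORT_FROM_SITE, 'not json']),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

A browser that never sends CSP reports, as the post above says Cromite does, gives this endpoint nothing to work with; the policy is still enforced in the browser, since `report-uri` only adds reporting on top of enforcement.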
I found a fork of Bromite browser called Cromite which was mentioned in the Libreware channel on Telegram.
Cromite is the up-to-date version of Bromite, but how could I trust this developer like the developer of Bromite?
Cromite github page: GitHub - uazo/cromite: Cromite a Bromite fork with ad blocking and privacy enhancements; take back your browser!
lepras
September 11, 2023, 12:54pm
7
I have been using Bromite for quite a while now. It seemed to be the only good enough ungoogled Chromium option on Android.
When Bromite became unmaintained, sadness clouded me.
Cromite made me happy; at least it’s better from a UX perspective. The readme seems pretty nice, the issue resolutions seem nice. All in all, it’s giving me nice vibes, but of course time will tell.
Why don’t you use Brave? If you disable the crypto stuff and rewards, are there any advantages Bromite/Cromite provide over Brave?
@Tech-Trooper
Unlike Bromite/Cromite, Brave still contains proprietary components.
6 Likes
anonymous84
(anonymous84)
September 11, 2023, 9:07pm
10
The guy who is working on Cromite was a major contributor to the original Bromite.
4 Likes
lepras
September 12, 2023, 10:20am
11
We need a Cromite vs Brave mobile showdown fr fr
1 Like
obzen
September 12, 2023, 3:34pm
12
To get an answer to your question, you should explain why you trusted the main developer of Bromite.
jonah
(Jonah Aragon)
October 17, 2023, 8:10pm
13
Quickly looking through the releases since July, I’m not seeing examples of this being the case… I found a couple of releases which were ~4 days delayed around a month ago, but otherwise I’m largely seeing updates in about a day. It looks like they (semi?) automated updates with GitHub Actions, which is cool.
Also your excellent https://divestos.org/misc/ch-dates.txt page shows Cromite at 117 despite them releasing 118 five days ago. Not to like tell you what to do or anything, but if you added a Cromite column to the more detailed history section I’m sure I and others would appreciate it, since Bromite is dead and Cromite’s gained ~1000 GitHub stars in the last 2 months.
2 Likes
Sharply
October 17, 2023, 8:05pm
15
Hmmm, wasn’t aware of that. Does Brave enable CFI on their Android builds in comparison?
The issue with this, and also with comparing dates, is that they do not ship the actual stable channel versions.
This makes it difficult to line up with the rest, and while “updated”, they may not actually be updated.
I covered this version issue previously back in the Bromite days: 106.0.5249.163 is missing the recent zero-day fix · bromite/bromite · Discussion #2421 · GitHub
1 Like
yes
October 17, 2023, 8:29pm
17
To my understanding, CFI is… a good thing?
Could you elaborate?
1 Like
@yes
CFI largely eliminates an entire class of security vulnerabilities.
@Sharply
I don’t think Brave ships with CFI.
1 Like
Sharply
October 17, 2023, 8:36pm
19
I think it’s still worth considering then, since Brave is the current recommendation, so it wouldn’t be a decrease from that. Though it would be nice if they did enable CFI, it appears they don’t due to it causing issues and crashing, see here.
@Sharply
Yes, but while Brave may not have CFI, at least it has a small army of developers behind it to quickly push out updates.
Vanadium has fixed these issues twice now.