Hi Ben, interesting stuff indeed, thanks for sharing.

Some of these features should be merged into the main surf repo, I 
think:

- [PATCH 04/13] Disable useless webkit features that could harm
  privacy.

Sounds good to me.

- [PATCH 05/13] Do not trigger a download for subframes that webkit
  cannot handle.

Presuming that would stop websites which use flash from causing surf 
to download crap.swf, and similar annoyances, then yes, definitely.

- [PATCH 07/13] add random entropy to user-agent and accept-language
  headers.

I definitely like the idea, but wonder whether the solution in the 
patch is a bit overkill. After all, if we're basically just trying 
to defeat hashing correlations, then one random byte at the end of 
each variable should be enough. Also, unless I'm misreading it, am I 
correct in thinking the user-agent string is fully random? I'm 
currently using one from an oldish firefox, to reduce 
fingerprintability a bit, and I get annoying warnings on github and 
a few other places as a result - isn't it better to use a common-ish 
UA string with some random crap on the end, so most stupid websites 
won't do something annoying?

- [PATCH 09/13] Need this to apparently prevent a race condition 
  when calling SETPROP() right after setatom().
- [PATCH 10/13] about:blank seems to not be needed for webkit, and
  makes a distinction without a difference, causing mismatches in 
  URI comparison code.

As I read the commit messages for these they're fixing straight-up
bugs in surf.

I haven't tested these patches yet, but they look sensible.

Nick
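
The suggestion made above for PATCH 07 (a common-ish UA string with one random byte on the end), sketched as an added example; this is not code from the patch or from surf. `BASE_UA`, `salt_ua`, `header_hash`, `sniffs_as_firefox` and `random_byte` are hypothetical names, the base string is constructed, and FNV-1a stands in for whatever header hashing a correlating site might do.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed base value: a common-looking UA, not taken from the patch. */
static const char BASE_UA[] =
    "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0";

/* Write "<base> <two hex digits>" into out.
 * Returns the length written, or -1 if out is too small. */
int salt_ua(const char *base, uint8_t rnd, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s %02x", base, rnd);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* FNV-1a (64-bit) over the header value, standing in for a site that
 * correlates visits by hashing request headers (an assumption). */
uint64_t header_hash(const char *s)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Naive UA sniffing of the kind behind "unsupported browser" warnings. */
int sniffs_as_firefox(const char *ua)
{
    return strstr(ua, "Gecko/") != NULL && strstr(ua, "Firefox/") != NULL;
}

/* One random byte per browser start; returns 0 on success, -1 on failure. */
int random_byte(uint8_t *b)
{
    FILE *f = fopen("/dev/urandom", "rb");
    int ok = f != NULL && fread(b, 1, 1, f) == 1;
    if (f) fclose(f);
    return ok ? 0 : -1;
}

int main(void)
{
    char ua[256];
    uint8_t r;
    if (random_byte(&r) != 0 || salt_ua(BASE_UA, r, ua, sizeof ua) < 0)
        return 1;
    printf("User-Agent: %s\nhash=%016llx firefox-like=%d\n", ua,
           (unsigned long long)header_hash(ua), sniffs_as_firefox(ua));
    return 0;
}
```

Two runs print the same recognisable prefix with different hashes, so prefix-based browser sniffing still matches while an exact hash of the header value does not.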
