make sure we have necessary fixes from Ungoogled Chromium

[diracdeltas]

People often ask how Brave compares to https://github.com/Eloston/ungoogled-chromium. This is a tracking issue to go through all the patches and options set in https://github.com/Eloston/ungoogled-chromium and make sure we have any that should be applied to Brave.

[rht]

I had gone through the inox-patchset (which is also applied in ungoogled-chromium) to find the mapping with the existing patches.

1. 1 Fix building without safebrowsing. N/A since the safebrowsing endpoint is rerouted to safebrowsing.brave.com (

   brave-browser/lib/config.js

   Line 40 in 14478b7

   this.safeBrowsingApiEndpoint = getNPMConfig(['safe_browsing_api_endpoint']) || 'safebrowsing.brave.com'

   ).
2. 2 Fix building without reporting. N/A since error reporting is available (rerouted to Brave servers), but disabled by default.
3. 3 Disable autofill download manager. make sure we have necessary fixes from Ungoogled Chromium #1431 (comment)
4. 4 Disable google url tracker. brave/brave-core@d49d88e
5. 5 Disable default extensions. Pending Add a comment specifying where to override existing GN config values brave-core#980.
6. 6 Modify default prefs. Some of them have been set in browser/brave_profile_prefs.cc, excpet for: kOfferTranslateEnabled, kBackgroundModeEnabled, kAutofillEnabled, kBuiltInDnsClientEnabled, kSignInPromoShowOnFirstRunAllowed, kCloudPrintConnectNewPrinters, kLocalDiscoveryNotificationsEnabled, kSafeBrowsingEnabled, kCredentialsEnableService, kCredentialsEnableAutosignin have yet to be disabled. kSignInPromoUserSkipped has yet to be enabled.
7. 7 Disable web resource service. https://github.com/brave/brave-core/blob/master/patches/chrome-browser-plugins-plugins_resource_service.cc.patch
8. 8 Restore classic ntp. make sure we have necessary fixes from Ungoogled Chromium #1431 (comment)
9. 9 Disable google ipv6 probes. Do not use Google DNS for IPv6 probes #2324
10. 10 Disable gcm status check. https://github.com/brave/brave-core/blob/master/patches/components-gcm_driver-gcm_client_impl.cc.patch
11. 11 Add ddg. https://github.com/brave/brave-core/blob/master/components/search_engines/brave_prepopulated_engines.cc
12. 12 Branding. N/A
13. 13 Disable missing key warning. brave/brave-core@53c9843
14. 14 Disable translation language fetch. https://github.com/brave/brave-core/blob/master/patches/components-translate-core-browser-translate_url_fetcher.cc.patch
15. 15 Disable update pings. make sure we have necessary fixes from Ungoogled Chromium #1431 (comment)
16. 16 Add -fPIE compilation flag. Not google-specific but helps to harden the binary.
17. 17 Disable new avatar menu. Not sure if required.
18. 18 Disable first run behavior. https://github.com/brave/brave-core/blob/master/patches/chrome-browser-ui-startup-startup_tab_provider.cc.patch
19. 19 Disable battery status service. make sure we have necessary fixes from Ungoogled Chromium #1431 (comment)
20. 20 Launcher branding. N/A
21. 21 Disable RLZ. RLZ is an identifier on where Chrome was downloaded and its installation week.

Other than disabling cloud print cloud print is disabled at https://github.com/brave/brave-core/blob/a07948dd2cb553cb7650d879b81f05f6f5bdcb35/browser/brave_profile_prefs.cc#L76-L80, but the extension is still installed. Patches 8 and 9, in particular, probably should be applied soon.

[rht]

Patches that are specific to ungoogled-chromium (https://github.com/Eloston/ungoogled-chromium/tree/master/patches/ungoogled-chromium), part 1/3.

note: items marked with '*', in my opinion, are optional (not specific to disconnecting from Google servers)

• u1 add-flag-for-search-engine-collection
• * u2 add-flag-to-configure-extension-downloading. This is optional.
• u3 add-flag-to-disable-beforeunload
• * u4 add-flag-to-enable-potentially-annoying-security-features. This is optional since it is not specifically about disconnecting from Google servers.
• u5 add-flag-to-force-punycode-hostnames. Upstream's policy: https://www.chromium.org/developers/design-documents/idn-in-google-chrome . (option to always show punycode encoding of international domain names #17232)
• * u6 add-flag-to-show-avatar-button. This is optional.
• u7 add-flag-to-stack-tabs
• * u8 add-ipv6-probing-option. This is optional since the ipv6 probe has been patched away from Google DNS in inox-patchset.
• * u9 add-suggestions-url-field. This is optional.
• u10 add-third-party-ungoogled. N/A
• * u11 block-trk-and-subdomains. Only relevant if the Iridium patch is applied.
• * u12 clear-http-auth-cache-menu-item. This is optional.

[pilgrim-brave]

3 Autofill download manager is disabled by modifying the command line in https://github.com/brave/brave-core/blob/master/app/brave_main_delegate.cc

[pilgrim-brave]

15 Disable update pings ... Brave implements its own configurator in https://github.com/brave/brave-core/blob/master/browser/component_updater/brave_component_updater_configurator.cc

[pilgrim-brave]

8 Restore classic ntp ... Brave implements its own new tab page, see for example https://github.com/brave/brave-core/blob/master/browser/ui/webui/brave_new_tab_ui.cc and related files

[pilgrim-brave]

19 Disable battery API ... this was originally disabled in brave/brave-core#114 and is still disabled, although the code looks different now. See https://github.com/brave/brave-core/blob/master/chromium_src/third_party/blink/renderer/modules/battery/battery_manager.cc for latest code.

[rht]

13 Disable missing key warning ... this is covered by brave/brave-core@53c9843.

[vordenken]

19 Disable battery API ... this was originally disabled in brave/brave-core#114 and is still disabled, although the code looks different now. See https://github.com/brave/brave-core/blob/master/chromium_src/third_party/blink/renderer/modules/battery/battery_manager.cc for latest code.

I tested my fingerprint using brave with https://amiunique.org/fp and the site can still access the battery api?
This is what the site reports back:

I would love to use brave as my main browser but this and a lot of other stuff is really weird to me. A "privacy-browser" should lock down these fingerprinting options as good as possible. For example, why can a website read my installed addons? Makes a lot of users unique just by this. EDIT: After posting, I read the newest changelog which includes information about this. So this point apparently is resolved.
Other fingerprinting apis that are not necessary and disabled in firefox by default:

• Keyboard layout
• Connection
  (Probably more but I'm no expert)

Safari also just gives default values back for stuff like fonts, which would also be a great idea.

[pes10k]

I'm going to close this out as non-actionable for the time being, and since its been quiet for about 1.5 years, and since all of the mentioned issues in the comments have been addressed. If more things come up we should grab or align w/ Ungoogled Chromium on though, lets open up more issues for them specifically