12

HTML5 has a feature set relating to client battery status. It has been described as a privacy hole, as it can be used to track and identify web users. Research suggests the features can even be used to identify users using a VPN or private browsing mode.

Which browsers are affected, and how can I disable these features?

Gruber
  • 1,084
  • 1
  • 8
  • 19

2 Answers

8

Firefox

From Firefox 52, the battery API has been disabled and is only available to chrome/privileged code (I would assume add-ons fall into this category). For earlier versions, the battery API is enabled by default. It can be disabled by going to about:config and setting dom.battery.enabled to false. Changes take effect immediately on subsequent page loads.


Chrome & Android

Both the mobile and desktop versions are affected. This feature is enabled by default and there doesn't seem to be any way to disable it yet, though you shouldn't be using Chrome at all if you care about privacy.

The Android browser is affected since version 40, without any way to disable it either.


Internet Explorer

The feature is under consideration and isn't (yet?) implemented in any current versions.


Safari

This feature isn't currently implemented in any versions, neither desktop nor mobile.


Opera

Opera on desktop is affected; the feature is enabled without any way to disable it. Opera Mini isn't affected.


Here's a demo you can use to check whether you're vulnerable. There is also Can I use which provides fairly up to date information about which features are supported in browsers. I'll do my best to keep this answer up to date but I suggest you double check on there just in case something changed.

André Borie
  • 12,706
  • 3
  • 39
  • 76
1

I found a way to prevent the use of this API using JavaScript. Worked for me in Chrome and Firefox (desktop versions).

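(function(navi){
   // Wrap the real navigator in a Proxy that hides the battery entry points.
   var nnav = new Proxy(navi,{
      get:function(t,p){
         // Report getBattery() and the older battery property as undefined.
         if(p == "getBattery" || p == "battery"){
             return void(0);
         }
         // Bind methods to the real navigator so native calls keep working.
         if(t[p] instanceof Function){
             return t[p].bind(navi);
         }
         return t[p];
      },
      has:function(t,p){
         // Make feature checks such as ("getBattery" in navigator) return false.
         if(p == "getBattery" || p == "battery"){
            return false;
         }
         return p in navi;
      }
   });

   // Replace window.navigator with the Proxy and lock the property.
   Object.defineProperty(window,"navigator",{
      configurable: false,
      enumerable: false,
      value:nnav,
      writable:false,
   });
})(window.navigator);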

For desktop versions you could use Greasemonkey or such to run this script before any scripts in the document run, preventing any use of the API. For mobile devices the problem would be running it automatically before document scripts run. You could save it as a bookmarklet, but if the site's script runs before you run the bookmarklet it might store an unmodified navigator object. (Plus, you could forget the bookmarklet.)

JohnD03
  • 11
  • 1
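
A check that goes with both answers above, as an added example that is not part of the original posts: it reports whether `getBattery` or `battery` is reachable from a navigator object, whether the definition is still on the prototype chain behind an instance-level shim, and which values a page can read. `auditBatteryExposure`, `FakeNavigator`, `hideBattery` and the sample values are constructed for illustration.

```javascript
// Added example, not code from the original answers. Pass window.navigator in a
// browser console; the stand-ins further down are constructed so it runs in Node.
const BATTERY_FIELDS = ["charging", "level", "chargingTime", "dischargingTime"];

async function auditBatteryExposure(nav) {
  const report = { direct: [], onPrototype: false, readable: null };
  if (nav === null || typeof nav !== "object") return report;

  // Entry points named on this page: getBattery() and the older battery property.
  if (typeof nav.getBattery === "function") report.direct.push("getBattery");
  if (nav.battery !== undefined && nav.battery !== null) report.direct.push("battery");

  // A shim on the navigator object itself does not remove the definition from
  // the prototype chain, so report that separately.
  for (let p = Object.getPrototypeOf(nav); p !== null; p = Object.getPrototypeOf(p)) {
    if (Object.prototype.hasOwnProperty.call(p, "getBattery")) report.onPrototype = true;
  }

  // When the API is reachable, list the values a page script can read from it.
  if (report.direct.includes("getBattery")) {
    const manager = await nav.getBattery();
    report.readable = {};
    for (const field of BATTERY_FIELDS) report.readable[field] = manager[field];
  }
  return report;
}

// Constructed stand-in for a browser that exposes the API (values are made up).
class FakeNavigator {
  getBattery() {
    return Promise.resolve(
      { charging: false, level: 0.43, chargingTime: Infinity, dischargingTime: 8940 });
  }
}

// Hypothetical helper: the get/has traps of the Proxy shim from the second answer.
function hideBattery(nav) {
  const hidden = (p) => p === "getBattery" || p === "battery";
  return new Proxy(nav, {
    get: (t, p) => (hidden(p) ? undefined : typeof t[p] === "function" ? t[p].bind(t) : t[p]),
    has: (t, p) => !hidden(p) && p in t,
  });
}

// Stand-alone run: compare the exposed stand-in with the shimmed one.
auditBatteryExposure(new FakeNavigator()).then((r) => console.log("exposed:", r));
auditBatteryExposure(hideBattery(new FakeNavigator())).then((r) => console.log("shimmed:", r));
```

An empty `direct` list with `onPrototype` set to true means the shim is in effect on that navigator object while the browser itself still implements the API.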