Brave still fails valve fingerprintjs (missing etag protection)

[ghost]

Description

Recently, there was an article about fingerprintjs and how brave is transiting to randomizing the values.
When trying the demo over : https://fingerprintjs.com/demo
brave fingerprint gets recorded, even after changing the settings to blocking all fingerprints and cross site cookies and trackers.
This issue also happens when setting the browser to clear everything as brave blog demonstrated.

Brave might not be removing etags as it's used in the demo.
Is Brave currently implementing etag protection?

Steps to Reproduce

1. make sure you are blocking fingerprints
2. Go to: https://fingerprintjs.com/demo
3. Close tab/browser. Try opening the site again.
4. Fingerprint and log is still there.

Actual result:

Fingerprint get recorded and stays the same.

Expected result:

Brave should be able to randomize the result.

Reproduces how often:

Easily reproduced

Brave version (brave://version info)

1.8.59 Chromium: 81.0.4044.83 (Official Build) nightly (64-bit)
this also affects the latest stable release.

Version/Channel Information:

• Can you reproduce this issue with the current release? yes
• Can you reproduce this issue with the beta channel? probably
• Can you reproduce this issue with the dev channel? probably
• Can you reproduce this issue with the nightly channel? yes

Other Additional Information:

• Does the issue resolve itself when disabling Brave Shields? no
• Does the issue resolve itself when disabling Brave Rewards? no
• Is the issue reproducible on the latest version of Chrome? yes

Miscellaneous Information:

Current Workaround: The easiest workaround available right now that can make the site change fingerprint and ensure everything is deleted is to block all fingerprints through the shield.
Then installing site bleacher/cookie autodelete, and privacy possom.
The reason being: site bleacher/cookie autodelete will delete everything after leaving the domain. privacy possom will remove the etag used in the website. (brave shield doesn't seem to block that). After adding these extensions, brave browser will be able to produce a new fingerprint.

Note: privacy possom works by itself when setting brave to delete everything after each launch. This indicates that what's missing in the brave shield is etag protection.

[bsclifton]

cc: @pes10k

[pes10k]

Yep, fingerprinting protections are a cat and mouse game. The farbling features we've pushed already (and that are shipping in nightly) addresses canvas / webGL readback and web audio fingerprinting techniques. The full set of protections we're aiming for are here #8787, and currently under development.

You can see that these currently shipping protectons are working as expected (you can arbitrarily change the canvas and audio output and the fingerprint isn't affected), so the fingerprinting protection's we've shipped are already proving useful (since they give the fingerprinter less material to fingerprinting against). When we complete the 2.0 defenses, things will be even stronger.

https://brave.com/whats-brave-done-for-my-privacy-lately-episode-4-fingerprinting-defenses-2-0/ has more information as well.

@bsclifton I suggest marking this as a dupe, and we can just point to #8787 going forward.

If we need a second issue for eTAGs we can create one too (let me know if you'd like me too). We should be careful to not mix up etags and fingerpritning in general though, since they're very different problems (one is stateless, one is stateful).

@maljaroudi thank you for the issue! Please follow #8787 for further work on this!

[bsclifton]

Closing as a duplicate of #8787 😄