strips x-client-data headers from outgoing requests

src/_locales/en_US/messages.json

@@ -129,6 +129,10 @@
         "message": "Prevent WebRTC from leaking local IP address",
         "description": "Checkbox label on the general settings page"
     },
+    "options_x_client_data_setting": {
+        "message": "Remove \"x-client-data\" header from outgoing requests",
+        "description": "Checkbox label on the general settings page for removing the x-client-data header on chromium browsers"
+    },
     "intro_welcome": {
         "message": "Privacy Badger automatically learns to block invisible trackers. Take a minute to see how.",
         "description": "Intro page welcome paragraph."

src/js/background.js

@@ -844,6 +844,7 @@ Badger.prototype = {
     learnLocally: false,
     migrationLevel: 0,
     preventWebRTCIPLeak: false,
+    removeXClientDataHeaders: false,
     seenComic: false,
     sendDNTSignal: true,
     showCounter: true,
@@ -1125,6 +1126,12 @@ Badger.prototype = {
     return this.getSettings().getItem("checkForDNTPolicy");
   },
 
+  isRemoveXClientDataHeaderEnabled: function() {
+    if (!chrome.runtime.getBrowserInfo) {
+      return this.getSettings().getItem("removeXClientDataHeaders");
+    }
+  },
+
   isFlocOverwriteEnabled: function() {
     if (document.interestCohort) {
       return this.getSettings().getItem("disableFloc");

src/js/options.js

@@ -168,6 +168,22 @@ function loadOptions() {
       });
   }
 
+  // only show the x-client-data header setting if in Chrome & Chromium browsers
+  // TODO: more accurate way to determine this is a Chrome or Chromium browser
+  if (!chrome.runtime.getBrowserInfo) {
+    $("#remove-x-client-data-toggle").show();
+    $("#toggle-x-client-data-header-mode")
+      .prop("checked", OPTIONS_DATA.settings.removeXClientDataHeaders)
+      .on("click", function () {
+        const removeXClientDataHeaders = $("#toggle-x-client-data-header-mode").prop("checked");
+
+        chrome.runtime.sendMessage({
+          type: "updateSettings",
+          data: { removeXClientDataHeaders }
+        });
+      });
+  }
+
   if (OPTIONS_DATA.webRTCAvailable && OPTIONS_DATA.legacyWebRtcProtectionUser) {
     $("#webRTCToggle").show();
     $("#toggle_webrtc_mode")

src/js/webrequest.js

@@ -203,14 +203,18 @@ function onBeforeSendHeaders(details) {
     type = details.type,
     url = details.url;
 
+  // option to remove x-client-data headers as well
+  const removeXClientData = badger.isRemoveXClientDataHeaderEnabled();
+
   if (_isTabChromeInternal(tab_id)) {
     // DNT policy requests: strip cookies
     if (type == "xmlhttprequest" && url.endsWith("/.well-known/dnt-policy.txt")) {
       // remove Cookie headers
       let newHeaders = [];
+
       for (let i = 0, count = details.requestHeaders.length; i < count; i++) {
         let header = details.requestHeaders[i];
-        if (header.name.toLowerCase() != "cookie") {
+        if (header.name.toLowerCase() != "cookie" || (removeXClientData && header.name.toLowerCase() != 'x-client-data')) {
           newHeaders.push(header);
         }
       }
@@ -256,10 +260,10 @@ function onBeforeSendHeaders(details) {
   if (action == constants.COOKIEBLOCK || action == constants.USER_COOKIEBLOCK) {
     let newHeaders;
 
-    // GET requests: remove cookie headers, reduce referrer header to origin
+    // GET requests: remove cookie (and x-client-data if option is set) headers, reduce referrer header to origin
     if (details.method == "GET") {
       newHeaders = details.requestHeaders.filter(header => {
-        return (header.name.toLowerCase() != "cookie");
+        return (header.name.toLowerCase() != "cookie" || (removeXClientData && header.name.toLowerCase() != 'x-client-data'));
       }).map(header => {
         if (header.name.toLowerCase() == "referer") {
           header.value = header.value.slice(
@@ -270,10 +274,10 @@ function onBeforeSendHeaders(details) {
         return header;
       });
 
-    // remove cookie and referrer headers otherwise
+    // remove cookie, referrer (and x-client-data if option is set) otherwise
     } else {
       newHeaders = details.requestHeaders.filter(header => {
-        return (header.name.toLowerCase() != "cookie" && header.name.toLowerCase() != "referer");
+        return (header.name.toLowerCase() != "cookie" && header.name.toLowerCase() != "referer" && (removeXClientData && header.name.toLowerCase() != 'x-client-data'));
       });
     }
 

src/skin/options.html

@@ -252,6 +252,14 @@ <h4 class="i18n_options_advanced_settings"></h4>
           </span>
         </label>
       </div>
+      <div class="checkbox" id="remove-x-client-data-toggle" style="display:none">
+        <label>
+          <input type="checkbox" id="toggle-x-client-data-header-mode">
+          <span>
+            <span class="i18n_options_x_client_data_setting"></span>
+          </span>
+        </label>
+      </div>
 
     </form>
   </div>