Whitelisting with default profile does not disable options

[TeaDrinkingProgrammer]

Prerequisites

Please use issues for bugs only! Answer the following questions for yourself before submitting an issue: YOU MAY DELETE THE PREREQUISITES SECTION.

• I am running the latest version
• I checked the documentation and found no answer
• I checked to make sure that this issue has not already been filed

Expected Behavior

Expect Chameleon to be fully disabled when whitelisting a website. I need some websites to not be modified by Chameleon, like my calender (I need UTC timezone to be disabled)

Current Behavior

Chameleon only disables user agent spoofing, not the other options

Relevant settings

Context (Environment)

{
  "config": {
    "enabled": true,
    "notificationsEnabled": false,
    "theme": "dark",
    "reloadIPStartupDelay": 0,
    "hasPrivacyPermission": true
  },
  "excluded": [
    "win4-ie",
    "win1-edg",
    "win1-esr",
    "win1-esr2",
    "win1-ff",
    "win1-gcr",
    "win1-ie",
    "win2-ie",
    "win3-ie",
    "win2-edg",
    "win2-esr",
    "win2-esr2",
    "win2-ff",
    "win2-gcr",
    "win3-edg",
    "win3-esr",
    "win3-esr2",
    "win3-ff",
    "win3-gcr",
    "win4-esr",
    "win4-esr2"
  ],
  "headers": {
    "blockEtag": true,
    "enableDNT": false,
    "referer": {
      "disabled": false,
      "xorigin": 0,
      "trimming": 0
    },
    "spoofAcceptLang": {
      "enabled": true,
      "value": "default"
    },
    "spoofIP": {
      "enabled": true,
      "option": 0,
      "rangeFrom": "",
      "rangeTo": ""
    }
  },
  "ipRules": [],
  "options": {
    "cookieNotPersistent": false,
    "cookiePolicy": "reject_trackers_and_partition_foreign",
    "blockMediaDevices": false,
    "blockCSSExfil": true,
    "disableWebRTC": true,
    "firstPartyIsolate": false,
    "limitHistory": true,
    "protectKBFingerprint": {
      "enabled": true,
      "delay": 1
    },
    "protectWinName": true,
    "resistFingerprinting": true,
    "screenSize": "default",
    "spoofAudioContext": true,
    "spoofClientRects": true,
    "spoofFontFingerprint": true,
    "spoofMediaDevices": true,
    "timeZone": "default",
    "trackingProtectionMode": "private_browsing",
    "webRTCPolicy": "default",
    "webSockets": "allow_all"
  },
  "profile": {
    "selected": "random",
    "interval": {
      "option": 60,
      "min": 1,
      "max": 1
    },
    "showProfileOnIcon": true
  },
  "version": "0.22.49.1",
  "whitelist": {
    "enabledContextMenu": true,
    "defaultProfile": "none",
    "rules": [
      {
        "id": "af3b403a-8502-4626-81af-134c4e6ff929",
        "name": "Default",
        "sites": [
          {
            "domain": "https://brightspace.avans.nl"
          },
          {
            "domain": "https://rooster.avans.nl"
          },
          {
            "domain": "https://duckduckgo.com"
          },
          {
            "domain": "cloud.van-houwelingen.net"
          }
        ],
        "lang": "en-US",
        "profile": "none",
        "spoofIP": "",
        "options": {
          "audioContext": false,
          "clientRects": false,
          "cssExfil": false,
          "mediaDevices": false,
          "name": false,
          "ref": false,
          "tz": false,
          "ws": false
        }
      }
    ]
  }
}

118.0

[sereneblue]

Hi @TeaDrinkingProgrammer,

The issue seems to be the resist fingerprinting option. When a user checks that option, Firefox's RFP feature is enabled. Chameleon's whitelist can only control things that Chameleon is directly spoofing. Unfortunately, RFP does tend to break sites, so you have to be careful when using it.

[TeaDrinkingProgrammer]

I don't think that's the case, because when I disable/remove the plugin, the page works again. It also specifically gives me a warning about the UTC timezone with Chameleon enabled but not when it is disabled:
With Chameleon: "The automatically detected timezone is UTC. This is probably due to a security-measure by your browser. Set the timezone manually in the settings". The dark theme also disables.

Without Chameleon:

[sereneblue]

If you disable/remove Chameleon, RFP could be disabled. The only options that can modify the timezone in Chameleon is the timezone spoofing or enabling resist fingerprinting. If UTC is being shown and you're not spoofing the timezone to be UTC, RFP is very likely to be enabled. You can confirm this by leaving the spoof timezone value as default and disabling RFP in Chameleon and reloading the page you're experiencing issues with. RFP would also explain why the dark theme is not being used.

[v0ff4k]

Very disappointed with addon, after update, i realize that white list is useless, on all sites i see:

<script id="chameleon">.... whatever content is xml or json (

[sereneblue]

@TeaDrinkingProgrammer Were you able to confirm if RFP was active?

@v0ff4k That script is normally removed, it was only visible due to debug code accidentally included in the v0.22.57 version. It's fixed now in the latest version. Some settings that Chameleon can toggle, like RFP and cookie policy override, are browser level preferences that override extenstions. Unfortunately, there isn't a way to exempt domains for those settings using the WebExtension API.