As Firefox on Android does not offer it, I’ve developed an Add-on some time ago which integrates PDF.js for PDF viewing:
The problem is, that I actually inject parts of PDF.js into foreign websites and by doing that, expose my Add-on UUID. As this is “random” for this Add-on installation, at least in theory it allows to identify this exact browser.
What would you recommend to reduce this risk somewhat? Is this actually an issue as only a few people are using my Add-on and probably noone will care about fingerprinting it?
I could think of an webRequest.onBeforeRequest hook combined with webRequest/filterResponseData. This would in theory allow me to fake any random host name as source for my resources and catch it with my filter to deliver the contents. This approach would still allow to know that my Add-on is used, but at least I would no longer have a unique identifier per browser. Another small advantage would be that scripts, delivered this way, are no longer “privileged” in any way (same origin policy applies).