<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle20
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:859515878;
mso-list-type:hybrid;
mso-list-template-ids:-1397879206 269025295 269025305 269025307 269025295 269025305 269025307 269025295 269025305 269025307;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-CA" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p><span style="mso-fareast-language:EN-US">Hi </span>Kevin,<o:p></o:p></p>
<p>This is a great idea!<o:p></o:p></p>
<p>I have a few optional nitpicks:<o:p></o:p></p>
<ol start="1" type="1">
<li style="mso-list:l0 level1 lfo1">Rather than check if the website supports HTTPS or if it loads JS over HTTPS, it might be worth considering just checking if it works in HTTPS-only mode (in other words, if there was *<b>any</b>* non-HTTPS content.) This
seems more timely with Firefox and other browsers slowing rolling out HTTPS-only modes.<o:p></o:p></li><li style="mso-list:l0 level1 lfo1">I am not sure if auto-play is necessarily a bad thing. IRCC even non-tbb browsers like brave stop auto-play and make certain media click-to-play.<o:p></o:p></li><li style="mso-list:l0 level1 lfo1">It may not be the case that the APIs blocked or fuzzed by Tor Browser are necessarily bad, for instance, people may use the canvas for good (like cropping images or converting formats) so it may be worth emphasizing that
in the wording (compared to say the HTTPS test where you could be more forceful).<o:p></o:p></li><li style="mso-list:l0 level1 lfo1">Also, as usual, this list is subject to change, so it might be valuable to have an update mechanism in place from the start.<o:p></o:p></li></ol>
<p>Thanks again for sharing your idea here.<o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Best,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Sanketh<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> tbb-dev <tbb-dev-bounces@lists.torproject.org>
<b>On Behalf Of </b>Kevun<br>
<b>Sent:</b> Friday, April 09, 2021 11:19 AM<br>
<b>To:</b> tbb-dev@lists.torproject.org; ux@lists.torproject.org<br>
<b>Subject:</b> [tbb-dev] Tor Browser Friendliness Scanner: Seeking Feedback<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hello all! <o:p></o:p></p>
<p>After a year away from my Tor related research, I'm finally back at it. As I've introduced in the past [1] I wanted to build a Tor Browser Friendliness scanner that would scan the web and rate the Tor Browser friendliness of web pages. Unfortunately time
got away from me for personal reasons, but I finally got the chance to work on the scanner and I feel it's close to being ready to run.
<o:p></o:p></p>
<p>To re-introduce the concept: the scanner checks a web page for evidence of some activity that would likely cause the site to not render or run properly on the Tor Browser. This includes the tests listed below, which are motivated by the Tor Browser Design
Document [2] and our own experiences analyzing what broke on the Tor Browser during analysis of some randomly selected websites.
<o:p></o:p></p>
<p><b><u>Tests</u></b><o:p></o:p></p>
<p>1. Checks to see if the site supports HTTPS. If not, there's a problem. <br>
2. Checks to see if the site serves JavaScript over HTTP. If not, there could be a problem on the Safer setting of the Tor Browser Security Slider,
<br>
3. Checks to see if there is auto-played media or hidden media. This could cause issues on the Safer setting of the Tor Browser Security Slider.
<br>
4. Checks to see if there is any evidence of usage of the following JavaScript libraries/functionalities. These were taken from the draft of the Tor Browser Design Document.
<br>
01. asm <br>
02. battery status <br>
03. game pad <br>
04. graphite <br>
05. media devices <br>
06. navigator online <br>
07. sensor <br>
08. network connection <br>
09. touch <br>
10. web audio <br>
11. webgl <br>
12. webrtc <br>
13. web speech <br>
14. HTML canvas <br>
5. Checks to see if the page contains JAR files or Flash files. <br>
6. Checks to see if the page contains chrome:// or <a href="resource://">resource://</a> links.<o:p></o:p></p>
<p>Given this information, I have a few questions. <o:p></o:p></p>
<p>1. What other tests should I add, if any? <br>
2. Is there any other feedback on this idea that you'd like to provide?<o:p></o:p></p>
<p>Please keep in mind that I intend on releasing the source code soon. At the moment it's in an "academic code" state, and I want to clean it up before release.<o:p></o:p></p>
<p>Thanks,<o:p></o:p></p>
<p>Kevin <o:p></o:p></p>
<p>References:<o:p></o:p></p>
<p>[1] <a href="https://lists.torproject.org/pipermail/tor-dev/2019-March/013731.html">
https://lists.torproject.org/pipermail/tor-dev/2019-March/013731.html</a><o:p></o:p></p>
<p>[2] <a href="https://2019.www.torproject.org/projects/torbrowser/design/">https://2019.www.torproject.org/projects/torbrowser/design/</a><o:p></o:p></p>
</div>
</body>
</html>