GitLab

at 2024-09-02T11:54:45+02:00

fixup! Bug 42472: Spoof timezone in XSLT.

Revert "Bug 42472: Spoof timezone in XSLT."

This reverts commit 7bdf1f4f6cd90346da288435564ca67d1b0e58e5.

Bug 1891690: Return GMT when RFPTarget::JSDateTimeUTC is enabled. r=timhuang

Differential Revision: https://phabricator.services.mozilla.com/D216411
Bug 1912129: Reduce time precision for EXSLT date time function. r=timhuang

Differential Revision: https://phabricator.services.mozilla.com/D218783
Bug 42774: Always hide the third-pary certs UI.

     let canConfigureThirdPartyCerts =

       (AppConstants.platform == "win" || AppConstants.platform == "macosx") &&

       typeof Services.policies.getActivePolicies()?.Certificates

-        ?.ImportEnterpriseRoots == "undefined";

+        ?.ImportEnterpriseRoots == "undefined" &&

+      !AppConstants.BASE_BROWSER_VERSION;

     document.getElementById("certEnableThirdPartyToggleBox").hidden =

       !canConfigureThirdPartyCerts;

 ["browser_timezone.js"]

 lineno = "176"

+

+["browser_exslt_timezone_load.js"]

+

+["browser_exslt_time_precision.js"]
+/**

+ * Bug 1912129 - A test case for verifying EXSLT date will report second-precise

+ *               time fingerprinting resistance is enabled.

+ */

+

+function getTime(tab) {

+  const extractTime = function () {

+    const xslText = `

+    <xsl:stylesheet version="1.0"

+                    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"

+                    xmlns:date="http://exslt.org/dates-and-times"

+                    extension-element-prefixes="date">

+      <xsl:output method="text" />

+      <xsl:template match="/">

+        <xsl:value-of select="date:date-time()" />

+      </xsl:template>

+    </xsl:stylesheet>`;

+

+    const parser = new DOMParser();

+    const xsltProcessor = new XSLTProcessor();

+    const xslStylesheet = parser.parseFromString(xslText, "application/xml");

+    xsltProcessor.importStylesheet(xslStylesheet);

+    const xmlDoc = parser.parseFromString("<test />", "application/xml");

+    const styledDoc = xsltProcessor.transformToDocument(xmlDoc);

+    const time = styledDoc.firstChild.textContent;

+

+    return time;

+  };

+

+  const extractTimeExpr = `(${extractTime.toString()})();`;

+

+  return SpecialPowers.spawn(

+    tab.linkedBrowser,

+    [extractTimeExpr],

+    async funccode => content.eval(funccode)

+  );

+}

+

+add_task(async function test_new_window() {

+  await SpecialPowers.pushPrefEnv({

+    set: [

+      ["privacy.fingerprintingProtection", true],

+      ["privacy.fingerprintingProtection.overrides", "+ReduceTimerPrecision"],

+    ],

+  });

+

+  // Open a tab for extracting the time from XSLT.

+  const tab = await BrowserTestUtils.openNewForegroundTab({

+    gBrowser,

+    opening: TEST_PATH + "file_dummy.html",

+    forceNewProcess: true,

+  });

+

+  for (let i = 0; i < 10; i++) {

+    // eslint-disable-next-line mozilla/no-arbitrary-setTimeout

+    await new Promise(res => setTimeout(res, 25));

+

+    // The regex could be a lot shorter (e.g. /\.(\d{3})/) but I wrote the whole

+    // thing to make sure the time is in the expected format and to allow us

+    // to re-use this regex in the future if we need to.

+    // Note: Date format is not locale dependent.

+    const regex = /\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.(\d{3})[-+]\d{2}:\d{2}/;

+    const time = await getTime(tab);

+    const [, milliseconds] = time.match(regex);

+

+    is(milliseconds, "000", "Date's precision was reduced to seconds.");

+  }

+

+  BrowserTestUtils.removeTab(tab);

+  await SpecialPowers.popPrefEnv();

+});
+/**

+ * Bug 1891690 - A test case for verifying EXSLT date will use Atlantic/Reykjavik

+ *               timezone (GMT and "real" equivalent to UTC) after fingerprinting

+ *               resistance is enabled.

+ */

+

+function getTimeZone(tab) {

+  const extractTime = function () {

+    const xslText = `

+    <xsl:stylesheet version="1.0"

+                    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"

+                    xmlns:date="http://exslt.org/dates-and-times"

+                    extension-element-prefixes="date">

+      <xsl:output method="text" />

+      <xsl:template match="/">

+        <xsl:value-of select="date:date-time()" />

+      </xsl:template>

+    </xsl:stylesheet>`;

+

+    const parser = new DOMParser();

+    const xsltProcessor = new XSLTProcessor();

+    const xslStylesheet = parser.parseFromString(xslText, "application/xml");

+    xsltProcessor.importStylesheet(xslStylesheet);

+    const xmlDoc = parser.parseFromString("<test />", "application/xml");

+    const styledDoc = xsltProcessor.transformToDocument(xmlDoc);

+    const time = styledDoc.firstChild.textContent;

+

+    return time;

+  };

+

+  const extractTimeExpr = `(${extractTime.toString()})();`;

+

+  return SpecialPowers.spawn(

+    tab.linkedBrowser,

+    [extractTimeExpr],

+    async funccode => content.eval(funccode)

+  );

+}

+

+add_task(async function test_new_window() {

+  await SpecialPowers.pushPrefEnv({

+    set: [

+      ["privacy.fingerprintingProtection", true],

+      ["privacy.fingerprintingProtection.overrides", "+JSDateTimeUTC"],

+    ],

+  });

+

+  // Open a tab for extracting the time zone from XSLT.

+  const tab = await BrowserTestUtils.openNewForegroundTab({

+    gBrowser,

+    opening: TEST_PATH + "file_dummy.html",

+    forceNewProcess: true,

+  });

+

+  SpecialPowers.Cu.getJSTestingFunctions().setTimeZone("America/Toronto");

+  const timeZone = await getTimeZone(tab);

+

+  ok(timeZone.endsWith("+00:00"), "Timezone was spoofed.");

+

+  BrowserTestUtils.removeTab(tab);

+  await SpecialPowers.popPrefEnv();

+});
       // http://exslt.org/date/functions/date-time/

       PRExplodedTime prtime;

-      PR_ExplodeTime(PR_Now(),

-                     nsContentUtils::ShouldResistFingerprinting(

-                         "We are not allowed to access the document at this "

-                         "stage (we are given a txEarlyEvalContext context).",

-                         RFPTarget::JSDateTimeUTC)

-                         ? PR_GMTParameters

-                         : PR_LocalTimeParameters,

-                     &prtime);

+      Document* sourceDoc = getSourceDocument(aContext);

+      NS_ENSURE_STATE(sourceDoc);

+

+      PRTimeParamFn timezone =

+          sourceDoc->ShouldResistFingerprinting(RFPTarget::JSDateTimeUTC)

+              ? PR_GMTParameters

+              : PR_LocalTimeParameters;

+

+      PRTime time =

+          sourceDoc->ShouldResistFingerprinting(RFPTarget::ReduceTimerPrecision)

+              ? (PRTime)nsRFPService::ReduceTimePrecisionAsSecs(

+                    (double)PR_Now() / PR_USEC_PER_SEC, 0,

+                    RTPCallerType::ResistFingerprinting) *

+                    PR_USEC_PER_SEC

+              : PR_Now();

+      PR_ExplodeTime(time, timezone, &prtime);

       int32_t offset =

           (prtime.tm_params.tp_gmt_offset + prtime.tm_params.tp_dst_offset) /

 bool txEXSLTFunctionCall::isSensitiveTo(ContextSensitivity aContext) {

   if (mType == txEXSLTType::NODE_SET || mType == txEXSLTType::SPLIT ||

-      mType == txEXSLTType::TOKENIZE) {

+      mType == txEXSLTType::TOKENIZE || mType == txEXSLTType::DATE_TIME) {

     return (aContext & PRIVATE_CONTEXT) || argsSensitiveTo(aContext);

   }

   return argsSensitiveTo(aContext);

Pier Angelo Vendrame pushed to branch base-browser-128.2.0esr-14.0-1 at The Tor Project / Applications / Tor Browser

Commits:

5 changed files:

Changes: