Fuzzyfox[0] is an implementation of a research idea that severely limits the data that can be extracted by timing side channels exploited by untrusted JavaScript. It effectively provides a knob that allows one to control the amount of data that can be extracted by controlling the coarseness and fuzziness of the clock used by the browser. In comparison to our existing clock fuzziness enabled now, it operates in the context of the entire browser, rather than just the explicit timers and clocks exposed to untrusted JavaScript - therefore it also mitigates the data that can be extracted by constructed clocks relying on e.g. web animations.
Unfortunately it does not address the fact that Shared Array Buffer can be turned into a precise timer, it was written in the early days of SAB and produces its results by disabling it.
We landed it two years ago[1], and had intended to explore it further if needed for Spectre, as well as see if it could be used practically to mitigate the multiple and various timing attacks that have been demonstrated in browsers to steal user browser history, cross-application user activity, cross-origin images or frame data, etc etc.
We've never gotten to that examination, and it seems that we might never; so in the interest of clarity and cleanliness it makes sense to remove it.
Presently, if you enable privacy.fuzzyfox.enabled you will switch over to Fuzzyfox mode. You will probably experience some jank and bowser slowdown. Fuzzyfox affects the entire browser, and that does include sleeping on the main thread[2] in certain circumstances. Had time been available, the next steps would have been to get profiles of poor browser behavior under Fuzzyfox, and try to understand why they were occuring. (Setting privacy.fuzzyfox.clockgrainus too coarse would cause expected slowness, but 250 ought to be a usable number, ideally 1000.)
This work will be done in https://bugzilla.mozilla.org/show_bug.cgi?id=1666222
-tom
[0] https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presen... [1] https://bugzilla.mozilla.org/show_bug.cgi?id=fuzzyfox [2] https://searchfox.org/mozilla-central/rev/02cb78667e87ccc42fea5edc6f3f2dd2ed...