[tbb-bugs] #18545 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF38esr

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Apr 29 20:32:28 UTC 2016


#18545: Review Firefox Developer Docs and Undocumented bugs since FF38esr
--------------------------------------------+--------------------------
 Reporter:  gk                              |          Owner:  tbb-team
     Type:  task                            |         Status:  new
 Priority:  Very High                       |      Milestone:
Component:  Applications/Tor Browser        |        Version:
 Severity:  Critical                        |     Resolution:
 Keywords:  ff45-esr, TorBrowserTeam201604  |  Actual Points:
Parent ID:                                  |         Points:
 Reviewer:                                  |        Sponsor:  SponsorU
--------------------------------------------+--------------------------

Comment (by brade):

 Kathy and I reviewed all of the release notes and developer docs for
 Firefox 39-45. We have not yet looked at the complete bug lists
 (comment:17). Here are some things that might be worth another look (some
 of these may have been looked at in more detail by gk already):

 CacheStorage. It seems that this can be used by Web Workers and regular JS
 code (not just by Service Workers).
 https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage

 Server logging. This is kind of a strange feature: server applications can
 return an X- HTTP header to cause items to be logged to the developer
 console. Maybe it is only done when the console is open and the user is
 monitoring network requests (I am not sure). Kathy and I do not like the
 idea that this is enabled, but it may be harmless.
 https://developer.mozilla.org/en-
 US/docs/Tools/Web_Console/Console_messages#Server

 window.screen.orientation. This is possibly a fingerprinting vector unless
 it always returns "landscape-primary" on desktop Firefox (it may still be
 an issue for Orfox). Or did we decide that applications can derive this
 kind of info from the window size/aspect ratio anyway?
 https://developer.mozilla.org/en-US/docs/Web/API/Screen/orientation

 Navigator.onLine. This can be used to monitor the connected state of a
 user's computer. We can disable it by setting network.manage-offline-
 status = false.
 https://developer.mozilla.org/en-US/docs/Web/API/NavigatorOnLine/onLine

 Enable H.264 if system decoder is available (Linux). Kathy and I do not
 know enough about the world of video decoders to know if this could be a
 significant fingerprinting vector.
 https://bugzilla.mozilla.org/show_bug.cgi?id=1213499

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18545#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tbb-bugs mailing list