[tbb-bugs] #19048 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF45esr
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Feb 25 13:47:39 UTC 2017
#19048: Review Firefox Developer Docs and Undocumented bugs since FF45esr
--------------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: task | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ff52-esr, TorBrowserTeam201702 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor: Sponsor4
--------------------------------------------+--------------------------
Comment (by mcs):
And here are our notes for Firefox 49:
a) Graphite font rendering has been re-enabled. We need to decide if we
want to disable it again or not.
b) Mozilla switched to compiling with Intel SSE2. We could do the same,
although it would mean that Tor Browser would not run on some really old
CPUs. Mozilla modified their Windows installer to notify and refuse to
install if the CPU does not support SSE2.
https://bugzilla.mozilla.org/show_bug.cgi?id=1271759
c) Kathy and I cannot think of any fingerprinting or linkability risks
associated with the Web Speech API, but it is a big new thing:
https://developer.mozilla.org/en-US/docs/Web/API/Web_Speech_API
https://bugzilla.mozilla.org/show_bug.cgi?id=1268633
d) We should verify that the "Network ID" is not even computed when
Telemetry is disabled. At least I would feel better if it was not.
https://bugzilla.mozilla.org/show_bug.cgi?id=1240932
e) The Bookmarks Toolbar is automatically shown when the user adds a
bookmark to it. This will change the window size, but maybe this is used
rarely enough that we do not care?
https://bugzilla.mozilla.org/show_bug.cgi?id=1219788
f) The window.isSecureContext API is interesting but may not add any
fingerprinting or linkability risks. We should think about whether
features that are being made "HTTPS only" should also be available on
.onion sites.
https://developer.mozilla.org/en-US/docs/Web/API/Window/isSecureContext
g) As part of our release procedures, do we double-check the HPKP
expiration? Mozilla seems to have bugs for each release, e.g.,
https://bugzilla.mozilla.org/show_bug.cgi?id=1307530
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19048#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list