[tbb-bugs] #19048 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF45esr
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Mar 13 16:14:49 UTC 2017
#19048: Review Firefox Developer Docs and Undocumented bugs since FF45esr
-------------------------------------------------+-------------------------
Reporter: gk | Owner: tbb-
| team
Type: task | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ff52-esr, tbb-7.0-must, | Actual Points:
TorBrowserTeam201703, GeorgKoppen201703 |
Parent ID: | Points:
Reviewer: | Sponsor:
| Sponsor4
-------------------------------------------------+-------------------------
Comment (by gk):
Replying to [comment:12 mcs]:
> And here are our notes for Firefox 49:
>
> a) Graphite font rendering has been re-enabled. We need to decide if we
want to disable it again or not.
I opened #21726.
> b) Mozilla switched to compiling with Intel SSE2. We could do the same,
although it would mean that Tor Browser would not run on some really old
CPUs. Mozilla modified their Windows installer to notify and refuse to
install if the CPU does not support SSE2.
> https://bugzilla.mozilla.org/show_bug.cgi?id=1271759
The updater part is #19316 and the installer #21704.
> c) Kathy and I cannot think of any fingerprinting or linkability risks
associated with the Web Speech API, but it is a big new thing:
> https://developer.mozilla.org/en-US/docs/Web/API/Web_Speech_API
> https://bugzilla.mozilla.org/show_bug.cgi?id=1268633
Yeah, I think this is fine. Both synthesis and recognition seem to be off
anyway. pref("media.webspeech.synth.enabled", false);
pref("media.webspeech.recognition.enable", false);
> d) We should verify that the "Network ID" is not even computed when
Telemetry is disabled. At least I would feel better if it was not.
> https://bugzilla.mozilla.org/show_bug.cgi?id=1240932
#21727. Might have sandboxing implications as well as it needs
/proc/net/arp access on Linux e.g.
> e) The Bookmarks Toolbar is automatically shown when the user adds a
bookmark to it. This will change the window size, but maybe this is used
rarely enough that we do not care?
> https://bugzilla.mozilla.org/show_bug.cgi?id=1219788
Hm. I think that falls under #16456
> f) The window.isSecureContext API is interesting but may not add any
fingerprinting or linkability risks. We should think about whether
features that are being made "HTTPS only" should also be available on
.onion sites.
> https://developer.mozilla.org/en-US/docs/Web/API/Window/isSecureContext
Yes, this is a nice thing to look at, I opened #21728.
> g) As part of our release procedures, do we double-check the HPKP
expiration? Mozilla seems to have bugs for each release, e.g.,
> https://bugzilla.mozilla.org/show_bug.cgi?id=1307530
No, we don't right now. Mozilla has HPKP enabled for addons.mozilla.org
and other measures implemented
(https://bugzilla.mozilla.org/show_bug.cgi?id=1303127#c13). I think that's
okay until we solve this properly.
Other things I have:
h) Flyweb landed which seems crazy (https://wiki.mozilla.org/FlyWeb and
https://hacks.mozilla.org/2016/09/flyweb-pure-web-cross-device-
interaction) but it is disabled in ESR 52 (`dom.flyweb.enabled` is
`false`).
i) Canvas CSS/SVG filters are enabled by default
(https://bugzilla.mozilla.org/show_bug.cgi?id=1173545). We have #16341 for
that.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19048#comment:23>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list