[tbb-bugs] #19048 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF45esr

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Mar 14 20:55:07 UTC 2017


#19048: Review Firefox Developer Docs and Undocumented bugs since FF45esr
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-team
     Type:  task                                 |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-must,              |  Actual Points:
  TorBrowserTeam201703, GeorgKoppen201703        |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:  Sponsor4
-------------------------------------------------+-------------------------

Comment (by gk):

 Replying to [comment:13 mcs]:
 > Here are a few items for Firefox 50:
 >
 > a) We need to determine if the File and Directory Entries API adds any
 > fingerprinting or linkability risk.
 >  https://developer.mozilla.org/en-US/docs/Web/API/File_and_Directory_Entries_API

 That is #21742.

 > b) When reviewing bugs, Kathy and I noticed that there seem to be a lot
 > of crasher bugs associated with DOM Animation, e.g., UAF bugs. I think
 > this is disabled by default via:
 >  dom.animations-api.core.enabled = false
 > or maybe we also need to add the following if we want to turn it off
 > completely?
 >  dom.animations-api.element-animate.enabled
 > This might be something for the security slider eventually.

 Have you checked whether those crasher bugs ever made it into releases?
 The current metric for the slider was looking at sec-high and sec-critical
 bugs that got fixed on the release channel. Just looking at mozilla50
 might spoil our metrics.

 > c) As part of our release procedures, do we double-check the HPKP
 > expiration? We do not want to have a repeat of the problem where the pins
 > expired. Mozilla seems to have bugs for each release, e.g.,
 >  https://bugzilla.mozilla.org/show_bug.cgi?id=1307530

 Hey, that got mentioned in the mozilla49 notes already (see my reply in
 the previous comment). :)

 Additional things I have:

 d) The HTML Drag and Drop API is new and enabled by default, allowing
 multiple items to be dragged and dropped (see:
 https://bugzilla.mozilla.org/show_bug.cgi?id=906420,
 https://bugzilla.mozilla.org/show_bug.cgi?id=1289255, and
 https://bugzilla.mozilla.org/show_bug.cgi?id=1298243). I opened #21741.

 e) Mozilla ships its own emoji font on Windows/Linux; we should make sure
 that does not interfere with our font fingerprinting defense (see:
 https://bugzilla.mozilla.org/show_bug.cgi?id=1231701). That's #21740.

 f) SPDY 3.1 is disabled, so we can get rid of the pref we set
 (https://bugzilla.mozilla.org/show_bug.cgi?id=1287132). That is actually
 ripped out in Firefox 51. I opened #21739.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19048#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

