[tbb-bugs] #19048 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF45esr

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Mar 14 20:55:07 UTC 2017

#19048: Review Firefox Developer Docs and Undocumented bugs since FF45esr
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  task                                 |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-must,              |  Actual Points:
  TorBrowserTeam201703, GeorgKoppen201703        |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor4

Comment (by gk):

 Replying to [comment:13 mcs]:
 > Here are a few items for Firefox 50:
 > a) We need to determine if the File and Directory Entries API adds any
 fingerprinting or linkability risk.
 >  https://developer.mozilla.org/en-

 That is #21742.

 > b) When reviewing bugs, Kathy and I noticed that there seem to be a lot
 of crasher bugs associated with DOM Animation, e.g., UAF bugs. I think
 this is disabled by default via:
 >  dom.animations-api.core.enabled = false
 > or maybe we also need to add the following if we want to turn it off
 >  dom.animations-api.element-animate.enabled
 > This might be something for the security slider eventually.

 Have you checked whether those crasher bugs made it ever into releases?
 The current metric for the slider was looking at sec-high and sec-critical
 bugs that got fixed on the release channel. Just looking at mozilla50
 might spoil our metrics.

 > c) As part of our release procedures, do we double-check the HPKP
 expiration? We do not want to have a repeat of the problem where the pins
 expired. Mozilla seems to have bugs for each release, e.g.,
 >  https://bugzilla.mozilla.org/show_bug.cgi?id=1307530

 Hey, that got mentioned in the mozilla49 notes already (see my reply in
 the previous comment). :)

 Additional things I have:

 d) The HTML Drag and Drop API is new and enabled by default allowing
 multiple items to being dragged and dropped (see:
 https://bugzilla.mozilla.org/show_bug.cgi?id=1289255, and
 https://bugzilla.mozilla.org/show_bug.cgi?id=1298243). I opened #21741.

 e) Mozilla ships an own emoji font on Windows/Linux, we should make sure
 that does not interfere with our font fingerprinting defense (see:
 https://bugzilla.mozilla.org/show_bug.cgi?id=1231701). That's #21740.

 f) SPDY 3.1 is disabled, we can get rid of our pref we set
 (https://bugzilla.mozilla.org/show_bug.cgi?id=1287132). That is actually
 ripped out in Firefox 51. I opened #21739.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19048#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list