[tbb-bugs] #21787 [Applications/Tor Browser]: Make sure exposing the calendar information does not leak the locale

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Aug 14 12:57:15 UTC 2018


#21787: Make sure exposing the calendar information does not leak the locale
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-team
     Type:  task                                 |         Status:  needs_revision
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-fingerprinting, ff60-esr         |  Actual Points:
  TorBrowserTeam201808                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by gk):

 * keywords:  tbb-fingerprinting, ff60-esr TorBrowserTeam201808R =>
     tbb-fingerprinting, ff60-esr TorBrowserTeam201808
 * status:  needs_review => needs_revision


Comment:

 Replying to [comment:7 arthuredelstein]:
 > This API remains chrome-only. I think there's no intention to expose it
 > to content. So I would suggest closing this ticket.

 Ugh, that took me quite some time... What do you mean by "chrome-only"?
 It seems content might be able to get a user to trigger the API via the
 `<input>` element, no? See
 https://blog.nightly.mozilla.org/2017/06/12/datetime-inputs-enabled-on-nightly/
 for some examples: there is definitely a localization component that is
 exposed to content. Not sure if JS can be made to access that directly but
 I bet that at least the resulting rendering differences might give a hint
 about a possibly used locale. This is "no issue" for the Tor Browser alpha
 but only as our content policy hack breaks this feature. We are about to
 remove it, though.

 See: https://bugzilla.mozilla.org/show_bug.cgi?id=1283384 and
 https://bugzilla.mozilla.org/show_bug.cgi?id=1329589 for some context.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21787#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

