[tbb-bugs] #22074 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF52esr
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jun 8 20:14:48 UTC 2018
#22074: Review Firefox Developer Docs and Undocumented bugs since FF52esr
Reporter: gk | Owner: tbb-team
Type: task | Status: new
Priority: Very High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ff60-esr, TorBrowserTeam201806 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
Comment (by mcs):
Here are the items that Kathy and I found so far that we do not think are
covered by other open tickets:
 * Support for the `dom.enable_user_timing` pref, which we set to `false`,
   has been removed. We may need to restore support for this pref.

 * Support for CSS masks was added and may represent a fingerprinting risk
   (e.g., if behavior is different for different platforms or GPUs).

 * Support for CSS Transition events was added (transitionstart,
   transitionrun, and transitioncancel). This may pose risks similar to CSS
   animations; see #18273.

 * Support for these WebGL extensions was added. We should verify that both
   are disabled by our setting `webgl.disable-extensions` to `false`.

 * The SVGGeometryElement interface has been partially implemented. We should
   verify that it does not add a fingerprinting risk due to methods such as
   SVGGeometryElement.getPointAtLength() which locates a point part way along
   an arbitrary path.

 * Support for CSS clip-path on shapes was added. We should verify that this
   does not have any associated fingerprinting risks. There was a pref to
   disable this feature, but support for the pref was removed during the
   ESR60 development cycle.

 * As we know, support for HTTP 1.x pipelining was removed. We should remove
   the related prefs from browser/app/profile/000-tor-browser.js

 * The date and time <input> types are now enabled. We should verify that
   this does not leak the user's locale, e.g., if the input field dimensions
   are different in different locales. There is a `dom.forms.datetime` pref
   that may be used to remove support for these <input> types.

 * window.requestIdleCallback() is now available. We should determine whether
   it may be used to learn too much about the performance of the user's
   computer/device, or if there are other timing leaks we want to avoid. This
   can be disabled by setting `dom.requestIdleCallback.enabled` to `false`.

 * Support for the Intersection Observer API was added. It "provides a way to
   asynchronously observe changes in the intersection of a target element
   with an ancestor element or with a top-level document's viewport." and may
   add linkability or fingerprinting risks.

 * The window.pageYOffset/pageXOffset/scrollX/scrollY properties now return
   data with subpixel accuracy. We think this means "half pixels on a macOS
   Retina or other high resolution display." Does this pose any
   fingerprinting risks? We may already round these when
   `privacy.resistFingerprinting` is `true`.

 * A name property was added to Worker() and SharedWorker(). We don't think
   this adds any new linkability risks though since workers can already
   communicate via messages.

 * Support for <link rel="preload"> was added in Firefox 56 but it was
   disabled in Firefox 57 "because of various web compatibility issues." We
   should verify that this is still disabled or ensure that it is subject to

 * Support was added for some new system color values (`-moz-win-accentcolor`
   and `-moz-win-accentcolortext`) as well as a
   `-moz-windows-accent-color-in-titlebar` media query. It looks like the
   colors are correctly spoofed when `ui.use_standins_for_native_colors` =
   `true` but the media query may add a fingerprinting risk.

 * Hardware-based encoding for media is now enabled by default on Android. We
   are not sure if this is a problem or not.

 * Various international APIs and enhancements to existing APIs were added.
   We should review them to make sure locale info, etc. is not leaked when
   `privacy.resistFingerprinting` is `true`.

 * Firefox now implements a TLS handshake timeout with a default value of 30
   seconds. Previously, it was a lot longer (maybe the same as the system TCP
   connect timeout, which is typically on the order of 10 minutes). We should
   decide whether we need a longer timeout for Tor-based browsing, e.g., 2 or

 * As of Firefox 59, Apple's HTTPS Live Streaming (HLS) protocol is supported
   on Android for both audio and video. We should audit this or at least look
   at how it is implemented. Mozilla says: "There is not currently any plan
   to implement it on Firefox Desktop."

 * The Web Authentication API has been enabled. We should audit it or at
   least understand it better, or we should disable it by setting
   `security.webauth.webauthn` = `false`.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22074#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
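
An added example, not part of the ticket comment and not Tor Browser code: a small audit of a Firefox prefs file against the pref values the comment names, which also flags prefs the comment says are no longer honoured. The sample file, the pipelining pref name in it, and `dom.forms.datetime` = `false` are assumptions.

```python
import re

# Matches Firefox pref lines such as: pref("name", value);
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Values named in the comment above. dom.forms.datetime=false is an
# assumption: the comment only says the pref "may be used".
EXPECTED = {
    "privacy.resistFingerprinting": "true",
    "ui.use_standins_for_native_colors": "true",
    "dom.requestIdleCallback.enabled": "false",
    "security.webauth.webauthn": "false",
    "dom.forms.datetime": "false",
}
# Pref the comment reports as no longer supported in ESR60.
REMOVED = {"dom.enable_user_timing"}

def parse_prefs(text):
    """Return {name: raw value} for every pref()/user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def audit(text):
    """Return sorted (kind, pref) findings: missing, mismatch or stale."""
    prefs = parse_prefs(text)
    findings = []
    for name, want in EXPECTED.items():
        got = prefs.get(name)
        if got is None:
            findings.append(("missing", name))
        elif got != want:
            findings.append(("mismatch", name))
    for name in prefs:
        # Pipelining support was removed, so any such pref is dead weight.
        if name in REMOVED or "pipelining" in name:
            findings.append(("stale", name))
    return sorted(findings)

# Constructed sample, not the real 000-tor-browser.js.
SAMPLE = '''
pref("privacy.resistFingerprinting", true);
pref("dom.enable_user_timing", false);
pref("network.http.pipelining", true);
pref("dom.requestIdleCallback.enabled", true);
pref("security.webauth.webauthn", false);
'''

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
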