[tbb-bugs] #29348 [Applications/Tor Browser]: Add userChrome to Tor Browser to spoof scrollbars to reduce fingerprinting surface

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Feb 6 05:52:53 UTC 2019

#29348: Add userChrome to Tor Browser to spoof scrollbars to reduce fingerprinting
 Reporter:  concerneduser             |          Owner:  tbb-team
     Type:  enhancement               |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:  Tor: unspecified
 Severity:  Normal                    |     Resolution:
 Keywords:  scrollbar fingerprinting  |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by Thorin):

 The viewport will be standardized in
 https://bugzilla.mozilla.org/show_bug.cgi?id=1407366 and you will not be
 able to calculate the scrollbar width. I assume - i.e. I am not entirely
 sure where the scrollbar ends up in this patch - against the edge of the
 inner window, or in the viewport

 Also note #22137 exists

 > Tor reports different values for the useragent in the HTTP header
 (Windows) and the JS navigator obj (Linux). This is strange

 Not at all. It's a compromise (see #26146 if you want a LONG read)
 JS/navigator reveals 4 OSes (due to breakage), but HTTP Headers is limited
 to 2 (to reduce entropy). Sites that provide functionality based on
 OS/platform use JS naturally to detect that. But not all is lost, because
 hopefully, when https://bugzilla.mozilla.org/show_bug.cgi?id=1519122
 lands, the JS/navigator can be reduced back to 2 OSes

 > there are other fingerprinting vectors that can still give your OS away

 Indeed. The fonts differ between Tor Browser bundles. See
 - the `[css] os` result.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29348#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list