[tor-bugs] #12609 [TorBrowserButton]: HTML5 fullscreen API makes TB fingerprintable, disable it!
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Aug 22 14:16:03 UTC 2014
#12609: HTML5 fullscreen API makes TB fingerprintable, disable it!
----------------------------------+--------------------------------
Reporter: cypherpunks | Owner: mikeperry
Type: defect | Status: needs_revision
Priority: major | Milestone:
Component: TorBrowserButton | Version:
Resolution: | Keywords: tbb-fingerprinting
Actual Points: | Parent ID:
Points: |
----------------------------------+--------------------------------
Comment (by faether):
Replying to [comment:18 mikeperry]:
> Just about the only thing that would convince me otherwise is if this
fingerprinting could be done invisibly, without the user becoming aware of
it via a full screen video suddenly playing.
It can. The element does not have to be a video, and we can exit
fullscreen mode right away (without user interaction) after the screen
dimensions have been extracted.
Here's a v2 proof of concept that leaves fullscreen after 500 ms.
Obviously this flicker could be reduced much further (100 ms worked fine,
10 ms didn't), but I'm not familiar enough with JavaScript and FS API race
conditions to try.
https://rawgit.com/anonymous/eceb468086375f942c2f/raw/36ea4683bdba6315e828026a9a97f23fba775320/fs-v2.html
It's true that the proper fix would be to open the permission dialog
''before'' entering fullscreen mode, but I hope we can use this pref as a
temporary bugfix until then.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12609#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list