[tor-bugs] #12609 [TorBrowserButton]: HTML5 fullscreen API makes TB fingerprintable, disable it!

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Aug 22 14:16:03 UTC 2014


#12609: HTML5 fullscreen API makes TB fingerprintable, disable it!
----------------------------------+--------------------------------
     Reporter:  cypherpunks       |      Owner:  mikeperry
         Type:  defect            |     Status:  needs_revision
     Priority:  major             |  Milestone:
    Component:  TorBrowserButton  |    Version:
   Resolution:                    |   Keywords:  tbb-fingerprinting
Actual Points:                    |  Parent ID:
       Points:                    |
----------------------------------+--------------------------------

Comment (by faether):

 Replying to [comment:18 mikeperry]:

 > Just about the only thing that would convince me otherwise is if this
 fingerprinting could be done invisibly, without the user becoming aware of
 it via a full screen video suddenly playing.

 It can. The element does not have to be a video, and we can exit
 fullscreen mode right away (without user interaction) after the screen
 dimensions have been extracted.

 Here's a v2 proof of concept that leaves fullscreen after 500 ms.
 Obviously this flicker could be reduced much further (100 ms worked fine,
 10 ms didn't), but I'm not familiar enough with JavaScript and FS API race
 conditions to try.

 https://rawgit.com/anonymous/eceb468086375f942c2f/raw/36ea4683bdba6315e828026a9a97f23fba775320/fs-v2.html

 It's true that the proper fix would be to open the permission dialog
 ''before'' entering fullscreen mode, but I hope we can use this pref as a
 temporary bugfix until then.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12609#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list