[tor-bugs] #1517 [Tor Browser]: Provide JS with reduced time precision

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri May 8 06:41:28 UTC 2015


#1517: Provide JS with reduced time precision
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:
  mikeperry              |     Status:  needs_review
         Type:           |  Milestone:
  enhancement            |    Version:
     Priority:  major    |   Keywords:  backport-to-mozilla, tbb-torbutton,
    Component:  Tor      |  tbb-fingerprinting-time-highres, ff38-esr,
  Browser                |  TorBrowserTeam201505R, PearlCrescent201505R
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:  10       |
-------------------------+-------------------------------------------------

Comment (by mikeperry):

 Replying to [comment:30 mcs]:
 > Replying to [comment:25 mikeperry]:
 > > Here's a patch that should make all JS clock sources and event
 timestamps have 100ms resolution, except for keypress events, which should
 have 250ms resolution: https://gitweb.torproject.org/user/mikeperry/tor-
 browser.git/commit/?h=bug1517. It also clamps internal usage of
 DOMHighResTimestamps to 1 microsecond, to avoid internal sidechannels and
 other leaks.
 >
 > Kathy and I reviewed this and the changes look OK.  It is hard to say
 what might break though.
 >
 > One question: do you know how the ToMilliseconds() and ToMicroseconds()
 calls inside xpcom/ds/TimeStamp.h are exposed to web content?  Is
 ToSeconds() exposed as well?  If so, we should also reduce the resolution
 of values returned by ToSeconds().

 ToMicroseconds() is exported to content by window.performance.now(). I
 think ToMilliseconds the underlying call to obtain the timesource for
 nsDOMEvents (though at the moment I'm not 100% certain exactly what made
 me believe this, but some casual grepping shows that it is used everywhere
 in the codebase). I didn't touch ToSeconds() because its implementation is
 highly platform dependent, and it is only used in the animation code. It
 did not appear exposed directly to content.

 I will verify all this with deeper inspection tomorrow.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1517#comment:31>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list