[tor-bugs] #16090 [Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF31esr

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue May 19 01:40:28 UTC 2015


#16090: Review Firefox Developer Docs and Undocumented bugs since FF31esr
-------------------------+-------------------------------------------------
     Reporter:           |      Owner:  mikeperry
  mikeperry              |     Status:  new
         Type:  task     |  Milestone:
     Priority:  normal   |    Version:
    Component:  Tor      |   Keywords:  ff38-esr, TorBrowserTeam201505,
  Browser                |  MikePerry201505
   Resolution:           |  Parent ID:
Actual Points:           |
       Points:           |
-------------------------+-------------------------------------------------

Comment (by mikeperry):

 Firefox 38:
  * Fingerprinting concerns:
   * KeyboardEvent.location and especially KeyboardEvent.code may leak
 keyboard hardware details
   * https://developer.mozilla.org/en-US/docs/Web/HTML/Element/picture has
 device-specific media queries
   * The User Timing API (Performance.*) may be another high-res timesource
   * https://developer.mozilla.org/en-US/docs/Web/API/TextEncoder may leak
 OS encoding differences?
  * Tracking issues:
   * https://developer.mozilla.org/en-US/docs/Web/API/BroadcastChannel
 allows cross-site communication
   * https://developer.mozilla.org/en-US/docs/Web/API/GlobalFetch/fetch and
 https://developer.mozilla.org/en-US/docs/Web/API/Request may need caching
 isolation
   * WebSockets are available in WebWorkers. We need to double-check
 against fresh DNS leaks.

 Firefox 37:
  * Fingerprinting concerns:
    * https://developer.mozilla.org/en-US/docs/Web/API/KeyboardEvent.key#Key_values
    * https://developer.mozilla.org/en-US/docs/Web/API/OfflineAudioContext
 may leak OS information about audio processing capabilities?
  * Tracking issues:
    * IndexedDB is available to WebWorkers. We should verify it remains
 disabled.

 Firefox 36:
  * Fingerprinting:
    * WebGL 2.0
    * https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/enumerateDevices
 may leak info about connected hardware
    * https://developer.mozilla.org/en-US/docs/Web/API/AnimationPlayer may
 expose high-res timestamps?
  * Tracking concerns:
    * https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Symbol
 claims to be runtime-wide. I wonder if there are any potential leaks here?
    * EME first appeared
  * General notes:
    * -remote was removed from the command line args. Does this mean our
 remoting prevention hacks may break?

 Firefox 35:
  * Fingerprinting:
    * https://developer.mozilla.org/en-US/docs/Web/API/NavigatorLanguage
    * Canvas filters: https://developer.mozilla.org/en-US/docs/Web/API/CanvasRenderingContext2D/filter
    * Resource Timing API
 (https://bugzilla.mozilla.org/show_bug.cgi?id=1002855)
    * ImageCapture API may leak hardware details (like camera
 availability)?

 Firefox 34:
  * Fingerprinting:
    * Performance.now is exposed to WebWorkers

 Firefox 33:
  * Nothing I noticed

 Firefox 32:
  * Fingerprinting:
    * https://developer.mozilla.org/en-US/docs/Web/API/NavigatorLanguage.languages
 and https://developer.mozilla.org/en-US/docs/Web/Events/languagechange.
  * Tracking:
    * https://developer.mozilla.org/en-US/docs/Web/API/Data_Store_API off
 by default, but we'll want to keep an eye on this

 I will be editing this comment as I dig into all of these items in more
 detail.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16090#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

