[tor-bugs] #18545 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF38esr
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue May 3 19:20:08 UTC 2016
#18545: Review Firefox Developer Docs and Undocumented bugs since FF38esr
--------------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: task | Status: new
Priority: Very High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Critical | Resolution:
Keywords: ff45-esr, TorBrowserTeam201605 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor: SponsorU
--------------------------------------------+--------------------------
Comment (by mcs):
Replying to [comment:21 gk]:
> Replying to [comment:20 brade]:
> > Kathy and I reviewed all of the release notes and developer docs for
Firefox 39-45. We have not yet looked at the complete bug lists
(comment:17).
>
> That's fine. I am halfway through and think having just one doing that
is okay.
>
> > Here are some things that might be worth another look (some of these
may have been looked at in more detail by gk already):
>
> Thanks for looking at it!
>
> > CacheStorage. It seems that this can be used by Web Workers and
regular JS code (not just by Service Workers).
> > https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage
>
> Do you have a bug indicating that? CacheStorage is part of the Service
Workers spec and that whole MDN page indicates that, too.
The API page includes "It provides a master directory of all the named
caches that a ServiceWorker, other type of worker or window scope can
access (you don't have to use it with service workers, even though that is
the spec that defines it) and maintains a mapping of string names to
corresponding Cache objects." Also, some of the top-level objects are
present in regular DOM windows. See:
https://lists.torproject.org/pipermail/tbb-dev/2016-May/000372.html
> > Server logging. This is kind of a strange feature: server applications
can return an X- HTTP header to cause items to be logged to the developer
console. Maybe it is only done when the console is open and the user is
monitoring network requests (I am not sure). Kathy and I do not like the
idea that this is enabled, but it may be harmless.
> > https://developer.mozilla.org/en-
US/docs/Tools/Web_Console/Console_messages#Server
>
> Hm. This is https://bugzilla.mozilla.org/show_bug.cgi?id=1168872. So
what if we put that feature behind a pref? Disabling it by default in Tor
Browser?
Kathy and I think adding a pref is a good idea, although we leave the
decision to you (we cannot prove that this will cause any security or
privacy issues).
> > window.screen.orientation. This is possibly a fingerprinting vector
unless it always returns "landscape-primary" on desktop Firefox (it may
still be an issue for Orfox). Or did we decide that applications can
derive this kind of info from the window size/aspect ratio anyway?
> > https://developer.mozilla.org/en-US/docs/Web/API/Screen/orientation
>
> #13025 did not solve this?
It looks like the new code does not go through the function that was
patched by the #13025 fix. I opened #18958 for this issue.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18545#comment:23>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list