[tor-bugs] #10286 [Applications/Tor Browser]: Touch events leak absolute screen coordinates

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Apr 25 21:57:53 UTC 2017


#10286: Touch events leak absolute screen coordinates
-------------------------------------------------+-------------------------
 Reporter:  mikeperry                            |          Owner:
                                                 |  arthuredelstein
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-fingerprinting-resolution,       |  Actual Points:
  ff52-esr, tbb-testcase, tbb-firefox-patch,     |
  TorBrowserTeam201704R, tbb-7.0-must-alpha      |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor4
-------------------------------------------------+-------------------------
Changes (by arthuredelstein):

 * status:  needs_information => needs_review


Comment:

 Replying to [comment:23 gk]:
 > Replying to [comment:22 arthuredelstein]:
 > > Here's a branch for review. There are two patches:
 > > https://github.com/arthuredelstein/tor-browser/commits/10286
 >
 > Could you give some motivation for this patch in light of comment:18 you
 > raised? So, it is fine for you now to leave it in "autodetect" mode? What
 > made you change your mind and why should we not set it to "0" for now,
 > avoiding partitioning along touch API available/not available?

 Sorry about that -- this was an oversight. I had meant to set the pref to
 "1" to prevent autodetection without having to disable the Touch API
 altogether. My thinking is that:
 * In the case of a tablet or phone, the platform (Android) is already
 detectable.
 * In the case of a laptop with a touch screen or similar, only if the
 user decides to use the device is the presence of the hardware detectable.
 Otherwise no TouchEvents occur. So it's perhaps not a very reliable
 distinguisher.

 So here's the new version including a patch for the pref:
 https://github.com/arthuredelstein/tor-browser/commits/10286+1

 If we decide we want to disable the Touch API completely instead, then of
 course the spoofing and test patches are potentially redundant for Tor
 Browser.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10286#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

