[tor-bugs] #19048 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF45esr

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Mar 8 16:00:39 UTC 2017


#19048: Review Firefox Developer Docs and Undocumented bugs since FF45esr
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-team
     Type:  task                                 |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-must,              |  Actual Points:
  TorBrowserTeam201703, GeorgKoppen201703        |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:  Sponsor4
-------------------------------------------------+-------------------------

Comment (by gk):

 Replying to [comment:11 mcs]:
 > Here are some things Kathy and I found while reviewing Firefox 48
 > changes (we will need to file separate tickets for some of these, but as a
 > first pass I am posting our notes in this ticket):
 >
 > a) We should probably make sure screen sharing is disabled. Maybe this
 > is covered by our removal of WebRTC, but we could also set these pref
 > values to be sure:
 >  media.getusermedia.screensharing.enabled = false
 >  media.getusermedia.screensharing.allowed_domains = ""

 That seems to be nothing new or did something related to those prefs
 change between ESR 45 and ESR 52?

 > b) Some safe browsing prefs have been renamed and other functionality
 > has been added. We should disable all of it via the following pref values:
 >  browser.safebrowsing.downloads.enabled = false
 >  browser.safebrowsing.downloads.remote.enabled = false
 >  browser.safebrowsing.malware.enabled = false
 >  browser.safebrowsing.phishing.enabled = false
 >  browser.safebrowsing.blockedURIs.enabled = false

 This is #21683.

 > c) We should return a constant value for
 > window.navigator.hardwareConcurrency.
 >  https://developer.mozilla.org/en-US/docs/Web/API/NavigatorConcurrentHardware/hardwareConcurrency

 This is #21675. Note the related one, #18559.

 > d) From a fingerprinting perspective, the following bug is a little
 > scary (consult Firefox prefs from CSS) but use seems to be limited to
 > internal style sheets:
 >  https://bugzilla.mozilla.org/show_bug.cgi?id=1259889

 Yes. Looking over it, it seems to be okay having even a test showing this
 is a non-issue for non-priv contexts.

 > e) Mozilla sites can check whether an add-on is installed and retrieve
 > some metadata. Do we want to disable this?
 >  https://bugzilla.mozilla.org/show_bug.cgi?id=1245571

 Yes. This is bug #21684.

 > f) APIs to allow access to some internal Firefox services from remote
 > New Tab pages (hosted on mozilla.org servers) have been added. We should
 > figure out how to disable them.
 >  PreviewProvider Messaging API
 >   https://bugzilla.mozilla.org/show_bug.cgi?id=1239119
 >  NewTabPrefsProvider Messaging API
 >   https://bugzilla.mozilla.org/show_bug.cgi?id=1239118
 >  PlacesProvider Messaging API
 >   https://bugzilla.mozilla.org/show_bug.cgi?id=1239116

 This is #21685.

 > g) We may want to skip importing a certificate on Windows to support
 > Microsoft Family Safety by setting:
 >  security.family_safety.mode = 0
 >  https://bugzilla.mozilla.org/show_bug.cgi?id=1239166

 Yes, in #21686.

 > h) We may want to document for our Linux users that add-ons installed in
 > the following directory do not have to be signed by Mozilla:
 >   /usr/{lib,share}/mozilla/extensions

 Maybe, although I still think we should not propagate things that deviate
 from the Tor Browser as we ship it.

 > i) If we enable e10s/multiprocess mode, we should document for our users
 > that it will be disabled if accessibility tools are used.
 >  https://bugzilla.mozilla.org/show_bug.cgi?id=1260190

 There are a bunch more conditions where this holds. I made a note in
 #21432.

 Other items I have:

 j) prefetch in the network predictor is implemented
 (https://bugzilla.mozilla.org/show_bug.cgi?id=1016628). I opened #21687.

 k) There is a search service update feature available we ignored up to now
 (I stumbled over it while reading
 https://bugzilla.mozilla.org/show_bug.cgi?id=1259510). We should
 investigate whether that is an issue for us. This is done in #21688.

 l) `Element.animate()` got shipped
 (https://bugzilla.mozilla.org/show_bug.cgi?id=1245000); that part of the
 Animations API seems to be available right now. I moved #16337 for that
 back onto our ESR 52 radar.

 m) Fetch RequestCache got implemented
 (https://bugzilla.mozilla.org/show_bug.cgi?id=1120715). Not sure if that
 is a thing we should care about. But if so, it has to respect our design
 guidelines. This is #21689.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19048#comment:21>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

