[tor-bugs] #22074 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF52esr
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jun 8 20:14:48 UTC 2018
#22074: Review Firefox Developer Docs and Undocumented bugs since FF52esr
--------------------------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: task | Status: new
Priority: Very High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ff60-esr, TorBrowserTeam201806 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------------+--------------------------
Comment (by mcs):
Here are the items that Kathy and I found so far that we do not think are
covered by other open tickets:
https://bugzilla.mozilla.org/show_bug.cgi?id=1344669.
Support for the `dom.enable_user_timing` pref, which we set to `false`,
has been removed. We may need to restore support for this pref.
https://bugzilla.mozilla.org/show_bug.cgi?id=1251161
https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_Masking
Support for CSS masks was added and may represent a fingerprinting risk
(e.g., if behavior is different for different platforms or GPUs).
https://bugzilla.mozilla.org/show_bug.cgi?id=1287983
https://bugzilla.mozilla.org/show_bug.cgi?id=1264125
https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_Transitions
Support for CSS Transition events was added (transitionstart,
transitionrun, and transitioncancel). This may pose risks similar to CSS
animations; see #18273.
https://bugzilla.mozilla.org/show_bug.cgi?id=1250077
https://developer.mozilla.org/en-
US/docs/Web/API/WEBGL_compressed_texture_astc
https://bugzilla.mozilla.org/show_bug.cgi?id=1325113
https://developer.mozilla.org/en-
US/docs/Web/API/WEBGL_compressed_texture_s3tc_srgb
Support for these WebGL extensions was added. We should verify that both
are disabled by our setting `webgl.disable-extensions` to `false`.
https://bugzilla.mozilla.org/show_bug.cgi?id=1239100
https://developer.mozilla.org/en-US/docs/Web/API/SVGGeometryElement
The SVGGeometryElement interface has been partially implemented. We should
verify that it does not add a fingerprinting risk due to methods such as
SVGGeometryElement.getPointAtLength() which locates a point part way along
an arbitrary path.
https://developer.mozilla.org/en-US/docs/Web/CSS/clip-path
https://bugzilla.mozilla.org/show_bug.cgi?id=1247229
Support for CSS clip-path on shapes was added. We should verify that this
does not have any associated fingerprinting risks. There was a pref to
disable this feature, but support for the pref was removed during the
ESR60 development cycle.
https://bugzilla.mozilla.org/show_bug.cgi?id=1340655
As we know, support for HTTP 1.x pipelining was removed. We should remove
the related prefs from browser/app/profile/000-tor-browser.js
https://bugzilla.mozilla.org/show_bug.cgi?id=1399036
The date and time <input> types are now enabled. We should verify that
this does not leak the user's locale, e.g., if the input field dimensions
are different in different locales. There is a `dom.forms.datetime` pref
that may be used to remove support for these <input> types.
https://bugzilla.mozilla.org/show_bug.cgi?id=1314959
https://developer.mozilla.org/en-US/docs/Web/API/Background_Tasks_API
window.requestIdleCallback() is now available. We should determine whether
it may be used to learn too much about the performance of the user's
computer/device, or if there are other timing leaks we want to avoid. This
can be disabled by setting `dom.requestIdleCallback.enabled` to `false`.
https://bugzilla.mozilla.org/show_bug.cgi?id=1321865
https://developer.mozilla.org/en-US/docs/Web/API/Intersection_Observer_API
Support the Intersection Observer API was added. It "provides a way to
asynchronously observe changes in the intersection of a target element
with an ancestor element or with a top-level document's viewport." and may
add linkability or fingerprinting risks.
https://bugzilla.mozilla.org/show_bug.cgi?id=1151421
The window.pageYOffset/pageXOffset/scrollX/scrollY properties now return
data withe subpixel accuracy. We think this means "half pixels on a macOS
Retina or other high resolution display." Does this pose any
fingerprinting risks? We may already round these when
`privacy.resistFingerprinting` is `true`.
https://bugzilla.mozilla.org/show_bug.cgi?id=1364297
A name property was added to Worker() and SharedWorker(). We don't think
this adds any new linkability risks though since workers can already
communicate via messages.
https://bugzilla.mozilla.org/show_bug.cgi?id=1222633
https://developer.mozilla.org/en-US/docs/Web/HTML/Preloading_content
Support for <link rel="preload"> was added in Firefox 56 but it was
disabled in Firefox 57 "because of various web compatibility issues." We
should verify that this is still disabled or ensure that it is subject to
first-party isolation.
https://bugzilla.mozilla.org/show_bug.cgi?id=1379938
Support was added for some new system color values (`-moz-win-accentcolor`
and `-moz-win-accentcolortext`) as well as a `-moz-windows-accent-color-
in-titlebar` media query. It looks like the colors are correctly spoofed
when `ui.use_standins_for_native_colors` = `true` but the media query may
add a fingerprinting risk.
https://bugzilla.mozilla.org/show_bug.cgi?id=1386974
Hardware-based encoding for media is now enabled by default on Android. We
are not sure if this is a problem or not.
https://bugzilla.mozilla.org/show_bug.cgi?id=1403318
https://developer.mozilla.org/en-
US/docs/Web/JavaScript/Reference/Global_Objects/PluralRules
https://bugzilla.mozilla.org/show_bug.cgi?id=1403319
https://developer.mozilla.org/en-
US/docs/Web/JavaScript/Reference/Global_Objects/NumberFormat/formatToParts
https://bugzilla.mozilla.org/show_bug.cgi?id=1386146
https://developer.mozilla.org/en-
US/docs/Web/JavaScript/Reference/Global_Objects/DateTimeFormat
Various international APIs and enhancements to existing APIs were added.
We should review them to make sure locale info, etc. is not leaked when
`privacy.resistFingerprinting` is `true`.
https://bugzilla.mozilla.org/show_bug.cgi?id=1393691
Firefox now implements a TLS handshake timeout with a default value of 30
seconds. Previously, it was a lot longer (maybe the same as the system TCP
connect timeout, which is typically on the order of 10 minutes). We should
decide whether we need a longer timeout for Tor-based browsing, e.g., 2 or
3 minutes.
https://bugzilla.mozilla.org/show_bug.cgi?id=577084
As of Firefox 59, Apple's HTTPS Live Streaming (HLS) protocol is supported
on Android for both audio and video. We should audit this or at least look
at how it is implemented. Mozilla says: "There is not currently any plan
to implement it on Firefox Desktop."
https://bugzilla.mozilla.org/show_bug.cgi?id=1432542
The Web Authentication API has been enabled. We should audit it or at
least understand it better, or we should disable it by setting
`security.webauth.webauthn` = `false`.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22074#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list