[tor-bugs] #27627 [Applications/Tor Browser]: Prevent sending screen size to server via CSS when JavaScript is disabled
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Sep 11 00:18:09 UTC 2018
#27627: Prevent sending screen size to server via CSS when JavaScript is disabled
------------------------------------------+----------------------
Reporter: Keritano | Owner: tbb-team
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------------------+----------------------
https://arthuredelstein.github.io/tordemos/media-query-fingerprint.html
demonstrates that you can include a picture via CSS in dependence of the
screen size, thus communicating it to the server. To make it possible to
resize the window without danger of fingerprinting when JavaScript is
disabled, the Tor Browser should do one of this things when the security
slider is on "safest" (or "safer" for non-HTTPS pages):
-Pretend that the screen has the standard resolution.
-Don't load any media that is dependent on the screen size.
-Preload all media that is dependent on the screen size. (This doesn't
seem to be done right now, since the wait time for resizing is the same as
for loading the page, and the site does not load very much slower than in
the regular browser.)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27627>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list