[tor-bugs] #33534 [Applications/Tor Browser]: Review FF release notes from FF69 to latest (FF73)

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Mar 24 01:49:29 UTC 2020


#33534: Review FF release notes from FF69 to latest (FF73)
--------------------------------------+--------------------------------
 Reporter:  pospeselr                 |          Owner:  pospeselr
     Type:  defect                    |         Status:  assigned
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:  12
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:  Sponsor58-must
--------------------------------------+--------------------------------
Changes (by pospeselr):

 * actualpoints:   => 12


Comment:

 {{{
 Release notes:

 69:
     Enhanced Tracking Protection
         - I believe we want to turn this off
     Web Authentication HmacSecret extension via Windows Hello (for Windows
 10 versions > May 2019)
         - suspect this feature violates our disk avoidance requirements
     32-bit Firefox on 64-bit OS users no longer differentiable from 64-bit
 Firefox on 64-bit OS
         - navigator.userAgent, navigator.platform, navigator.oscpu props
         - https://bugzilla.mozilla.org/show_bug.cgi?id=1559747
     userChrome.css and userContent.css no longer enabled by default
         - sure users will probably complain about this but seems like a
 good thing
         - toolkit.legacyUserProfileCustomizations.stylesheets -> true to
 re-enable

     69.0.1:
     69.0.2:
     69.0.3:
         Seems like Firefox hooks into Windows Parental Controls (though
 they are removed in newer versions of Windows 10?)
             - I would think our build should stub out parental controls
 and logging if we don't do this already
             - https://bugzilla.mozilla.org/show_bug.cgi?id=1584613
             - also has implementation for Android and macOS
 70:
     Firefox Lockwise (about:logins)
         - violates disk avoidance
     'Gift' icon in toolbar that spams users with feature updates/news
     70.0.1:
 71:
     Picture-in-Picture video
         - this feature is pretty awesome, but we should make sure it
 doesn't expose fingerprinting surface
         - can be toggled off with
 media.videocontrols.picture-in-picture.enabled
 72:
     72.0.1:
     72.0.2:
 73:
     Enhancement to Windows' High Contrast Mode, web renderer now adds
 'readability backplate' of solid color between background and text
         - possible fingerprinting vector?
     73.0.1:
 74:


 Developer release notes

 69:
     Lithuanian specific case rules (also exists for Greek, Dutch, others),
 locale fingerprinting
         - https://bugzilla.mozilla.org/show_bug.cgi?id=1322992
     add-on api topsites.get() certainly seems sketchy af:
 https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/topSites/get
         - updated to add includePinned and includeSearchShortcuts options
 70:

 71:

 72:

 73:

 74:
     TextMetrics interface updated, canvas fingerprinting?
         - https://bugzilla.mozilla.org/show_bug.cgi?id=1102584
 75:

 Noteworthy Tickets:

 69:
     1584613 - Parental control detection doesn't work on Windows 10
         - make sure parental access checks are always disabled
     1559747 - User-Agent string needn't reveal a user is running 32-bit
 Firefox on a 64-bit OS
         - make sure this is also true for Tor Browser if it isn't already
     1561307 - Add pref to enable/disable the What's New Panel feature
         - make sure this panel is disabled
 70:
     1570732 - Disable DoH if parental controls detected
         - followup on 1584613 to ensure we don't have parental controls in
 Tor Browser
     1561273 - network ID: ipv4NetworkId/scanArp returns gateway IP instead
 of its MAC
         - certainly seems like we shouldn't have runnable code that can
 read the user's IP or MAC
     1563319 - Enable the What's New UI when pref is enabled
         - make sure this is disabled
     1572389 - Add pref to show normal lock icon for sites with EV
 (Extended Validation) certificates
         - so looks like we can bring back full EV names if we so wish
     1576246 - Set pref browser.urlbar.eventTelemetry.enabled by default
         - make sure this is disabled
     1567826 - Don't mark localhost as insecure
         - this should be fine but the patch does touch the url icon logic
     1572936 - Move EV cert UI out of URL Bar
         - security.identityblock.show_extended_validation pref for showing
 EV in url bar, we may want to enable this for onionsites?
 71:
     1539212 - implement readability backplate for high contrast mode
         - probably fingerprinting vector for folks with high contrast mode
 enabled as it adds a new rendering layer
     1585920 - network ID: fix VPN detection on Linux for non ethernet
 devices
         - seems like we would never want to calculate a fingerprintable
 'Network ID' in tor-browser, though I'm not sure what this is or what it
 does ( about:networking#networkid )
     1565004 - TRR: Check for VPN on Windows to use platform DNS
         - make sure there's no leakage here
 72:
 73:
     1604761 - Firefox doesn't apply gnome "Large Text" accessibility
 setting to web content
         - we probably don't want this fix if it can be used for
 fingerprinting?
     1602194 - Use a site's icon as the window icon on Windows
         - We probably don't want to do this, esp if we do the work to hide
 the tab title from the window manager
     1604932 - Implement a Top Sites provider
         - seems like it offers site suggestions or tracks your browsing or
 something
     1602187 - Cache site icons for use when the site is not loaded.
         - we need to make sure we're not doing this/that this does not
 occur for in private tabs
 74:

 75:
     1532486 - Ensure media cache is memory-only when in Private Browsing
 Mode
         - we need to enable browser.privatebrowsing.forceMediaMemoryCache
 pref
     1614769 - Cache shaders to disk even if they are compiled after the
 10th frame
         - make sure these don't get cached when in private browsing mode
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33534#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

