[tor-commits] [tor-browser-spec/master] Add the FF52 pref audit, finally
gk at torproject.org
gk at torproject.org
Thu Jul 11 06:14:22 UTC 2019
commit f8c5fc38a4a020551fb90372b6ed01dc9d4de43b
Author: Georg Koppen <gk at torproject.org>
Date: Thu Jul 11 06:13:37 2019 +0000
Add the FF52 pref audit, finally
---
audits/FF52_audit | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/audits/FF52_audit b/audits/FF52_audit
new file mode 100644
index 0000000..9b52a62
--- /dev/null
+++ b/audits/FF52_audit
@@ -0,0 +1,33 @@
+dom.vr.openvr.enabled and gfx.vr.openvr-enabled for Web Virtual Reality features. (More: https://mozvr.com/ https://iswebvrready.org/) These features are only in Nightly right now fortunetly.
+
+media.webspeech.recognition.enabled - currently disabled I think. Required mic permission but seems like something that should be disabled at Medium or High on the slider
+
+media.recorder.audio_node.enabled - similar but *enabled* by default
+
+media.webspeech.synth.enabled - seemingly a second speech synthesis API, seems to be enabled by default but might be good to disable at High slider
+
+gfx.content.azure.backends is a list of libraries that can/will be used for graphics rendering under certain conditions. It seems like it might be something we'd want to alter at different security slider levels
+
+security.enterprise_roots.enabled - this pref is off by default (and no plans to enable it) but it automatically imports roots from the windows cert store
+
+gfx.font_rendering.graphite.enabled - a complex rendering library that was actually disabled in FF for some time due to security concerns. Probably should be disabled at Medium/High slider level
+
+webgl.disable-angle - disables the ANGLE library that is used by WebGL on Windows
+
+beacon.enabled - seems to be an analytics-type feature https://w3c.github.io/beacon/
+
+There's an orientation API that I believe is disabled by device.sensors but this seems worth confirming/making a test case... https://www.w3.org/TR/orientation-event/
+
+(Too many to list, go to about:config and search for media.*.enabled) - Some of these disable media libraries, other disable media features
+
+pointer-lock-api.prefixed.enabled - a feature that provides raw mouse input, appears to be disabled by default
+
+The ScreenOrientation API may not have a pref... https://developer.mozilla.org/en-US/docs/Web/API/Screen/orientation
+
+There is support for SVG favicons, I'm unsure if our disabling SVG disables these also...
+
+dom.vibrator.enabled - The Vibration API seems like something that might enable fingerprinting...
+
+dom.animations-api.core.enabled - Web Animations API, currently disabled in release https://birtles.github.io/areweanimatedyet/ Worth disabling at Medium Slider level for sure!
+
+gfx.downloadable_fonts.woff2.enabled - disable WOFF2 fonts, definetly worth at High or even Medium slider level
More information about the tor-commits
mailing list