[tor-commits] [Git][tpo/applications/tor-browser][tor-browser-128.2.0esr-14.0-1] 3 commits: fixup! Bug 42472: Spoof timezone in XSLT.
morgan (@morgan)
git at gitlab.torproject.org
Tue Aug 27 20:52:19 UTC 2024
morgan pushed to branch tor-browser-128.2.0esr-14.0-1 at The Tor Project / Applications / Tor Browser
Commits:
600fa3e4 by Pier Angelo Vendrame at 2024-08-27T09:53:22+02:00
fixup! Bug 42472: Spoof timezone in XSLT.
Revert "Bug 42472: Spoof timezone in XSLT."
This reverts commit 7bdf1f4f6cd90346da288435564ca67d1b0e58e5.
- - - - -
fb25351a by Fatih at 2024-08-27T09:53:53+02:00
Bug 1891690: Return GMT when RFPTarget::JSDateTimeUTC is enabled. r=timhuang
Differential Revision: https://phabricator.services.mozilla.com/D216411
- - - - -
365873be by Fatih at 2024-08-27T09:54:19+02:00
Bug 1912129: Reduce time precision for EXSLT date time function. r=timhuang
Differential Revision: https://phabricator.services.mozilla.com/D218783
- - - - -
4 changed files:
- browser/components/resistfingerprinting/test/browser/browser.toml
- + browser/components/resistfingerprinting/test/browser/browser_exslt_time_precision.js
- + browser/components/resistfingerprinting/test/browser/browser_exslt_timezone_load.js
- dom/xslt/xslt/txEXSLTFunctions.cpp
Changes:
=====================================
browser/components/resistfingerprinting/test/browser/browser.toml
=====================================
@@ -196,3 +196,7 @@ lineno = "172"
["browser_timezone.js"]
lineno = "176"
+
+["browser_exslt_timezone_load.js"]
+
+["browser_exslt_time_precision.js"]
=====================================
browser/components/resistfingerprinting/test/browser/browser_exslt_time_precision.js
=====================================
@@ -0,0 +1,71 @@
+/**
+ * Bug 1912129 - A test case for verifying EXSLT date will report second-precise
+ * time fingerprinting resistance is enabled.
+ */
+
+function getTime(tab) {
+ const extractTime = function () {
+ const xslText = `
+ <xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:date="http://exslt.org/dates-and-times"
+ extension-element-prefixes="date">
+ <xsl:output method="text" />
+ <xsl:template match="/">
+ <xsl:value-of select="date:date-time()" />
+ </xsl:template>
+ </xsl:stylesheet>`;
+
+ const parser = new DOMParser();
+ const xsltProcessor = new XSLTProcessor();
+ const xslStylesheet = parser.parseFromString(xslText, "application/xml");
+ xsltProcessor.importStylesheet(xslStylesheet);
+ const xmlDoc = parser.parseFromString("<test />", "application/xml");
+ const styledDoc = xsltProcessor.transformToDocument(xmlDoc);
+ const time = styledDoc.firstChild.textContent;
+
+ return time;
+ };
+
+ const extractTimeExpr = `(${extractTime.toString()})();`;
+
+ return SpecialPowers.spawn(
+ tab.linkedBrowser,
+ [extractTimeExpr],
+ async funccode => content.eval(funccode)
+ );
+}
+
+add_task(async function test_new_window() {
+ await SpecialPowers.pushPrefEnv({
+ set: [
+ ["privacy.fingerprintingProtection", true],
+ ["privacy.fingerprintingProtection.overrides", "+ReduceTimerPrecision"],
+ ],
+ });
+
+ // Open a tab for extracting the time from XSLT.
+ const tab = await BrowserTestUtils.openNewForegroundTab({
+ gBrowser,
+ opening: TEST_PATH + "file_dummy.html",
+ forceNewProcess: true,
+ });
+
+ for (let i = 0; i < 10; i++) {
+ // eslint-disable-next-line mozilla/no-arbitrary-setTimeout
+ await new Promise(res => setTimeout(res, 25));
+
+ // The regex could be a lot shorter (e.g. /\.(\d{3})/) but I wrote the whole
+ // thing to make sure the time is in the expected format and to allow us
+ // to re-use this regex in the future if we need to.
+ // Note: Date format is not locale dependent.
+ const regex = /\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.(\d{3})[-+]\d{2}:\d{2}/;
+ const time = await getTime(tab);
+ const [, milliseconds] = time.match(regex);
+
+ is(milliseconds, "000", "Date's precision was reduced to seconds.");
+ }
+
+ BrowserTestUtils.removeTab(tab);
+ await SpecialPowers.popPrefEnv();
+});
=====================================
browser/components/resistfingerprinting/test/browser/browser_exslt_timezone_load.js
=====================================
@@ -0,0 +1,62 @@
+/**
+ * Bug 1891690 - A test case for verifying EXSLT date will use Atlantic/Reykjavik
+ * timezone (GMT and "real" equivalent to UTC) after fingerprinting
+ * resistance is enabled.
+ */
+
+function getTimeZone(tab) {
+ const extractTime = function () {
+ const xslText = `
+ <xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:date="http://exslt.org/dates-and-times"
+ extension-element-prefixes="date">
+ <xsl:output method="text" />
+ <xsl:template match="/">
+ <xsl:value-of select="date:date-time()" />
+ </xsl:template>
+ </xsl:stylesheet>`;
+
+ const parser = new DOMParser();
+ const xsltProcessor = new XSLTProcessor();
+ const xslStylesheet = parser.parseFromString(xslText, "application/xml");
+ xsltProcessor.importStylesheet(xslStylesheet);
+ const xmlDoc = parser.parseFromString("<test />", "application/xml");
+ const styledDoc = xsltProcessor.transformToDocument(xmlDoc);
+ const time = styledDoc.firstChild.textContent;
+
+ return time;
+ };
+
+ const extractTimeExpr = `(${extractTime.toString()})();`;
+
+ return SpecialPowers.spawn(
+ tab.linkedBrowser,
+ [extractTimeExpr],
+ async funccode => content.eval(funccode)
+ );
+}
+
+add_task(async function test_new_window() {
+ await SpecialPowers.pushPrefEnv({
+ set: [
+ ["privacy.fingerprintingProtection", true],
+ ["privacy.fingerprintingProtection.overrides", "+JSDateTimeUTC"],
+ ],
+ });
+
+ // Open a tab for extracting the time zone from XSLT.
+ const tab = await BrowserTestUtils.openNewForegroundTab({
+ gBrowser,
+ opening: TEST_PATH + "file_dummy.html",
+ forceNewProcess: true,
+ });
+
+ SpecialPowers.Cu.getJSTestingFunctions().setTimeZone("America/Toronto");
+ const timeZone = await getTimeZone(tab);
+
+ ok(timeZone.endsWith("+00:00"), "Timezone was spoofed.");
+
+ BrowserTestUtils.removeTab(tab);
+ await SpecialPowers.popPrefEnv();
+});
=====================================
dom/xslt/xslt/txEXSLTFunctions.cpp
=====================================
@@ -590,14 +590,22 @@ nsresult txEXSLTFunctionCall::evaluate(txIEvalContext* aContext,
// http://exslt.org/date/functions/date-time/
PRExplodedTime prtime;
- PR_ExplodeTime(PR_Now(),
- nsContentUtils::ShouldResistFingerprinting(
- "We are not allowed to access the document at this "
- "stage (we are given a txEarlyEvalContext context).",
- RFPTarget::JSDateTimeUTC)
- ? PR_GMTParameters
- : PR_LocalTimeParameters,
- &prtime);
+ Document* sourceDoc = getSourceDocument(aContext);
+ NS_ENSURE_STATE(sourceDoc);
+
+ PRTimeParamFn timezone =
+ sourceDoc->ShouldResistFingerprinting(RFPTarget::JSDateTimeUTC)
+ ? PR_GMTParameters
+ : PR_LocalTimeParameters;
+
+ PRTime time =
+ sourceDoc->ShouldResistFingerprinting(RFPTarget::ReduceTimerPrecision)
+ ? (PRTime)nsRFPService::ReduceTimePrecisionAsSecs(
+ (double)PR_Now() / PR_USEC_PER_SEC, 0,
+ RTPCallerType::ResistFingerprinting) *
+ PR_USEC_PER_SEC
+ : PR_Now();
+ PR_ExplodeTime(time, timezone, &prtime);
int32_t offset =
(prtime.tm_params.tp_gmt_offset + prtime.tm_params.tp_dst_offset) /
@@ -641,7 +649,7 @@ Expr::ResultType txEXSLTFunctionCall::getReturnType() {
bool txEXSLTFunctionCall::isSensitiveTo(ContextSensitivity aContext) {
if (mType == txEXSLTType::NODE_SET || mType == txEXSLTType::SPLIT ||
- mType == txEXSLTType::TOKENIZE) {
+ mType == txEXSLTType::TOKENIZE || mType == txEXSLTType::DATE_TIME) {
return (aContext & PRIVATE_CONTEXT) || argsSensitiveTo(aContext);
}
return argsSensitiveTo(aContext);
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/62536693eca89ae1f75d8e5c96dbf198debd94a0...365873bec512b30095e303a3d27b97369445295f
--
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/62536693eca89ae1f75d8e5c96dbf198debd94a0...365873bec512b30095e303a3d27b97369445295f
You're receiving this email because of your account on gitlab.torproject.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-commits/attachments/20240827/c1f87641/attachment-0001.htm>
More information about the tor-commits
mailing list