
Re: [tor-bugs] #22074 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF52esr



#22074: Review Firefox Developer Docs and Undocumented bugs since FF52esr
--------------------------------------------+--------------------------
 Reporter:  gk                              |          Owner:  tbb-team
     Type:  task                            |         Status:  new
 Priority:  Very High                       |      Milestone:
Component:  Applications/Tor Browser        |        Version:
 Severity:  Normal                          |     Resolution:
 Keywords:  ff60-esr, TorBrowserTeam201806  |  Actual Points:
Parent ID:                                  |         Points:
 Reviewer:                                  |        Sponsor:
--------------------------------------------+--------------------------

Comment (by mcs):

 Here are the items that Kathy and I found so far that we do not think are
 covered by other open tickets:

 https://bugzilla.mozilla.org/show_bug.cgi?id=1344669
 Support for the `dom.enable_user_timing` pref, which we set to `false`,
 has been removed. We may need to restore support for this pref.

 https://bugzilla.mozilla.org/show_bug.cgi?id=1251161
 https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_Masking
 Support for CSS masks was added and may represent a fingerprinting risk
 (e.g., if behavior is different for different platforms or GPUs).

 https://bugzilla.mozilla.org/show_bug.cgi?id=1287983
 https://bugzilla.mozilla.org/show_bug.cgi?id=1264125
 https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_Transitions
 Support for CSS Transition events was added (transitionstart,
 transitionrun, and transitioncancel). This may pose risks similar to CSS
 animations; see #18273.

 https://bugzilla.mozilla.org/show_bug.cgi?id=1250077
 https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_compressed_texture_astc
 https://bugzilla.mozilla.org/show_bug.cgi?id=1325113
 https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_compressed_texture_s3tc_srgb
 Support for these WebGL extensions was added. We should verify that both
 are disabled by our setting `webgl.disable-extensions` to `false`.

 https://bugzilla.mozilla.org/show_bug.cgi?id=1239100
 https://developer.mozilla.org/en-US/docs/Web/API/SVGGeometryElement
 The SVGGeometryElement interface has been partially implemented. We should
 verify that it does not add a fingerprinting risk due to methods such as
 SVGGeometryElement.getPointAtLength() which locates a point part way along
 an arbitrary path.

 https://developer.mozilla.org/en-US/docs/Web/CSS/clip-path
 https://bugzilla.mozilla.org/show_bug.cgi?id=1247229
 Support for CSS clip-path on shapes was added. We should verify that this
 does not have any associated fingerprinting risks. There was a pref to
 disable this feature, but support for the pref was removed during the
 ESR60 development cycle.

 https://bugzilla.mozilla.org/show_bug.cgi?id=1340655
 As we know, support for HTTP 1.x pipelining was removed. We should remove
 the related prefs from browser/app/profile/000-tor-browser.js

 https://bugzilla.mozilla.org/show_bug.cgi?id=1399036
 The date and time <input> types are now enabled. We should verify that
 this does not leak the user's locale, e.g., if the input field dimensions
 are different in different locales. There is a `dom.forms.datetime` pref
 that may be used to remove support for these <input> types.

 https://bugzilla.mozilla.org/show_bug.cgi?id=1314959
 https://developer.mozilla.org/en-US/docs/Web/API/Background_Tasks_API
 window.requestIdleCallback() is now available. We should determine whether
 it may be used to learn too much about the performance of the user's
 computer/device, or if there are other timing leaks we want to avoid. This
 can be disabled by setting `dom.requestIdleCallback.enabled` to `false`.

 https://bugzilla.mozilla.org/show_bug.cgi?id=1321865
 https://developer.mozilla.org/en-US/docs/Web/API/Intersection_Observer_API
 Support for the Intersection Observer API was added. It "provides a way to
 asynchronously observe changes in the intersection of a target element
 with an ancestor element or with a top-level document's viewport." and may
 add linkability or fingerprinting risks.

 https://bugzilla.mozilla.org/show_bug.cgi?id=1151421
 The window.pageYOffset/pageXOffset/scrollX/scrollY properties now return
 data with subpixel accuracy. We think this means "half pixels on a macOS
 Retina or other high resolution display." Does this pose any
 fingerprinting risks? We may already round these when
 `privacy.resistFingerprinting` is `true`.

 https://bugzilla.mozilla.org/show_bug.cgi?id=1364297
 A name property was added to Worker() and SharedWorker(). We don't think
 this adds any new linkability risks though since workers can already
 communicate via messages.

 https://bugzilla.mozilla.org/show_bug.cgi?id=1222633
 https://developer.mozilla.org/en-US/docs/Web/HTML/Preloading_content
 Support for <link rel="preload"> was added in Firefox 56 but it was
 disabled in Firefox 57 "because of various web compatibility issues." We
 should verify that this is still disabled or ensure that it is subject to
 first-party isolation.

 https://bugzilla.mozilla.org/show_bug.cgi?id=1379938
 Support was added for some new system color values (`-moz-win-accentcolor`
 and `-moz-win-accentcolortext`) as well as a
 `-moz-windows-accent-color-in-titlebar` media query. It looks like the
 colors are correctly spoofed
 when `ui.use_standins_for_native_colors` = `true` but the media query may
 add a fingerprinting risk.

 https://bugzilla.mozilla.org/show_bug.cgi?id=1386974
 Hardware-based encoding for media is now enabled by default on Android. We
 are not sure if this is a problem or not.

 https://bugzilla.mozilla.org/show_bug.cgi?id=1403318
 https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/PluralRules
 https://bugzilla.mozilla.org/show_bug.cgi?id=1403319
 https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/NumberFormat/formatToParts
 https://bugzilla.mozilla.org/show_bug.cgi?id=1386146
 https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/DateTimeFormat
 Various international APIs and enhancements to existing APIs were added.
 We should review them to make sure locale info, etc. is not leaked when
 `privacy.resistFingerprinting` is `true`.

 https://bugzilla.mozilla.org/show_bug.cgi?id=1393691
 Firefox now implements a TLS handshake timeout with a default value of 30
 seconds. Previously, it was a lot longer (maybe the same as the system TCP
 connect timeout, which is typically on the order of 10 minutes). We should
 decide whether we need a longer timeout for Tor-based browsing, e.g., 2 or
 3 minutes.

 https://bugzilla.mozilla.org/show_bug.cgi?id=577084
 As of Firefox 59, Apple's HTTPS Live Streaming (HLS) protocol is supported
 on Android for both audio and video. We should audit this or at least look
 at how it is implemented. Mozilla says: "There is not currently any plan
 to implement it on Firefox Desktop."

 https://bugzilla.mozilla.org/show_bug.cgi?id=1432542
 The Web Authentication API has been enabled. We should audit it or at
 least understand it better, or we should disable it by setting
 `security.webauth.webauthn` = `false`.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22074#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
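
An added example, not part of the ticket comment or of Tor Browser's code: a runtime probe for several of the features listed in the comment, useful because its first item shows that a pref can stay set after support for it has been removed. The function names, the `win` parameter and the selection of checks are assumptions made for illustration.

```javascript
// Added example. WATCHED_GL_EXTENSIONS and the checks chosen are assumptions
// drawn from the items in the comment above; `win` is a window-like object.
const WATCHED_GL_EXTENSIONS = [
  'WEBGL_compressed_texture_astc',
  'WEBGL_compressed_texture_s3tc_srgb',
];

const isFn = (v) => typeof v === 'function';

// Return the watched WebGL extensions that a fresh context actually offers.
function exposedGlExtensions(win) {
  const canvas = win.document ? win.document.createElement('canvas') : null;
  const gl = canvas && isFn(canvas.getContext) ? canvas.getContext('webgl') : null;
  // getSupportedExtensions() returns null when the context is lost.
  const supported = (gl && gl.getSupportedExtensions()) || [];
  return WATCHED_GL_EXTENSIONS.filter((name) => supported.includes(name));
}

// Report what page script can reach, independent of what the prefs file says.
function probeExposure(win) {
  const perf = win.performance;
  const offsets = [win.scrollX, win.scrollY, win.pageXOffset, win.pageYOffset];
  return {
    userTiming: !!perf && isFn(perf.mark) && isFn(perf.measure),
    requestIdleCallback: isFn(win.requestIdleCallback),
    intersectionObserver: isFn(win.IntersectionObserver),
    webAuthn: isFn(win.PublicKeyCredential),
    glExtensions: exposedGlExtensions(win),
    // Only meaningful after the page has been scrolled on a high-DPI display.
    subpixelScroll: offsets.some((v) => typeof v === 'number' && !Number.isInteger(v)),
  };
}

// List the features that are reachable although the build expects them off.
function unexpectedExposure(report, expectedOff) {
  return expectedOff.filter((key) =>
    Array.isArray(report[key]) ? report[key].length > 0 : report[key] === true);
}

// In a browser console this prints the report; under Node it is skipped.
if (typeof window !== 'undefined') {
  console.log(probeExposure(window));
}
```

Running `unexpectedExposure(probeExposure(window), [...])` in a test page on each platform build gives a regression check that does not depend on a pref still being honoured.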