[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #19048 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF45esr



#19048: Review Firefox Developer Docs and Undocumented bugs since FF45esr
--------------------------------------------+--------------------------
 Reporter:  gk                              |          Owner:  tbb-team
     Type:  task                            |         Status:  new
 Priority:  Medium                          |      Milestone:
Component:  Applications/Tor Browser        |        Version:
 Severity:  Normal                          |     Resolution:
 Keywords:  ff52-esr, TorBrowserTeam201702  |  Actual Points:
Parent ID:                                  |         Points:
 Reviewer:                                  |        Sponsor:  Sponsor4
--------------------------------------------+--------------------------

Comment (by gk):

 Replying to [comment:9 mcs]:
 > Kathy and I reviewed the Firefox 46 and 47 changes (by looking at the
 "Firefox ## for Developers" web pages, the target_milestone=mozilla##
 bugs, and the target_milestone=Firefox%20## bugs). Before we move on to
 48-52, we wanted to note here what we found so far:
 >
 > a) `DateTimeFormat.formatToParts`. We should verify that timezone and/or
 locale not leaked to web content by new API.
 > https://bugzilla.mozilla.org/show_bug.cgi?id=1289340
 > https://developer.mozilla.org/en-
 US/docs/Web/JavaScript/Reference/Global_Objects/DateTimeFormat/formatToParts

 That's in mozill52, right? But, yes, we should double-check that. I opened
 #21608.

 > b) Some changes were made to device orientation events. We should ensure
 that orientation is not leaked to web content.
 > https://bugzilla.mozilla.org/show_bug.cgi?id=1205649

 #21609.

 > c) The Permissions API is now enabled. Kathy and I think we should turn
 it off to prevent fingerprinting based on choices that users make.
 Unfortunately, the `dom.permissions.enabled` pref was removed.
 > https://lists.mozilla.org/pipermail/dev-platform/2015-August/011466.html
 > https://bugzilla.mozilla.org/show_bug.cgi?id=1233702

 #21569.

 > d) TouchEvents are now enabled on Windows and Linux. I already poked
 #10286.
 >
 > e) window.showModalDialog() is not available when e10s is enabled.
 Should we always make it unavailable (even when e10s is disabled)? Or
 maybe we don't care because we will probably enable e10s for all Tor
 Browser users or none.
 > https://bugzilla.mozilla.org/show_bug.cgi?id=1234700

 I think we should not care. Besides that it seems that non of our code is
 using `showModalDialog()` anyway.

 > f) Looking through the bug lists reminded us about Web Animations
 possibly providing a high resolution timing source. But we do have #18273
 for that issue.

 I guess you mean #16337?

 > g) Similarly, we were reminded about WebAudio. See #13017.
 >
 > h) We will need to set `network.dns.blockDotOnion = false`.

 Hm. You mean for the transparent proxying option?

 > i) Should we disable about:profiles? Some of the functionality will
 confused our users, e.g., "Create New Profile" which may not work
 correctly on Linux and Windows and "Restart with Add-ons Disabled."
 > https://bugzilla.mozilla.org/show_bug.cgi?id=1235402

 Yes. I opened #21610.

 > j) A DNS lookup feature was added to about:networking DNS. We should
 verify that it respects the browser proxy settings.
 > https://bugzilla.mozilla.org/show_bug.cgi?id=907050

 #21611.

 > k) Is the Fetch API safe? It includes fetch events with mode=navigate,
 and Kathy and I are not sure if there are any linkability concerns with
 that API.
 > https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API

 This is already #16326. Or did you find something new we should look at?

 Additional things I found:

 l) Remaining things for offscreen canvas got implemented in
 https://bugzilla.mozilla.org/show_bug.cgi?id=1172796. We should make sure
 that they are disabled as well (I updated #18599).

 m) windows are maximized on first run on small screens:
 https://bugzilla.mozilla.org/show_bug.cgi?id=384336 I'll have that in mind
 while reviewing the rebased patches in #20680.

 n) There is a "What's new" item on the about dialog pointing to Mozilla
 resources: https://bugzilla.mozilla.org/show_bug.cgi?id=1047395 I guess we
 should point to our blog post instead. I opened #21613.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19048#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs