[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #19048 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF45esr



#19048: Review Firefox Developer Docs and Undocumented bugs since FF45esr
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  task                                 |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-must,              |  Actual Points:
  TorBrowserTeam201703, GeorgKoppen201703        |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor4
-------------------------------------------------+-------------------------

Comment (by gk):

 Replying to [comment:14 mcs]:
 > Finally, here our our notes for Firefox 51 (we did not look at the
 Firefox 52 changes yet):
 >
 > a) We should verify that `TypedArray.toLocaleString()` does not leak
 locale information.
 >    https://developer.mozilla.org/en-
 US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray/toLocaleString

 There are other objects that have `toLocaleString()` as well, like `Array`
 (https://developer.mozilla.org/en-
 US/docs/Web/JavaScript/Reference/Global_Objects/Array/toLocaleString) or
 `Number` (https://developer.mozilla.org/en-
 US/docs/Web/JavaScript/Reference/Global_Objects/Number/toLocaleString). I
 have a ticket for all of them: #21784.

 > b) We should verify that the new `<input>` types do not leak locale
 information, e.g., `<input type="time">`, `type="date"`, `type="week"`,
 etc.
 >  https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input

 Hm. The docs say these are not implemented yet and the linked bug
 (https://bugzilla.mozilla.org/show_bug.cgi?id=888320) seems to second
 that. What made you believe they are wrong?

 > c) WebGL2 is enabled by default which may enable new fingerprinting
 opportunities:
 >  https://developer.mozilla.org/en-US/docs/Web/API/WebGL_API

 This is #16404.

 > d) HTTP Opportunistic Security may add some linkability risks, although
 it seems okay at a glance.
 >  http://httpwg.org/http-extensions/opsec.html
 >  https://bugzilla.mozilla.org/show_bug.cgi?id=1301117

 It seems that needs HTTP2/Alternative Services being enabled which is both
 not the case for us?

 > e) Do we want to disable Web Audio due to fingerprinting risks? Mozilla
 keeps adding more functionality. Maybe this is already covered by #13017.

 I think having this covered by #13017 seems okay for me. We should keep a
 close eye on that one, though. FWIW: We got a pref to disable that in
 https://bugzilla.mozilla.org/show_bug.cgi?id=1288359 (+ there is some
 discussion on that bugs) we might want to use. I updated #13017
 accordingly and flag it for closer ff52-esr scrutiny.

 > f) There are some new Storage APIs that we should look at, e.g.,
 >  https://developer.mozilla.org/en-
 US/docs/Web/API/StorageManager/estimate
 >  https://bugzilla.mozilla.org/show_bug.cgi?id=1267941

 I have #21785 for that.

 Additionally, I have

 g) Check whether the Ambient Light Sensor event.value is properly rounded
 off: #21786.

 h) Make sure exposing the calendar information does not leak the locale:
 #21787.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19048#comment:28>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs