[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #19048 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF45esr



#19048: Review Firefox Developer Docs and Undocumented bugs since FF45esr
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  task                                 |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-must,              |  Actual Points:
  TorBrowserTeam201703, GeorgKoppen201703        |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor4
-------------------------------------------------+-------------------------

Comment (by gk):

 Replying to [comment:12 mcs]:
 > And here are our notes for Firefox 49:
 >
 > a) Graphite font rendering has been re-enabled. We need to decide if we
 want to disable it again or not.

 I opened #21726.

 > b) Mozilla switched to compiling with Intel SSE2. We could do the same,
 although it would mean that Tor Browser would not run on some really old
 CPUs. Mozilla modified their Windows installer to notify and refuse to
 install if the CPU does not support SSE2.
 >  https://bugzilla.mozilla.org/show_bug.cgi?id=1271759

 The updater part is #19316 and the installer #21704.

 > c) Kathy and I cannot think of any fingerprinting or linkability risks
 associated with the Web Speech API, but it is a big new thing:
 >  https://developer.mozilla.org/en-US/docs/Web/API/Web_Speech_API
 >  https://bugzilla.mozilla.org/show_bug.cgi?id=1268633

 Yeah, I think this is fine. Both synthesis and recognition seem to be off
 anyway. pref("media.webspeech.synth.enabled", false);
 pref("media.webspeech.recognition.enable", false);

 > d) We should verify that the "Network ID" is not even computed when
 Telemetry is disabled.  At least I would feel better if it was not.
 >  https://bugzilla.mozilla.org/show_bug.cgi?id=1240932

 #21727. Might have sandboxing implications as well as it needs
 /proc/net/arp access on Linux e.g.

 > e) The Bookmarks Toolbar is automatically shown when the user adds a
 bookmark to it. This will change the window size, but maybe this is used
 rarely enough that we do not care?
 >  https://bugzilla.mozilla.org/show_bug.cgi?id=1219788

 Hm. I think that falls under #16456

 > f) The window.isSecureContext API is interesting but may not add any
 fingerprinting or linkability risks. We should think about whether
 features that are being made "HTTPS only" should also be available on
 .onion sites.
 >  https://developer.mozilla.org/en-US/docs/Web/API/Window/isSecureContext

 Yes, this is a nice thing to look at, I opened #21728.

 > g) As part of our release procedures, do we double-check the HPKP
 expiration? Mozilla seems to have bugs for each release, e.g.,
 >  https://bugzilla.mozilla.org/show_bug.cgi?id=1307530

 No, we don't right now. Mozilla has HPKP enabled for addons.mozilla.org
 and other measures implemented
 (https://bugzilla.mozilla.org/show_bug.cgi?id=1303127#c13). I think that's
 okay until we solve this properly.

 Other things I have:

 h) Flyweb landed which seems crazy (https://wiki.mozilla.org/FlyWeb and
 https://hacks.mozilla.org/2016/09/flyweb-pure-web-cross-device-
 interaction) but it is disabled in ESR 52 (`dom.flyweb.enabled` is
 `false`).

 i) Canvas CSS/SVG filters are enabled by default
 (https://bugzilla.mozilla.org/show_bug.cgi?id=1173545). We have #16341 for
 that.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19048#comment:23>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs