[tor-commits] [Git][tpo/applications/tor-browser][tor-browser-128.2.0esr-14.0-1] 3 commits: fixup! Bug 42472: Spoof timezone in XSLT.

morgan pushed to branch tor-browser-128.2.0esr-14.0-1 at The Tor Project / Applications / Tor Browser

Commits:

600fa3e4

by Pier Angelo Vendrame at 2024-08-27T09:53:22+02:00

fixup! Bug 42472: Spoof timezone in XSLT.

Revert "Bug 42472: Spoof timezone in XSLT."

This reverts commit 7bdf1f4f6cd90346da288435564ca67d1b0e58e5.

fb25351a

by Fatih at 2024-08-27T09:53:53+02:00

Bug 1891690: Return GMT when RFPTarget::JSDateTimeUTC is enabled. r=timhuang

Differential Revision: https://phabricator.services.mozilla.com/D216411

365873be

by Fatih at 2024-08-27T09:54:19+02:00

Bug 1912129: Reduce time precision for EXSLT date time function. r=timhuang

Differential Revision: https://phabricator.services.mozilla.com/D218783

4 changed files:

browser/components/resistfingerprinting/test/browser/browser.toml
+ browser/components/resistfingerprinting/test/browser/browser_exslt_time_precision.js
+ browser/components/resistfingerprinting/test/browser/browser_exslt_timezone_load.js
dom/xslt/xslt/txEXSLTFunctions.cpp

Changes:

browser/components/resistfingerprinting/test/browser/browser.toml

@@ -196,3 +196,7 @@ lineno = "172"
  ["browser_timezone.js"]
  lineno = "176"
++
 +["browser_exslt_timezone_load.js"]
++
 +["browser_exslt_time_precision.js"]

browser/components/resistfingerprinting/test/browser/browser_exslt_time_precision.js

 +/**
 + * Bug 1912129 - A test case for verifying EXSLT date will report second-precise
 + *               time fingerprinting resistance is enabled.
 + */
++
 +function getTime(tab) {
 +  const extractTime = function () {
 +    const xslText = `
 +    <xsl:stylesheet version="1.0"
 +                    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 +                    xmlns:date="http://exslt.org/dates-and-times"
 +                    extension-element-prefixes="date">
 +      <xsl:output method="text" />
 +      <xsl:template match="/">
 +        <xsl:value-of select="date:date-time()" />
 +      </xsl:template>
 +    </xsl:stylesheet>`;
++
 +    const parser = new DOMParser();
 +    const xsltProcessor = new XSLTProcessor();
 +    const xslStylesheet = parser.parseFromString(xslText, "application/xml");
 +    xsltProcessor.importStylesheet(xslStylesheet);
 +    const xmlDoc = parser.parseFromString("<test />", "application/xml");
 +    const styledDoc = xsltProcessor.transformToDocument(xmlDoc);
 +    const time = styledDoc.firstChild.textContent;
++
 +    return time;
 +  };
++
 +  const extractTimeExpr = `(${extractTime.toString()})();`;
++
 +  return SpecialPowers.spawn(
 +    tab.linkedBrowser,
 +    [extractTimeExpr],
 +    async funccode => content.eval(funccode)
 +  );
 +}
++
 +add_task(async function test_new_window() {
 +  await SpecialPowers.pushPrefEnv({
 +    set: [
 +      ["privacy.fingerprintingProtection", true],
 +      ["privacy.fingerprintingProtection.overrides", "+ReduceTimerPrecision"],
 +    ],
 +  });
++
 +  // Open a tab for extracting the time from XSLT.
 +  const tab = await BrowserTestUtils.openNewForegroundTab({
 +    gBrowser,
 +    opening: TEST_PATH + "file_dummy.html",
 +    forceNewProcess: true,
 +  });
++
 +  for (let i = 0; i < 10; i++) {
 +    // eslint-disable-next-line mozilla/no-arbitrary-setTimeout
 +    await new Promise(res => setTimeout(res, 25));
++
 +    // The regex could be a lot shorter (e.g. /\.(\d{3})/) but I wrote the whole
 +    // thing to make sure the time is in the expected format and to allow us
 +    // to re-use this regex in the future if we need to.
 +    // Note: Date format is not locale dependent.
 +    const regex = /\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.(\d{3})[-+]\d{2}:\d{2}/;
 +    const time = await getTime(tab);
 +    const [, milliseconds] = time.match(regex);
++
 +    is(milliseconds, "000", "Date's precision was reduced to seconds.");
 +  }
++
 +  BrowserTestUtils.removeTab(tab);
 +  await SpecialPowers.popPrefEnv();
 +});

browser/components/resistfingerprinting/test/browser/browser_exslt_timezone_load.js

 +/**
 + * Bug 1891690 - A test case for verifying EXSLT date will use Atlantic/Reykjavik
 + *               timezone (GMT and "real" equivalent to UTC) after fingerprinting
 + *               resistance is enabled.
 + */
++
 +function getTimeZone(tab) {
 +  const extractTime = function () {
 +    const xslText = `
 +    <xsl:stylesheet version="1.0"
 +                    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 +                    xmlns:date="http://exslt.org/dates-and-times"
 +                    extension-element-prefixes="date">
 +      <xsl:output method="text" />
 +      <xsl:template match="/">
 +        <xsl:value-of select="date:date-time()" />
 +      </xsl:template>
 +    </xsl:stylesheet>`;
++
 +    const parser = new DOMParser();
 +    const xsltProcessor = new XSLTProcessor();
 +    const xslStylesheet = parser.parseFromString(xslText, "application/xml");
 +    xsltProcessor.importStylesheet(xslStylesheet);
 +    const xmlDoc = parser.parseFromString("<test />", "application/xml");
 +    const styledDoc = xsltProcessor.transformToDocument(xmlDoc);
 +    const time = styledDoc.firstChild.textContent;
++
 +    return time;
 +  };
++
 +  const extractTimeExpr = `(${extractTime.toString()})();`;
++
 +  return SpecialPowers.spawn(
 +    tab.linkedBrowser,
 +    [extractTimeExpr],
 +    async funccode => content.eval(funccode)
 +  );
 +}
++
 +add_task(async function test_new_window() {
 +  await SpecialPowers.pushPrefEnv({
 +    set: [
 +      ["privacy.fingerprintingProtection", true],
 +      ["privacy.fingerprintingProtection.overrides", "+JSDateTimeUTC"],
 +    ],
 +  });
++
 +  // Open a tab for extracting the time zone from XSLT.
 +  const tab = await BrowserTestUtils.openNewForegroundTab({
 +    gBrowser,
 +    opening: TEST_PATH + "file_dummy.html",
 +    forceNewProcess: true,
 +  });
++
 +  SpecialPowers.Cu.getJSTestingFunctions().setTimeZone("America/Toronto");
 +  const timeZone = await getTimeZone(tab);
++
 +  ok(timeZone.endsWith("+00:00"), "Timezone was spoofed.");
++
 +  BrowserTestUtils.removeTab(tab);
 +  await SpecialPowers.popPrefEnv();
 +});

dom/xslt/xslt/txEXSLTFunctions.cpp

@@ -590,14 +590,22 @@ nsresult txEXSLTFunctionCall::evaluate(txIEvalContext* aContext,
        // http://exslt.org/date/functions/date-time/
        PRExplodedTime prtime;
 -      PR_ExplodeTime(PR_Now(),
 -                     nsContentUtils::ShouldResistFingerprinting(
 -                         "We are not allowed to access the document at this "
 -                         "stage (we are given a txEarlyEvalContext context).",
 -                         RFPTarget::JSDateTimeUTC)
 -                         ? PR_GMTParameters
 -                         : PR_LocalTimeParameters,
 -                     &prtime);
 +      Document* sourceDoc = getSourceDocument(aContext);
 +      NS_ENSURE_STATE(sourceDoc);
++
 +      PRTimeParamFn timezone =
 +          sourceDoc->ShouldResistFingerprinting(RFPTarget::JSDateTimeUTC)
 +              ? PR_GMTParameters
 +              : PR_LocalTimeParameters;
++
 +      PRTime time =
 +          sourceDoc->ShouldResistFingerprinting(RFPTarget::ReduceTimerPrecision)
 +              ? (PRTime)nsRFPService::ReduceTimePrecisionAsSecs(
 +                    (double)PR_Now() / PR_USEC_PER_SEC, 0,
 +                    RTPCallerType::ResistFingerprinting) *
 +                    PR_USEC_PER_SEC
 +              : PR_Now();
 +      PR_ExplodeTime(time, timezone, &prtime);
        int32_t offset =
            (prtime.tm_params.tp_gmt_offset + prtime.tm_params.tp_dst_offset) /
@@ -641,7 +649,7 @@ Expr::ResultType txEXSLTFunctionCall::getReturnType() {
  bool txEXSLTFunctionCall::isSensitiveTo(ContextSensitivity aContext) {
    if (mType == txEXSLTType::NODE_SET || mType == txEXSLTType::SPLIT ||
 -      mType == txEXSLTType::TOKENIZE) {
 +      mType == txEXSLTType::TOKENIZE || mType == txEXSLTType::DATE_TIME) {
      return (aContext & PRIVATE_CONTEXT) || argsSensitiveTo(aContext);
+   }
    return argsSensitiveTo(aContext);