[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #12609 [TorBrowserButton]: HTML5 fullscreen API makes TB fingerprintable, disable it!
#12609: HTML5 fullscreen API makes TB fingerprintable, disable it!
----------------------------------+--------------------------------
Reporter: cypherpunks | Owner: mikeperry
Type: defect | Status: needs_revision
Priority: major | Milestone:
Component: TorBrowserButton | Version:
Resolution: | Keywords: tbb-fingerprinting
Actual Points: | Parent ID:
Points: |
----------------------------------+--------------------------------
Comment (by faether):
Replying to [comment:18 mikeperry]:
> Just about the only thing that would convince me otherwise is if this
fingerprinting could be done invisibly, without the user becoming aware of
it via a full screen video suddenly playing.
It can. The element does not have to be a video, and we can exit
fullscreen mode right away (without user interaction) after the screen
dimensions have been extracted.
Here's a v2 proof of concept that leaves fullscreen after 500 ms.
Obviously this flicker could be reduced much further (100 ms worked fine,
10 ms didn't), but I'm not familiar enough with JavaScript and FS API race
conditions to try.
https://rawgit.com/anonymous/eceb468086375f942c2f/raw/36ea4683bdba6315e828026a9a97f23fba775320/fs-v2.html
It's true that the proper fix would be to open the permission dialog
''before'' entering fullscreen mode, but I hope we can use this pref as a
temporary bugfix until then.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12609#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs