[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #19048 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF45esr



#19048: Review Firefox Developer Docs and Undocumented bugs since FF45esr
--------------------------------------------+--------------------------
 Reporter:  gk                              |          Owner:  tbb-team
     Type:  task                            |         Status:  new
 Priority:  Medium                          |      Milestone:
Component:  Applications/Tor Browser        |        Version:
 Severity:  Normal                          |     Resolution:
 Keywords:  ff52-esr, TorBrowserTeam201702  |  Actual Points:
Parent ID:                                  |         Points:
 Reviewer:                                  |        Sponsor:  Sponsor4
--------------------------------------------+--------------------------

Comment (by mcs):

 Kathy and I reviewed the Firefox 46 and 47 changes (by looking at the
 "Firefox ## for Developers" web pages, the target_milestone=mozilla##
 bugs, and the target_milestone=Firefox%20## bugs). Before we move on to
 48-52, we wanted to note here what we found so far:

 a) `DateTimeFormat.formatToParts`. We should verify that timezone and/or
 locale not leaked to web content by new API.
 https://bugzilla.mozilla.org/show_bug.cgi?id=1289340
 https://developer.mozilla.org/en-
 US/docs/Web/JavaScript/Reference/Global_Objects/DateTimeFormat/formatToParts

 b) Some changes were made to device orientation events. We should ensure
 that orientation is not leaked to web content.
 https://bugzilla.mozilla.org/show_bug.cgi?id=1205649

 c) The Permissions API is now enabled. Kathy and I think we should turn it
 off to prevent fingerprinting based on choices that users make.
 Unfortunately, the `dom.permissions.enabled` pref was removed.
 https://lists.mozilla.org/pipermail/dev-platform/2015-August/011466.html
 https://bugzilla.mozilla.org/show_bug.cgi?id=1233702

 d) TouchEvents are now enabled on Windows and Linux. I already poked
 #10286.

 e) window.showModalDialog() is not available when e10s is enabled. Should
 we always make it unavailable (even when e10s is disabled)? Or maybe we
 don't care because we will probably enable e10s for all Tor Browser users
 or none.
 https://bugzilla.mozilla.org/show_bug.cgi?id=1234700

 f) Looking through the bug lists reminded us about Web Animations possibly
 providing a high resolution timing source. But we do have #18273 for that
 issue.

 g) Similarly, we were reminded about WebAudio. See #13017.

 h) We will need to set `network.dns.blockDotOnion = false`.

 i) Should we disable about:profiles? Some of the functionality will
 confused our users, e.g., "Create New Profile" which may not work
 correctly on Linux and Windows and "Restart with Add-ons Disabled."
 https://bugzilla.mozilla.org/show_bug.cgi?id=1235402

 j) A DNS lookup feature was added to about:networking DNS. We should
 verify that it respects the browser proxy settings.
 https://bugzilla.mozilla.org/show_bug.cgi?id=907050

 k) Is the Fetch API safe? It includes fetch events with mode=navigate, and
 Kathy and I are not sure if there are any linkability concerns with that
 API.
 https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19048#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs