Re: [tor-bugs] #19048 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF45esr
#19048: Review Firefox Developer Docs and Undocumented bugs since FF45esr
-------------------------------------------------+-------------------------
Reporter: gk | Owner: tbb-team
Type: task | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: ff52-esr, tbb-7.0-must, TorBrowserTeam201703, GeorgKoppen201703 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor: Sponsor4
-------------------------------------------------+-------------------------
Comment (by gk):
Replying to [comment:13 mcs]:
> Here are a few items for Firefox 50:
>
> a) We need to determine if the File and Directory Entries API adds any fingerprinting or linkability risk.
> https://developer.mozilla.org/en-US/docs/Web/API/File_and_Directory_Entries_API
That is #21742.
> b) When reviewing bugs, Kathy and I noticed that there seem to be a lot of crasher bugs associated with DOM Animation, e.g., UAF bugs. I think this is disabled by default via:
> dom.animations-api.core.enabled = false
> or maybe we also need to add the following if we want to turn it off completely?
> dom.animations-api.element-animate.enabled
> This might be something for the security slider eventually.
Have you checked whether those crasher bugs ever made it into releases?
The current metric for the slider was looking at sec-high and sec-critical
bugs that got fixed on the release channel. Just looking at mozilla50
might spoil our metrics.
> c) As part of our release procedures, do we double-check the HPKP expiration? We do not want to have a repeat of the problem where the pins expired. Mozilla seems to have bugs for each release, e.g.,
> https://bugzilla.mozilla.org/show_bug.cgi?id=1307530
Hey, that got mentioned in the mozilla49 notes already (see my reply in
the previous comment). :)
Additional things I have:
d) The HTML Drag and Drop API is new and enabled by default allowing
multiple items to be dragged and dropped (see:
https://bugzilla.mozilla.org/show_bug.cgi?id=906420,
https://bugzilla.mozilla.org/show_bug.cgi?id=1289255, and
https://bugzilla.mozilla.org/show_bug.cgi?id=1298243). I opened #21741.
e) Mozilla ships its own emoji font on Windows/Linux; we should make sure
that does not interfere with our font fingerprinting defense (see:
https://bugzilla.mozilla.org/show_bug.cgi?id=1231701). That's #21740.
f) SPDY 3.1 is disabled; we can get rid of the pref we set
(https://bugzilla.mozilla.org/show_bug.cgi?id=1287132). That is actually
ripped out in Firefox 51. I opened #21739.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19048#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online