Re: [tor-bugs] #21569 [Applications/Tor Browser]: Investigate and neuter fingerprinting potential of Permissions API

["Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>]

#21569: Investigate and neuter fingerprinting potential of Permissions API
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:
                                                 |  arthuredelstein
     Type:  task                                 |         Status:
                                                 |  needs_information
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-must-alpha,        |  Actual Points:
  TorBrowserTeam201705R                          |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor4
-------------------------------------------------+-------------------------

Comment (by arthuredelstein):

 Replying to [comment:9 mcs]:
 > Kathy and I started to review this but got stuck on a couple of things:
 > * Where is the file `file_firstPartySpecial.html`?
 > * Should the commented out lines (e.g., for geolocation) be removed from
 `browser_permissions.js`?
 > * `PrincipalOriginAttributes::StripUserContextId()` is now an empty
 function. Is that correct?

 Thanks for noticing these things. I have cleaned them up now. Here's the
 new version:
 https://github.com/arthuredelstein/tor-browser/commit/21569+4

 Note here I am enabling isolation of permissions both by first party
 domain and container ID. As Tor Browser doesn't use containers, the change
 to container behavior should have no effect. But I took this approach
 (changing both things) because it makes writing a test with Mozilla's
 existing isolation test framework straightforward. If Mozilla decides to
 apply first-party isolation to permissions, but not to apply it to
 containers, then they will need to modify the framework. (Although my
 recommendation would be to isolate permissions by containers as well.)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21569#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs