#22074: Review Firefox Developer Docs and Undocumented bugs since FF52esr
--------------------------------------------+--------------------------
 Reporter:  gk                              |          Owner:  tbb-team
     Type:  task                            |         Status:  new
 Priority:  Very High                       |      Milestone:
Component:  Applications/Tor Browser        |        Version:
 Severity:  Normal                          |     Resolution:
 Keywords:  ff60-esr, TorBrowserTeam201806  |  Actual Points:
Parent ID:                                  |         Points:
 Reviewer:                                  |        Sponsor:
--------------------------------------------+--------------------------

Comment (by mcs):

Here are the items that Kathy and I found so far that we do not think are covered by other open tickets:

https://bugzilla.mozilla.org/show_bug.cgi?id=1344669
Support for the `dom.enable_user_timing` pref, which we set to `false`, has been removed. We may need to restore support for this pref.

https://bugzilla.mozilla.org/show_bug.cgi?id=1251161
https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_Masking
Support for CSS masks was added and may represent a fingerprinting risk (e.g., if behavior is different for different platforms or GPUs).

https://bugzilla.mozilla.org/show_bug.cgi?id=1287983
https://bugzilla.mozilla.org/show_bug.cgi?id=1264125
https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_Transitions
Support for CSS Transition events was added (transitionstart, transitionrun, and transitioncancel). This may pose risks similar to CSS animations; see #18273.

https://bugzilla.mozilla.org/show_bug.cgi?id=1250077
https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_compressed_texture_astc
https://bugzilla.mozilla.org/show_bug.cgi?id=1325113
https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_compressed_texture_s3tc_srgb
Support for these WebGL extensions was added. We should verify that both are disabled by our setting `webgl.disable-extensions` to `false`.

https://bugzilla.mozilla.org/show_bug.cgi?id=1239100
https://developer.mozilla.org/en-US/docs/Web/API/SVGGeometryElement
The SVGGeometryElement interface has been partially implemented. We should verify that it does not add a fingerprinting risk due to methods such as SVGGeometryElement.getPointAtLength() which locates a point part way along an arbitrary path.

https://developer.mozilla.org/en-US/docs/Web/CSS/clip-path
https://bugzilla.mozilla.org/show_bug.cgi?id=1247229
Support for CSS clip-path on shapes was added. We should verify that this does not have any associated fingerprinting risks.
There was a pref to disable this feature, but support for the pref was removed during the ESR60 development cycle.

https://bugzilla.mozilla.org/show_bug.cgi?id=1340655
As we know, support for HTTP 1.x pipelining was removed. We should remove the related prefs from browser/app/profile/000-tor-browser.js

https://bugzilla.mozilla.org/show_bug.cgi?id=1399036
The date and time <input> types are now enabled. We should verify that this does not leak the user's locale, e.g., if the input field dimensions are different in different locales. There is a `dom.forms.datetime` pref that may be used to remove support for these <input> types.

https://bugzilla.mozilla.org/show_bug.cgi?id=1314959
https://developer.mozilla.org/en-US/docs/Web/API/Background_Tasks_API
window.requestIdleCallback() is now available. We should determine whether it may be used to learn too much about the performance of the user's computer/device, or if there are other timing leaks we want to avoid. This can be disabled by setting `dom.requestIdleCallback.enabled` to `false`.

https://bugzilla.mozilla.org/show_bug.cgi?id=1321865
https://developer.mozilla.org/en-US/docs/Web/API/Intersection_Observer_API
Support for the Intersection Observer API was added. It "provides a way to asynchronously observe changes in the intersection of a target element with an ancestor element or with a top-level document's viewport." and may add linkability or fingerprinting risks.

https://bugzilla.mozilla.org/show_bug.cgi?id=1151421
The window.pageYOffset/pageXOffset/scrollX/scrollY properties now return data with subpixel accuracy. We think this means "half pixels on a macOS Retina or other high resolution display." Does this pose any fingerprinting risks? We may already round these when `privacy.resistFingerprinting` is `true`.

https://bugzilla.mozilla.org/show_bug.cgi?id=1364297
A name property was added to Worker() and SharedWorker().
We don't think this adds any new linkability risks though since workers can already communicate via messages.

https://bugzilla.mozilla.org/show_bug.cgi?id=1222633
https://developer.mozilla.org/en-US/docs/Web/HTML/Preloading_content
Support for <link rel="preload"> was added in Firefox 56 but it was disabled in Firefox 57 "because of various web compatibility issues." We should verify that this is still disabled or ensure that it is subject to first-party isolation.

https://bugzilla.mozilla.org/show_bug.cgi?id=1379938
Support was added for some new system color values (`-moz-win-accentcolor` and `-moz-win-accentcolortext`) as well as a `-moz-windows-accent-color-in-titlebar` media query. It looks like the colors are correctly spoofed when `ui.use_standins_for_native_colors` = `true` but the media query may add a fingerprinting risk.

https://bugzilla.mozilla.org/show_bug.cgi?id=1386974
Hardware-based encoding for media is now enabled by default on Android. We are not sure if this is a problem or not.

https://bugzilla.mozilla.org/show_bug.cgi?id=1403318
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/PluralRules
https://bugzilla.mozilla.org/show_bug.cgi?id=1403319
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/NumberFormat/formatToParts
https://bugzilla.mozilla.org/show_bug.cgi?id=1386146
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/DateTimeFormat
Various international APIs and enhancements to existing APIs were added. We should review them to make sure locale info, etc. is not leaked when `privacy.resistFingerprinting` is `true`.

https://bugzilla.mozilla.org/show_bug.cgi?id=1393691
Firefox now implements a TLS handshake timeout with a default value of 30 seconds. Previously, it was a lot longer (maybe the same as the system TCP connect timeout, which is typically on the order of 10 minutes).
We should decide whether we need a longer timeout for Tor-based browsing, e.g., 2 or 3 minutes.

https://bugzilla.mozilla.org/show_bug.cgi?id=577084
As of Firefox 59, Apple's HTTPS Live Streaming (HLS) protocol is supported on Android for both audio and video. We should audit this or at least look at how it is implemented. Mozilla says: "There is not currently any plan to implement it on Firefox Desktop."

https://bugzilla.mozilla.org/show_bug.cgi?id=1432542
The Web Authentication API has been enabled. We should audit it or at least understand it better, or we should disable it by setting `security.webauth.webauthn` = `false`.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22074#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
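
Several items in the comment above come down to whether a prefs file such as browser/app/profile/000-tor-browser.js still sets the values it names, and whether it carries prefs that no longer do anything. The following is an added example, not part of the original message or of Tor Browser's code: a small audit of a prefs file against the values the comment mentions. The `network.http.pipelining` prefix and the sample file contents are assumptions made for illustration.

```python
import re

# Values the comment gives for prefs Tor Browser sets or could set.
EXPECTED = {
    "privacy.resistFingerprinting": True,
    "ui.use_standins_for_native_colors": True,
    "dom.requestIdleCallback.enabled": False,
    "security.webauth.webauthn": False,
}
# The comment says support for this pref was removed; setting it does nothing.
DEAD_EXACT = {"dom.enable_user_timing"}
# Assumption: pipelining prefs share this prefix (the comment names none).
DEAD_PREFIXES = ("network.http.pipelining",)
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')
BOOLS = {"true": True, "false": False}

def parse_prefs(text):
    """Line-oriented parse; later lines win, // lines and block comments are skipped or unsupported."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)  # a line starting with // never matches
        if m:
            prefs[m.group(1)] = BOOLS.get(m.group(2), m.group(2))
    return prefs

def audit(text):
    """Return (kind, pref) findings, kind being missing, mismatch or dead."""
    prefs = parse_prefs(text)
    findings = []
    for name, want in sorted(EXPECTED.items()):
        if name not in prefs:
            findings.append(("missing", name))
        elif prefs[name] is not want:
            findings.append(("mismatch", name))
    for name in sorted(prefs):
        if name in DEAD_EXACT or name.startswith(DEAD_PREFIXES):
            findings.append(("dead", name))
    return findings

# Constructed sample, not the contents of the real 000-tor-browser.js.
SAMPLE = """\
pref("privacy.resistFingerprinting", true);
pref("dom.enable_user_timing", false);
pref("network.http.pipelining", true);
pref("dom.requestIdleCallback.enabled", true);
// pref("security.webauth.webauthn", false);
"""

print(*audit(SAMPLE), sep="\n")
```

A "dead" finding only means the file still sets a pref the browser ignores; whether the protection it used to provide needs restoring is the review question the ticket raises.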