[tbb-bugs] #13875 [Tor Browser]: Tor Browser DPI spoofing omitted window.devicePixelRatio

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue May 5 23:08:34 UTC 2015 

#13875: Tor Browser DPI spoofing omitted window.devicePixelRatio
-------------------------+-------------------------------------------------
     Reporter:  isis     |      Owner:  tbb-team
         Type:  defect   |     Status:  needs_review
     Priority:  major    |  Milestone:
    Component:  Tor      |    Version:
  Browser                |   Keywords:  tbb-fingerprinting-resolution, tbb-
   Resolution:           |  testcase, tbb-firefox-patch,
Actual Points:           |  TorBrowserTeam201505R, MikePerry201505R
       Points:           |  Parent ID:
-------------------------+-------------------------------------------------

Comment (by arthuredelstein):

 Replying to [comment:21 mikeperry]:
 > My typical question with this IsCaller stuff: Is this property exported
 to WebSockets? What happens there?

 Are you thinking of WebWorkers? I ran a quick manual test, and
 `devicePixelRatio` is not exposed to WebWorkers.

 > Also, how about scripts inside blob URIs from the URL bar? And blob URIs
 from an iframe?

 Yeah, again I think you're right that the IsCallerChrome() call is
 dangerous, and I should have thought about these possibilities more. Also
 it worries me that using IsCallerChrome to prevent leaks to content is not
 very future-proof, even if we can confirm that it is airtight now.

 An alternative method for getting the "true zoom level" of a content
 window, instead of
 {{{
 #!javascript
 let trueZoom = gBrowser.contentWindow.devicePixelRatio;
 }}}
 is to call
 {{{
 #!js
 let trueZoom = gBrowser.window.QueryInterface(Ci.nsIInterfaceRequestor)
                        .getInterface(Ci.nsIDOMWindowUtils)
                        .screenPixelsPerCSSPixel;
 }}}
 So here's an alternative patch that leaves
 `nsGlobalWindow::GetDevicePixelRatio` with the `IsChrome` call and instead
 fixes `nsDOMWindowUtils::GetScreenPixelsPerCSSPixel` so that it isn't
 spoofed when "privacy.resistFingerprinting" is activated. The latter call
 is only available from chrome code.

 https://github.com/arthuredelstein/tor-
 browser/commit/4c316cacb6383c9b60606630ef331301fa51da10

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13875#comment:22>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list