[tbb-commits] [Git][tpo/applications/tor-browser][base-browser-128.2.0esr-14.0-1] 4 commits: fixup! Bug 42472: Spoof timezone in XSLT.
Pier Angelo Vendrame (@pierov)
git at gitlab.torproject.org
Mon Sep 2 09:56:41 UTC 2024
Pier Angelo Vendrame pushed to branch base-browser-128.2.0esr-14.0-1 at The Tor Project / Applications / Tor Browser
Commits:
6b4e61a1 by Pier Angelo Vendrame at 2024-09-02T11:54:45+02:00
fixup! Bug 42472: Spoof timezone in XSLT.
Revert "Bug 42472: Spoof timezone in XSLT."
This reverts commit 7bdf1f4f6cd90346da288435564ca67d1b0e58e5.
- - - - -
79feae7c by Fatih at 2024-09-02T11:54:49+02:00
Bug 1891690: Return GMT when RFPTarget::JSDateTimeUTC is enabled. r=timhuang
Differential Revision: https://phabricator.services.mozilla.com/D216411
- - - - -
442dcc5e by Fatih at 2024-09-02T11:54:50+02:00
Bug 1912129: Reduce time precision for EXSLT date time function. r=timhuang
Differential Revision: https://phabricator.services.mozilla.com/D218783
- - - - -
cda055ab by Pier Angelo Vendrame at 2024-09-02T11:56:23+02:00
Bug 42774: Always hide the third-pary certs UI.
- - - - -
5 changed files:
- browser/components/preferences/privacy.js
- browser/components/resistfingerprinting/test/browser/browser.toml
- + browser/components/resistfingerprinting/test/browser/browser_exslt_time_precision.js
- + browser/components/resistfingerprinting/test/browser/browser_exslt_timezone_load.js
- dom/xslt/xslt/txEXSLTFunctions.cpp
Changes:
=====================================
browser/components/preferences/privacy.js
=====================================
@@ -505,7 +505,8 @@ var gPrivacyPane = {
let canConfigureThirdPartyCerts =
(AppConstants.platform == "win" || AppConstants.platform == "macosx") &&
typeof Services.policies.getActivePolicies()?.Certificates
- ?.ImportEnterpriseRoots == "undefined";
+ ?.ImportEnterpriseRoots == "undefined" &&
+ !AppConstants.BASE_BROWSER_VERSION;
document.getElementById("certEnableThirdPartyToggleBox").hidden =
!canConfigureThirdPartyCerts;
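Review bot: The added `!AppConstants.BASE_BROWSER_VERSION` term only hides `certEnableThirdPartyToggleBox`; nothing in this hunk changes or locks the setting the toggle controls. A value already present in a profile, or set through about:config, would presumably still apply with no visible indicator. If the intent is that Base Browser never trusts OS-provided third-party roots, confirm that the underlying pref (`security.enterprise_roots.enabled` in upstream Firefox) is locked elsewhere in the patch set. The condition also needs a comment saying why it is there, for example `// Base Browser: never offer the third-party certs toggle (Bug 42774).`. The enclosing method starts and ends outside the hunk.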
=====================================
browser/components/resistfingerprinting/test/browser/browser.toml
=====================================
@@ -196,3 +196,7 @@ lineno = "172"
["browser_timezone.js"]
lineno = "176"
+
+["browser_exslt_timezone_load.js"]
+
+["browser_exslt_time_precision.js"]
=====================================
browser/components/resistfingerprinting/test/browser/browser_exslt_time_precision.js
=====================================
@@ -0,0 +1,71 @@
+/**
+ * Bug 1912129 - A test case for verifying EXSLT date will report second-precise
+ * time fingerprinting resistance is enabled.
+ */
+
+function getTime(tab) {
+ const extractTime = function () {
+ const xslText = `
+ <xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:date="http://exslt.org/dates-and-times"
+ extension-element-prefixes="date">
+ <xsl:output method="text" />
+ <xsl:template match="/">
+ <xsl:value-of select="date:date-time()" />
+ </xsl:template>
+ </xsl:stylesheet>`;
+
+ const parser = new DOMParser();
+ const xsltProcessor = new XSLTProcessor();
+ const xslStylesheet = parser.parseFromString(xslText, "application/xml");
+ xsltProcessor.importStylesheet(xslStylesheet);
+ const xmlDoc = parser.parseFromString("<test />", "application/xml");
+ const styledDoc = xsltProcessor.transformToDocument(xmlDoc);
+ const time = styledDoc.firstChild.textContent;
+
+ return time;
+ };
+
+ const extractTimeExpr = `(${extractTime.toString()})();`;
+
+ return SpecialPowers.spawn(
+ tab.linkedBrowser,
+ [extractTimeExpr],
+ async funccode => content.eval(funccode)
+ );
+}
+
+add_task(async function test_new_window() {
+ await SpecialPowers.pushPrefEnv({
+ set: [
+ ["privacy.fingerprintingProtection", true],
+ ["privacy.fingerprintingProtection.overrides", "+ReduceTimerPrecision"],
+ ],
+ });
+
+ // Open a tab for extracting the time from XSLT.
+ const tab = await BrowserTestUtils.openNewForegroundTab({
+ gBrowser,
+ opening: TEST_PATH + "file_dummy.html",
+ forceNewProcess: true,
+ });
+
+ for (let i = 0; i < 10; i++) {
+ // eslint-disable-next-line mozilla/no-arbitrary-setTimeout
+ await new Promise(res => setTimeout(res, 25));
+
+ // The regex could be a lot shorter (e.g. /\.(\d{3})/) but I wrote the whole
+ // thing to make sure the time is in the expected format and to allow us
+ // to re-use this regex in the future if we need to.
+ // Note: Date format is not locale dependent.
+ const regex = /\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.(\d{3})[-+]\d{2}:\d{2}/;
+ const time = await getTime(tab);
+ const [, milliseconds] = time.match(regex);
+
+ is(milliseconds, "000", "Date's precision was reduced to seconds.");
+ }
+
+ BrowserTestUtils.removeTab(tab);
+ await SpecialPowers.popPrefEnv();
+});
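Review bot: In the loop, `const [, milliseconds] = time.match(regex);` destructures the result of `match()` without checking it, so output in an unexpected format makes the test die with a TypeError instead of reporting a failed assertion. Keep the match in a variable and assert on it first: `const match = time.match(regex); ok(match, "date:date-time() returned the expected format");`. The regex is also unanchored, so it accepts the pattern anywhere in the string; `^…$` would make the format check mean what the comment says. The header comment is missing a word and should read "will report second-precise time when fingerprinting resistance is enabled".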
=====================================
browser/components/resistfingerprinting/test/browser/browser_exslt_timezone_load.js
=====================================
@@ -0,0 +1,62 @@
+/**
+ * Bug 1891690 - A test case for verifying EXSLT date will use Atlantic/Reykjavik
+ * timezone (GMT and "real" equivalent to UTC) after fingerprinting
+ * resistance is enabled.
+ */
+
+function getTimeZone(tab) {
+ const extractTime = function () {
+ const xslText = `
+ <xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:date="http://exslt.org/dates-and-times"
+ extension-element-prefixes="date">
+ <xsl:output method="text" />
+ <xsl:template match="/">
+ <xsl:value-of select="date:date-time()" />
+ </xsl:template>
+ </xsl:stylesheet>`;
+
+ const parser = new DOMParser();
+ const xsltProcessor = new XSLTProcessor();
+ const xslStylesheet = parser.parseFromString(xslText, "application/xml");
+ xsltProcessor.importStylesheet(xslStylesheet);
+ const xmlDoc = parser.parseFromString("<test />", "application/xml");
+ const styledDoc = xsltProcessor.transformToDocument(xmlDoc);
+ const time = styledDoc.firstChild.textContent;
+
+ return time;
+ };
+
+ const extractTimeExpr = `(${extractTime.toString()})();`;
+
+ return SpecialPowers.spawn(
+ tab.linkedBrowser,
+ [extractTimeExpr],
+ async funccode => content.eval(funccode)
+ );
+}
+
+add_task(async function test_new_window() {
+ await SpecialPowers.pushPrefEnv({
+ set: [
+ ["privacy.fingerprintingProtection", true],
+ ["privacy.fingerprintingProtection.overrides", "+JSDateTimeUTC"],
+ ],
+ });
+
+ // Open a tab for extracting the time zone from XSLT.
+ const tab = await BrowserTestUtils.openNewForegroundTab({
+ gBrowser,
+ opening: TEST_PATH + "file_dummy.html",
+ forceNewProcess: true,
+ });
+
+ SpecialPowers.Cu.getJSTestingFunctions().setTimeZone("America/Toronto");
+ const timeZone = await getTimeZone(tab);
+
+ ok(timeZone.endsWith("+00:00"), "Timezone was spoofed.");
+
+ BrowserTestUtils.removeTab(tab);
+ await SpecialPowers.popPrefEnv();
+});
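Review bot: `setTimeZone("America/Toronto")` is called from the test's own process after the tab has been opened with `forceNewProcess: true`. From this file alone it is not clear that the override reaches the content process that runs the XSLT, so on a machine whose system zone is already UTC the `endsWith("+00:00")` check may pass even with the spoofing broken. A control run with the override pref unset, asserting that the offset is not `+00:00`, would show that the baseline is really non-UTC. The zone is also never restored, so later tests in the same run inherit it; if the testing function accepts `undefined` as a reset, which should be checked, add `registerCleanupFunction(() => SpecialPowers.Cu.getJSTestingFunctions().setTimeZone(undefined));`.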
=====================================
dom/xslt/xslt/txEXSLTFunctions.cpp
=====================================
@@ -590,14 +590,22 @@ nsresult txEXSLTFunctionCall::evaluate(txIEvalContext* aContext,
// http://exslt.org/date/functions/date-time/
PRExplodedTime prtime;
- PR_ExplodeTime(PR_Now(),
- nsContentUtils::ShouldResistFingerprinting(
- "We are not allowed to access the document at this "
- "stage (we are given a txEarlyEvalContext context).",
- RFPTarget::JSDateTimeUTC)
- ? PR_GMTParameters
- : PR_LocalTimeParameters,
- &prtime);
+ Document* sourceDoc = getSourceDocument(aContext);
+ NS_ENSURE_STATE(sourceDoc);
+
+ PRTimeParamFn timezone =
+ sourceDoc->ShouldResistFingerprinting(RFPTarget::JSDateTimeUTC)
+ ? PR_GMTParameters
+ : PR_LocalTimeParameters;
+
+ PRTime time =
+ sourceDoc->ShouldResistFingerprinting(RFPTarget::ReduceTimerPrecision)
+ ? (PRTime)nsRFPService::ReduceTimePrecisionAsSecs(
+ (double)PR_Now() / PR_USEC_PER_SEC, 0,
+ RTPCallerType::ResistFingerprinting) *
+ PR_USEC_PER_SEC
+ : PR_Now();
+ PR_ExplodeTime(time, timezone, &prtime);
int32_t offset =
(prtime.tm_params.tp_gmt_offset + prtime.tm_params.tp_dst_offset) /
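Review bot: In the `PRTime time = …` expression the C-style `(PRTime)` cast binds tighter than `* PR_USEC_PER_SEC`, so the value returned by `ReduceTimePrecisionAsSecs` is truncated to whole seconds before being scaled back to microseconds. That truncation, rather than the helper's own resolution, appears to be what yields the `.000` milliseconds the new test expects, and nothing in the code says it is intentional. State it with a comment such as `// Truncate to whole seconds on purpose: date-time() must not expose sub-second precision under RFP.`, and write the conversions as `static_cast<PRTime>(…)` and `static_cast<double>(PR_Now())` so the order of operations is visible. Separately, `NS_ENSURE_STATE(sourceDoc)` now makes `date:date-time()` fail when no source document is available. That fails closed, which is the safe direction for a fingerprinting control, but it deserves a one-line comment since the call could not fail here before. The enclosing `evaluate` body continues outside the hunk.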
@@ -641,7 +649,7 @@ Expr::ResultType txEXSLTFunctionCall::getReturnType() {
bool txEXSLTFunctionCall::isSensitiveTo(ContextSensitivity aContext) {
if (mType == txEXSLTType::NODE_SET || mType == txEXSLTType::SPLIT ||
- mType == txEXSLTType::TOKENIZE) {
+ mType == txEXSLTType::TOKENIZE || mType == txEXSLTType::DATE_TIME) {
return (aContext & PRIVATE_CONTEXT) || argsSensitiveTo(aContext);
}
return argsSensitiveTo(aContext);
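Review bot: The new `mType == txEXSLTType::DATE_TIME` term in `isSensitiveTo` has no comment explaining why a zero-argument function is now treated as context-sensitive. Judging from the other hunk in this file, `evaluate` now calls `getSourceDocument(aContext)` for `date-time()`, and the removed string mentions being handed a `txEarlyEvalContext`, so this flag is presumably what keeps the call from being evaluated early without a document. That coupling is easy to break in a later refactor, after which `NS_ENSURE_STATE(sourceDoc)` would start failing transforms. A comment above the condition would record it, for example `// DATE_TIME reads the source document for its RFP checks, so it must not be evaluated with an early-eval context.`.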
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/bd93d2a71d3d40f0c8c05c18106d0f2ff5484c8d...cda055abc166920b28d997d09a20e5be3d8ddd84