[tor-bugs] #12621 [Tor Browser]: Review and audit Firefox changes since Firefox 24
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Aug 27 09:06:13 UTC 2014
#12621: Review and audit Firefox changes since Firefox 24
-------------------------+-------------------------------------------------
 Reporter: gk            | Owner: tbb-team
 Type: task              | Status: new
 Priority: major         | Milestone:
 Component: Tor Browser  | Version:
 Resolution:             | Keywords: MikePerry201408, TorBrowserTeam201408,
 Actual Points:          |   ff31-esr, tbb-rebase, tbb-firefox-patch
 Points:                 | Parent ID:
-------------------------+-------------------------------------------------
Comment (by mikeperry):
Ok, here are my notes from the review of the developer docs and the
undocumented bugs, by Firefox version:
- FF25:
  - Fingerprintable:
    - https://developer.mozilla.org/en-US/docs/Web/Guide/CSS/Media_queries#-moz-os-version
      - We probably should kill all of the Mozilla media query extensions. They all suck.
    - -moz-osx-font-smoothing: https://bugzilla.mozilla.org/show_bug.cgi?id=857142
    - HTMLCanvas.toBlob() changes (and other new APIs?)
      - https://developer.mozilla.org/en-US/docs/Web/API/CanvasRenderingContext2D
      - https://developer.mozilla.org/en-US/docs/Web/API/ImageData
  - Maybe fingerprintable:
    - https://developer.mozilla.org/en-US/docs/Web_Audio_API
      - AudioBuffer.copyTo/FromBuffer and related APIs might allow fingerprinting if OS-dependent libraries are used for FFT and other effect generation
    - https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Math
      - High-precision Math routines might allow OS/version fingerprinting
    - WebGL1 extensions become features: https://bugzilla.mozilla.org/show_bug.cgi?id=890379
- FF26:
  - Fingerprintable:
    - https://developer.mozilla.org/en-US/docs/Web/API/Screen.orientation
- FF27:
  - Maybe fingerprintable:
    - https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input#attr-type
      - Some of these field values may be locale-fingerprintable?
- FF28:
  - Maybe fingerprintable:
    - https://developer.mozilla.org/en-US/docs/Web/CSS/font-variant-ligatures
  - Conflicts:
    - window.screenX/Y reports CSS pixels: https://bugzilla.mozilla.org/show_bug.cgi?id=943668
    - Ensure navigator useragent/platform elements are still spoofed in workers: https://bugzilla.mozilla.org/show_bug.cgi?id=925847
- FF29:
  - Fingerprinting:
    - https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Intl
    - http://www.ecma-international.org/ecma-402/1.0/
    - String/Number/Date all have *locale* versions
    - https://developer.mozilla.org/en-US/docs/Web/Guide/API/Gamepad
    - Hint that JS wants to read canvas: https://bugzilla.mozilla.org/show_bug.cgi?id=884226
- FF30:
  - Maybe fingerprintable:
    - Canvas HitRegions?
      - https://bugzilla.mozilla.org/show_bug.cgi?id=966591
  - Proxy safety:
    - Is Gstreamer proxy-safe?
  - Maybe tracking:
    - Can content-created elements persist? Probably not.
      - https://bugzilla.mozilla.org/show_bug.cgi?id=856140
- FF31:
  - Resource timing: https://bugzilla.mozilla.org/show_bug.cgi?id=822480
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12621#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online