[tor-bugs] #17207 [Tor Browser]: Testing navigator.mimeTypes for known names can reveal info and increase fingerprinting risk
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Oct 29 20:25:38 UTC 2015
#17207: Testing navigator.mimeTypes for known names can reveal info and increase fingerprinting risk
--------------------------------------------------+----------------------------------
 Reporter:  TemporaryNick                         |          Owner:  arthuredelstein
     Type:  defect                                |         Status:  needs_review
 Priority:  High                                  |      Milestone:
Component:  Tor Browser                           |        Version:
 Severity:  Major                                 |     Resolution:
 Keywords:  tbb-fingerprinting,                   |  Actual Points:
            TorBrowserTeam201510R                 |         Points:
Parent ID:                                        |
  Sponsor:                                        |
--------------------------------------------------+----------------------------------
Changes (by arthuredelstein):
* status: needs_revision => needs_review
Comment:
Replying to [comment:14 gk]:
> First round of comments:
>
> 1) You probably want to do something like `#include "nsContentUtils.h"`
> in nsPluginArray.cpp, too (I wonder how you got it compiled without
> actually).
I wonder that too. Apparently it is included in a header file somewhere.
I've added `#include "nsContentUtils.h"` in nsPluginArray.cpp for clarity.
> 2) I don't understand
> {{{
> // TODO: The following line should be active in Firefox 45
> + // isnot(navigator.mimeTypes.length, 0, "navigator.mimeTypes array
should be 0");
> }}}
> .
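Review bot: The commented-out assertion under the TODO contradicts its own message: the call is `isnot(navigator.mimeTypes.length, 0, ...)` while the message string reads "navigator.mimeTypes array should be 0". Make the two agree before the line is enabled (either an equality check with this message, or a message that states the length should not be 0), and put the reason the check is disabled into the TODO comment itself so the test documents what it is waiting for.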
>
> What does it mean? We don't need that test yet? If so, why not? Or does
> it mean we can't run that test right now because XXX would break it? If so
> what fixes this (Do you have a bug number?)? And does it mean we are safe
> for now with respect to leaking the length of the supported MIME types? If
> I am guessing right, the answer lies in
> https://bugzilla.mozilla.org/show_bug.cgi?id=757726 which got resolved as
> WON'TFIX. If that is true could you add a hint about that in the test
> explaining what is going on?
>
> 3) s/prmoise/promise/ in the test
Thanks. I've fixed these things:
https://github.com/arthuredelstein/tor-browser/commits/17207+2
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17207#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online