[tor-bugs] #18560 [Applications/Tor Browser]: WEBGL_debug_renderer_info extension may leak information about graphics driver

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue May 2 07:53:02 UTC 2017 

#18560: WEBGL_debug_renderer_info extension may leak information about graphics
driver
------------------------------------------+--------------------------
 Reporter:  gk                            |          Owner:  tbb-team
     Type:  defect                        |         Status:  assigned
 Priority:  Medium                        |      Milestone:
Component:  Applications/Tor Browser      |        Version:
 Severity:  Normal                        |     Resolution:
 Keywords:  ff59-esr, tbb-fingerprinting  |  Actual Points:
Parent ID:                                |         Points:
 Reviewer:                                |        Sponsor:  None
------------------------------------------+--------------------------
Changes (by gk):

 * keywords:  ff52-esr, tbb-fingerprinting, tbb-7.0-must-alpha => ff59-esr,
     tbb-fingerprinting
 * status:  needs_review => assigned
 * priority:  High => Medium


Comment:

 Replying to [comment:4 arthuredelstein]:
 > In 52ESR, this extension [https://dxr.mozilla.org/mozilla-
 esr52/rev/cb606065c4c1f021a03421eff069d64032cf9b4a/modules/libpref/init/all.js#4497
 remains disabled] in Beta and Release channels.

 Yes. This is gone with Firefox 53, though.

 > Moreover, in Tor Browser, we [https://gitweb.torproject.org/tor-
 browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-
 browser-52.1.0esr-7.0-2#n112 have] `pref("webgl.disable-extensions",
 true)`, which means that all webgl extensions are disabled (including
 WEBGL_debug_renderer_info).
 >
 > To be extra sure, I manually confirmed in TBB 7.0a3 that entering
 > {{{
 > document.createElement("canvas").getContext("experimental-
 webgl").getSupportedExtensions();
 > }}}
 > in a content JS console returns an empty array.
 >
 > We could postpone this ticket again to ff59-esr, but as long as we are
 disabling all extensions, I think the conclusion will be the same.

 I tend to agree. Might be worth, though, double-checking that this is
 actually the case (we could review the webgl extensions disabling code
 then).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18560#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list