[tor-bugs] #29563 [Applications]: css line-height revisted [at least zoom and linux]

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Feb 23 07:41:21 UTC 2019 

#29563: css line-height revisted [at least zoom and linux]
-----------------------------------+------------------------------
 Reporter:  Thorin                 |          Owner:  (none)
     Type:  defect                 |         Status:  new
 Priority:  Medium                 |      Component:  Applications
  Version:                         |       Severity:  Normal
 Keywords:  tbb-fingerprinting-os  |  Actual Points:
Parent ID:                         |         Points:
 Reviewer:                         |        Sponsor:
-----------------------------------+------------------------------
 The mozilla upstream ticket is
 https://bugzilla.mozilla.org/show_bug.cgi?id=1397994

 Following on from #23104, it seems that when applied on various (preset)
 zoom levels, that there are differences between Windows and Linux (I do
 not have any macOS or macOS X machines to test on)

 Tor Browser (and RFP in Firefox) actively ignores site specific zoom
 levels, and new tabs/windows will open at 100% zoom. But that does not
 stop someone from using zoom, and indeed the setting stays for the current
 tab when re-used (even when the domain changes - i.e it is a per tab
 setting in this context). Examples are poorly designed websites, small
 devices, users with poor eyesight - where the user is effectively forced
 to zoom (in or out)

 Looking at some test results: I used
 https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#useragent
 - see the `css line-height` field (and feel free to zoom and refresh) -
 also see the attachment for some spreadsheet results (png), which is not
 definitive, but enough to draw some conclusions.

 Clearly the mitigation in Windows covered all zoom settings, so was this a
 design decision? In Linux, it seems as if zoom was only factored in for
 `50`, `100`, `150`, `200`, and `300` (of the preset zoom levels). Is this
 because of some limitation in Linux?

 As a result, so far, at least 8 zoom levels in TBB on Linux are unique and
 leak the OS as Linux. The 9th zoom level not covered (`30%`) is not unique
 in Firefox overall, but is unique on Tor Browser (it is trivial to detect
 if Tor Browser is being used, so this is in effect a unique value as well)

 Note: for Tor Browser, you're not concerned with the Firefox values, I'm
 just showing them so you can see that outside of 100% zoom, without FP'ing
 protection, some results are not necessarily OS specific: e.g. FF62+
 Windows and Linux are identical at `50`, `67`, `80`, `90`, `150`, and
 `240%`.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29563>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list