[tor-bugs] #31206 [Applications/Tor Browser]: http://ip-check.info detects browser window size with JS disabled
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jul 19 18:55:44 UTC 2019
#31206: http://ip-check.info detects browser window size with JS disabled
--------------------------------------+--------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: reopened
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Critical | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by Thorin):
Blocking JS can thwart methods used to get entropy but the threat from CSS
is not the same. JS is far more powerful.
When allowing JS (or CSS in this case), you always look at worst-case
scenarios. Tor Browser should open at `1000px` x `100s` in height up to
`1000px`. And you are not meant to resize. This limits the buckets Tor
Browser users are in. CSS @media is not the problem: the problem is users
resizing their browser.
Now we have letterboxing (in alpha), and the inner window will snap to
`200s` x `100s` (I'm simplifying: there's stepping sizes) and now users
can resize their browser, go full-screen, toggle on/off the inspector,
find bar, bookmarks toolbar, sidebar, etc. Go nuts with it! While there
will be more "buckets" Tor Browser users fall into, it is still limited
and increases usability.
Letterboxing makes this issue about css `@media` a moot point - no matter
what you do, your css media inner window measurements will be protected
(excluding as you transition from one size to another = not a leak).
Please close the ticket.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31206#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
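
The bucketing effect described in the comment above, as an added example that is not part of the original ticket or of Tor Browser's code: it snaps constructed inner window sizes to the simplified 200px x 100px steps the comment mentions (the real stepping table differs) and compares how many distinct sizes, and how many bits of entropy, a CSS `@media` measurement would see before and after. The names `letterbox`, `entropyBits` and `compare` and the sample sizes are assumptions made for illustration.

```javascript
// Simplified stepping taken from the comment (200px x 100px). Tor Browser's
// real stepping table differs, so these constants are assumptions.
const STEP_W = 200;
const STEP_H = 100;

// Size of the content area that CSS @media queries measure once the
// viewport has been snapped down to the nearest step (rest becomes margin).
function letterbox(width, height) {
  const snap = (v, step) => Math.max(step, Math.floor(v / step) * step);
  return { width: snap(width, STEP_W), height: snap(height, STEP_H) };
}

// Number of distinct sizes and Shannon entropy (bits) of their distribution.
function entropyBits(sizes) {
  const counts = new Map();
  for (const s of sizes) {
    const key = `${s.width}x${s.height}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / sizes.length;
    bits -= p * Math.log2(p);
  }
  return { buckets: counts.size, bits };
}

// Constructed sample: inner window sizes of eight users who resized freely.
const SAMPLE = [
  { width: 1000, height: 700 }, { width: 1013, height: 742 },
  { width: 1187, height: 768 }, { width: 1366, height: 657 },
  { width: 1280, height: 693 }, { width: 1399, height: 611 },
  { width: 1920, height: 955 }, { width: 1903, height: 981 },
];

// Compare what a size measurement distinguishes with and without snapping.
function compare(sample = SAMPLE) {
  return {
    raw: entropyBits(sample),
    letterboxed: entropyBits(sample.map((s) => letterbox(s.width, s.height))),
  };
}

console.log(compare());
```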