[tor-bugs] #33534 [Applications/Tor Browser]: Review FF release notes from FF69 to latest (FF73)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Mar 24 01:49:29 UTC 2020
#33534: Review FF release notes from FF69 to latest (FF73)
--------------------------------------+--------------------------------
Reporter: pospeselr | Owner: pospeselr
Type: defect | Status: assigned
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points: 12
Parent ID: | Points:
Reviewer: | Sponsor: Sponsor58-must
--------------------------------------+--------------------------------
Changes (by pospeselr):
* actualpoints: => 12
Comment:
{{{
Release notes:
69:
Enhanced Tracking Protection
- I believe we want to turn this off
Web Authentication HmacSecret extension via Windows Hello (for Windows
10 versions > May 2019)
- suspect this feature violates our disk avoidance requirements
32-bit Firefox on 64-bit OS users no longer differentiable from 64-bit
Firefox on 64-bit OS
- navigator.userAgent, navigator.platform, navigator.oscpu props
- https://bugzilla.mozilla.org/show_bug.cgi?id=1559747
userChrome.css and userContent.css no longer enabled by default
- sure users will probably complain about this but seems like a
good thing
- toolkit.legacyUserProfileCustomizations.stylesheets -> true to
re-enable
69.0.1:
69.0.2:
69.0.3:
Seems like Firefox hooks into Windows Parental Controls (though
they are removed in newer versions of Windows 10?)
- I would think our build should stub out parental controls
and logging if we don't do this already
- https://bugzilla.mozilla.org/show_bug.cgi?id=1584613
- also has implementation for android and macos
70:
Firefox Lockwise (about:logins)
- violates disk avoidance
'Gift' icon in toolbar that spams users with feature updates/news
70.0.1:
71:
Picture-in-Picture video
- this feature is pretty awesome, but we should make sure it
doesn't expose fingerprinting surface
- can be toggled off with
media.videocontrols.picture-in-picture.enabled
72:
72.0.1:
72.0.2:
73:
Enhancement to Windows' High Contrast Mode, web renderer now adds
'readability backplate' of solid color between background and text
- possible finger-printing vector?
73.0.1:
74:
Developer release notes
69:
Lithuanian specific case rules (also exists for greek, dutch, others),
locale fingerprinting
- https://bugzilla.mozilla.org/show_bug.cgi?id=1322992
add-on api topsites.get() certainly seems sketchy af:
https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/topSites/get
- updated to add includePinned and includeSearchShortcuts options
70:
71:
72:
73:
74:
TextMetrics interface updated, canvas fingerprinting?
- https://bugzilla.mozilla.org/show_bug.cgi?id=1102584
75:
Noteworthy Tickets:
69:
1584613 - Parental control detection doesn't work on Windows 10
- make sure parental access checks are always disabled
1559747 - User-Agent string needn't reveal a user is running 32-bit
Firefox on a 64-bit OS
- make sure this is also true for Tor Browser if it isn't already
1561307 - Add pref to enable/disable the What's New Panel feature
- make sure this panel is disabled
70:
1570732 - Disable DoH if parental controls detected
- followup on 1584613 to ensure we don't have parental controls in
Tor Browser
1561273 - network ID: ipv4NetworkId/scanArp returns gateway IP instead
of its MAC
- certainly seems like we shouldn't have runnable code that can
read the user's IP or MAC
1563319 - Enable the What's New UI when pref is enabled
- make sure this is disabled
1572389 - Add pref to show normal lock icon for sites with EV
(Extended Validation) certificates
- so looks like we can bring back full EV names if we so wish
1576246 - Set pref browser.urlbar.eventTelemetry.enabled by default
- make sure this is disabled
1567826 - Don't mark localhost as insecure
- this should be fine but the patch does touch the url icon logic
1572936 - Move EV cert UI out of URL Bar
- security.identityblock.show_extended_validation pref for showing
EV in url bar, we may want to enable this for onionsites?
71:
1539212 - implement readability backplate for high contrast mode
- probably fingerprinting vector for folks with high contrast mode
enabled as it adds a new rendering layer
1585920 - network ID: fix VPN detection on Linux for non ethernet
devices
- seems like we would never want to calculate a fingerprintable
'Network ID' in tor-browser, though I'm not sure what this is or what it
does ( about:networking#networkid )
1565004 - TRR: Check for VPN on Windows to use platform DNS
- make sure there's no leakage here
72:
73:
1604761 - Firefox doesn't apply gnome "Large Text" accessibility
setting to web content
- we probably don't want this fix if it can be used for
fingerprinting?
1602194 - Use a site's icon as the window icon on Windows
- We probably don't want to do this, esp if we do the work to hide
the tab title from the window manager
1604932 - Implement a Top Sites provider
- seems like it offers site suggestions or tracks your browsing or
something
1602187 - Cache site icons for use when the site is not loaded.
- we need to make sure we're not doing this/that this does not
occur for in private tabs
74:
75:
1532486 - Ensure media cache is memory-only when in Private Browsing
Mode
- we need to enable browser.privatebrowsing.forceMediaMemoryCache
pref
1614769 - Cache shaders to disk even if they are compiled after the
10th frame
- make sure these don't get cached when in private browsing mode
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33534#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
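
Added example, not part of the original ticket comment and not Tor Browser code: a small auditor that parses a Firefox-style prefs file and checks the prefs named in the comment above against the values the comment asks for. The names REVIEWED_PREFS, parse_prefs and audit, and the sample file, are constructed for illustration; prefs the comment leaves undecided are reported as "review" rather than judged.

```python
import re

# Pref names come from the ticket comment. True/False is the value the comment
# asks for; None means the comment only flags the pref for a decision.
REVIEWED_PREFS = {
    "browser.privatebrowsing.forceMediaMemoryCache": True,   # "we need to enable"
    "browser.urlbar.eventTelemetry.enabled": False,          # "make sure this is disabled"
    "toolkit.legacyUserProfileCustomizations.stylesheets": None,
    "media.videocontrols.picture-in-picture.enabled": None,
    "security.identityblock.show_extended_validation": None,
}

# Matches user_pref("name", value); and pref("name", value); at line start,
# so commented-out lines ("// user_pref(...)") are ignored.
PREF_LINE = re.compile(r'^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_value(raw):
    """Convert a prefs-file literal to bool, int or str."""
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw

def parse_prefs(text):
    """Return {name: value}; a later line overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def audit(text):
    """Classify each reviewed pref as ok, mismatch, review or unset.
    "unset" means the build default applies, which this file cannot show."""
    prefs = parse_prefs(text)
    report = {}
    for name, want in REVIEWED_PREFS.items():
        if name not in prefs:
            report[name] = "unset"
        elif want is None:
            report[name] = "review"
        else:
            # identity check so that integer 1 does not pass as true
            report[name] = "ok" if prefs[name] is want else "mismatch"
    return report
```

Run audit() over the text of a profile's prefs.js or user.js; every "unset" result still has to be checked against the defaults compiled into the build.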