[tor-talk] loading some content changes Tor Browser 9.0 to full screen
Matthew Finkel
matthew.finkel at gmail.com
Tue Nov 19 20:53:00 UTC 2019
Hi!
Sorry for the delay, thanks for your questions.
On Tue, Nov 5, 2019 at 9:16 AM Joe <joebtfsplk at gmx.com> wrote:
>
> In TBB 9.0, should about:config "full-screen-api.enabled" be "true?"
> It is =true by default, in my auto-updated TBB 9.0, in Linux Mint.
Yes.
>
> I also see similar (default value) prefs, that may / may not be involved
> here:
> full-screen-api.allow-trusted-requests-only = true
> (does that refer to "trusted requests" from sites, or something else?)
>
> full-screen-api.transition-duration.enter = 0 0 (zeros separated by a
> space)
> full-screen-api.unprefix.enabled = true
Yes.
>
> TBB 9.0 is the first version I remember that loading anything caused TBB
> to go full screen - links, images, videos [non-flash, but played using
> TBB HTML5 player]. Though apparently some things caused problems years
> ago - see old bug.
>
> Found a several year old trac.torproject bug where some things caused
> window resizing.
> https://trac.torproject.org/projects/tor/ticket/9881
>
> > So what is your proposed patch for this bug then just doing a
> > |browser.link.open_newwindow.restriction = 0|?
>
> > Yes.
> >
> > Plus |full-screen-api.enabled = false| to fix #12609
> > <https://trac.torproject.org/projects/tor/ticket/12609>[note:
> > #12609 is closed]
>
> Is that pref's default value now back to true?
It never changed. That comment is a suggestion, it was never
implemented (as far as I know).
>
> My security level is Safer and java script in NS is disabled.
> But even to load text on some sites, at least the first party scripts
> must be allowed.
>
> Maybe js being enabled plus changes in Firefox allow scripts for some
> content to force the (real) detected full screen size, when js is enabled?
Fullscreen is only available if it is initiated by a user clicking on something.
https://searchfox.org/mozilla-esr68/source/dom/base/Element.cpp#3310 says:
// Only grant fullscreen requests if this is called from inside a trusted
// event handler (i.e. inside an event handler for a user initiated event).
// This stops the fullscreen from being abused similar to the popups of old,
// and it also makes it harder for bad guys' script to go fullscreen and
// spoof the browser chrome/window and phish logins etc.
// Note that requests for fullscreen inside a web app's origin are exempt
// from this restriction.
This also prevents leaking screen dimensions on a webpage unless you
explicitly click on an element that invokes full screen.
Yes, this still leaks real screen dimensions, as Mike discussed in
https://trac.torproject.org/projects/tor/ticket/12609
Disabling fullscreen is not a good solution. We have another ticket,
where the user is prompted before fullscreen is allowed, for that:
https://trac.torproject.org/projects/tor/ticket/12979
>
> But, I've not seen this problem (since TBB screen size was spoofed)
> until upgrading to TBB 9.0.
>
> For several reasons, like accidentally hitting the maximize window
> button vs. close browser button, seems like there should be a pref ? or
> setting that disables the maximize window icon. That won't fix the
> issue of some content making TBB go full screen.
The maximize button is not the same as requesting fullscreen, in
general. With letterboxing, maximizing the browser does not (should
not) leak real screen dimensions.
More information about the tor-talk
mailing list