HTML5 fullscreen API makes TB fingerprintable, disable it!
Shouldn't TB set the full-screen-api.enabled pref to false so websites can't fingerprint the screen size?
(Firefox's "exit/allow fullscreen" dialog appears after the window has become full screen.)
Activity
Proof of concept screen size fingerprinter: https://rawgit.com/anonymous/11543371dbc4052c1b1a/raw/e253cd0bafb2844bcd3ec971528fc67c72c66d36/jsbin.cicediwe.html
Trac:
Summary: HTML5 fullscreen API makes TB fingerprintable? Disable it? to HTML5 fullscreen API makes TB screen size fingerprintable, disable it!
Priority: major to criticalMore bad news: It's not only the screen size that is fingerprintable here, but also very probably the OS. Because what the attacker gets is the innerHeight/innerWidth - of a full screen window!
Trac:
Summary: HTML5 fullscreen API makes TB screen size fingerprintable, disable it! to HTML5 fullscreen API makes TB fingerprintable, disable it!It's not only way to get fingerprints today. Look at #9881 (moved) Many desktops in the world shares 640x480 (that reveals by this bug for example), but not so much browsers shares limitations for avail window size (that reveals by #9881 (moved)).
Proof of concept screen size fingerprinter Can it fingerprint automatically without click on page visit?
Trac:
Summary: HTML5 fullscreen API makes TB fingerprintable, disable it! to HTML5 fullscreen API makes TB screen size fingerprintable, disable it!Replying to cypherpunks:
Can it fingerprint automatically without click on page visit?
User interaction (clicks, hover, keyboard, etc.) is supposed to be necessary. Not a very high bar, though.
Replying to cypherpunks:
Because what the attacker gets is the innerHeight/innerWidth - of a full screen window! Why do you think it's inner size? My test reports real_desktop_width x (real_desktop_height - 1px).
Me too (Linux)... I assumed that's some weird GUI toolkit leftover pixel. Maybe I'm wrong and it's the same on every platform.
Replying to cypherpunks:
It's not only way to get fingerprints today. Look at #9881 (moved)
TB should really really set
dom.disable_window_move_resize = trueandbrowser.link.open_newwindow.restriction = 0. The current situation is horrific.The other two prefs fix #9881 (moved) (which is closely related) and are listed in ticket:9881#comment:22 for discussion. Should I split them up? But then you'd have to merge the lines manually anyway.
<html> <head> <title>HTML5 fullscreen API fingerprinter</title> <script> function fingerprint() { document.getElementById('x').mozRequestFullScreen(); setTimeout(function(){ window.alert(screen.width + "x" + screen.height); }, 1000); } </script> </head> <body onclick="fingerprint()"> <h1 id="x">click anywhere and wait a second</h1> <p>1 <p>2 <p>3 </body> </html>
Personally, I would rather fix the root Firefox bug here to actually prompt before making the widget full screen. Disabling full screen for everyone is bad UX. In terms of the number of people who will complain about either property, I think more will complain if we fully remove their ability to watch full screen videos.
Just about the only thing that would convince me otherwise is if this fingerprinting could be done invisibly, without the user becoming aware of it via a full screen video suddenly playing.
Replying to mikeperry:
Just about the only thing that would convince me otherwise is if this fingerprinting could be done invisibly, without the user becoming aware of it via a full screen video suddenly playing.
It can. The element does not have to be a video (or even be visible), and we can exit fullscreen mode right away (without user interaction) after the screen dimensions have been extracted.
Here's a v2 proof of concept that leaves fullscreen after 500 ms. Obviously this flicker could be reduced much further (100 ms worked fine, 10 ms didn't), but I'm not familiar enough with JavaScript and FS API race conditions to try.
It's true that the proper fix would be to open the permission dialog before entering fullscreen mode, but I hope we can use this pref as a temporary bugfix until then.
Trac:
Username: faetherIt's possible to set a video to fullscreen automatically (with javascript). I'd say to either prompt user when they try to enable full-screen that doing so reduces their anonymity slightly, or go with mikeperry's proposed solution below.
Per mikeperry's mention in #tor-dev, limiting full-screen mode to the size of the browser window still allows someone to make an educated guess at resolution. Which is still a big improvement over the default.
-
Uh oh, there's onresize events firing all over the place when you go to fullscreen. See below in the log, that number 1000x689? That's my actual browser window size, without the X11 border, +5px in height. Same strange 5px increase for the screen height, 1055.
[17:13:11.255] "1409245991255 pre-fs 1000x600" [17:13:11.308] "1409245991287 onresize 1000x689" [17:13:11.360] "1409245991360 onresize 1000x689" [17:13:11.370] "1409245991370 onresize 1680x1055" [17:13:12.256] "1409245992256 1000ms 1680x1055" [17:13:12.257] Exited full-screen because full-screen element was removed from document. [17:13:12.273] "1409245992272 onresize 1680x966" [17:13:12.317] "1409245992317 onresize 1000x600" [17:13:13.256] "1409245993256 2000ms 1000x600"generated using fingerprinter v3: https://rawgit.com/anonymous/f63b0650637fef3dcdf1/raw/a4199acc17e23ca301a4b71bbe916143b9b5f89b/fs-v3.html (try running it multiple times if it doesn't get your browser window size)
Trac:
Username: faether -
FWIW, I think that #12977 (moved) is the right way to deal with this issue.
Trac:
Keywords: tbb-fingerprinting deleted, tbb-fingerprinting-resolution added -
Trac:
Username: tokotoko
Cc: gk, lunar to gk, lunar, fdsfgs@krutt.org mentioned in issue #32713 (moved)
mentioned in issue #33479 (moved)
mentioned in issue tpo/applications/tor-browser#33479
