Review and audit Firefox changes since Firefox 24

As the first step in the the switch to Firefox 31 in October, we'll need to review all of the Firefox for Developers pages, the undocumented bugs, and scan the source code for the appearance of new networking system calls.

added MikePerry201408 TorBrowserTeam201408 component::applications/tor browser ff31-esr owner::tbb-team priority::high resolution::fixed status::closed tbb-firefox-patch tbb-rebase type::task labels

Trac:
Cc: N/A to intrigeri

Trac:
Cc: intrigeri to intrigeri, arthuredelstein@gmail.com

Trac:
Keywords: N/A deleted, tbb-firefox-patch added

Trac:
Component: Firefox Patch Issues to Tor Browser
Owner: mikeperry to tbb-team

Trac:
Keywords: N/A deleted, TorBrowserTeam201408, MikePerry201408 added

Ok, here are my notes from the review of the developer docs and the undocumented bugs, by Firefox version:

• FF25:
  • Fingerprintable:
    • https://developer.mozilla.org/en-US/docs/Web/Guide/CSS/Media_queries#-moz-os-version
      • We probably should kill all of the Mozilla media query extensions. They all suck.
    • -moz-osx-font-smoothing: https://bugzilla.mozilla.org/show_bug.cgi?id=857142
    • HTMLCanvas.toBlob() changes (and other new APIs?)
      • https://developer.mozilla.org/en-US/docs/Web/API/CanvasRenderingContext2D
      • https://developer.mozilla.org/en-US/docs/Web/API/ImageData
  • Maybe fingerprintable:
    • https://developer.mozilla.org/en-US/docs/Web_Audio_API
      • AudioBuffer.copyTo/FromBuffer and related APIs might allow fingerprinting if OS-dependent libraries are used for FFT and other effect generation
    • https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Math
      • High-precision Math routines might allow OS/version fingeprinting
    • WebGL1 extensions become features: https://bugzilla.mozilla.org/show_bug.cgi?id=890379
• FF26:
  • Fingerprintable:
    • https://developer.mozilla.org/en-US/docs/Web/API/Screen.orientation
• FF27:
  • Maybe fingerprintable:
    • https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input#attr-type
      • Some of these field values may be locale-fingerprintable?
• FF28:
  • Maybe fingerprintable:
    • https://developer.mozilla.org/en-US/docs/Web/CSS/font-variant-ligatures
  • Conflicts:
    • window.screenX/Y reports CSS pixels: https://bugzilla.mozilla.org/show_bug.cgi?id=943668
    • Ensure navigator useragent/platform elements are still spoofed in workers: https://bugzilla.mozilla.org/show_bug.cgi?id=925847
• FF29:
  • Fingerprinting:
    • https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Intl
      • http://www.ecma-international.org/ecma-402/1.0/
      • String/Number/Date all have locale versions
    • https://developer.mozilla.org/en-US/docs/Web/Guide/API/Gamepad
    • Hint that JS wants to read canvas: https://bugzilla.mozilla.org/show_bug.cgi?id=884226
• FF30:
  • Maybe fingerprintable:
    • Canvas HitRegions?
      • https://bugzilla.mozilla.org/show_bug.cgi?id=966591
  • Proxy safety:
    • Is Gstreamer proxy-safe?
  • Maybe tracking:
    • Can content-created elements persist? Probably not.
      • https://bugzilla.mozilla.org/show_bug.cgi?id=856140
• FF31:
  • Resource timing: https://bugzilla.mozilla.org/show_bug.cgi?id=822480

I have filed #13016 (moved), #13017 (moved), #13018 (moved), #13019 (moved), #13020 (moved), #13021 (moved), #13021 (moved), #13022 (moved), #13023 (moved), #13024 (moved), #13025 (moved), #13026 (moved), #13027 (moved), and updated #10299 (moved) for the above.

They should all be tagged with ff31-esr. Some of them I didn't bother to tag with this month's tag because they seemed like OS fingerprinting vectors, which already are plentiful and we haven't started addressing yet.

Trac:
Status: new to closed
Resolution: N/A to fixed

Oh, and #13028 (moved) for the misc networking review.

closed

moved to tpo/applications/tor-browser#12621 (closed)