Opened 5 years ago

Closed 4 years ago

#13024 closed defect (fixed)

Disable resource timing API?

Reported by: mikeperry
Owned by: gk
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity:
Keywords: tbb-pref, ff38-esr, tbb-fingerprinting-time-highres, tbb-testcase, boklm201410R
Cc: boklm
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

We disable the navigation timing API (by making it report 0s by setting dom.enable_performance to false). We should probably also disable the resource timing API?

https://bugzilla.mozilla.org/show_bug.cgi?id=822480

Change History (11)

comment:1 Changed 5 years ago by gacar

This API is the ideal attack surface for cache-timing attacks similar to 1 and 2.

Although the timing information is restricted to same-origin scripts by default, websites can relax this by sending a `Timing-Allow-Origin` response header.

So, it seems wise to disable the relevant pref, dom.enable_resource_timing.

comment:2 Changed 5 years ago by mikeperry

Keywords: tbb-pref added

comment:3 Changed 5 years ago by gk

Keywords: tbb-testcase added
Owner: changed from tbb-team to gk
Status: new → assigned

This is disabled by default. But it seems wise to have a test that either makes sure this is the case or, maybe better, shows that no timing information is leaked.

comment:4 Changed 5 years ago by boklm

Cc: boklm added

comment:5 Changed 5 years ago by gk

Testing the pref is disabled and getting this to work both in ESR 24 and 31 is done. I am currently writing a real API test to prevent issues like #13186 as defense-in-depth.

comment:6 Changed 5 years ago by mikeperry

Keywords: ff38-esr added; ff31-esr TorBrowserTeam201409 removed

comment:7 Changed 5 years ago by gk

Keywords: boklm201410R added
Status: assigned → needs_review

Okay, the tests are in my bug_13024. I have tested both tests with Tor Browser based on ESR 24 and 31 and verified that it fails with resource timing enabled.

Leaving the ticket open for ESR 38, though, as we need to disable the pref with a patch then.

Last edited 5 years ago by gk
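
A sketch of the kind of API-level check discussed in comments 3 to 7, as an added example; it is not gk's test from the bug_13024 branch. The names `auditResourceTiming` and `TIMING_FIELDS` and both sample objects are constructed for illustration, and it assumes that a browser with the API disabled exposes no `resource` entries.

```javascript
// Added example (not the project's test): audit a Performance-like object
// for data exposed through the Resource Timing API.
// Numeric timing attributes defined by the Resource Timing specification.
const TIMING_FIELDS = [
  "startTime", "duration", "fetchStart", "domainLookupStart", "domainLookupEnd",
  "connectStart", "connectEnd", "requestStart", "responseStart", "responseEnd",
];

function auditResourceTiming(perf) {
  const findings = [];
  if (!perf || typeof perf.getEntriesByType !== "function") {
    return { leaks: false, findings }; // API absent: nothing can be read
  }
  for (const entry of perf.getEntriesByType("resource")) {
    const exposed = TIMING_FIELDS.filter(
      (f) => typeof entry[f] === "number" && entry[f] !== 0
    );
    // An entry counts as a finding even if every timing is zero, because
    // its presence already reveals which resource was fetched.
    findings.push({ name: entry.name, exposed });
  }
  return { leaks: findings.length > 0, findings };
}

// Constructed sample objects, not captured from a real browser.
// Assumption: with the API disabled, no "resource" entries are exposed.
const prefDisabled = { getEntriesByType: () => [] };
const prefEnabled = {
  getEntriesByType: (type) => (type !== "resource" ? [] : [
    // Cross-origin resource without Timing-Allow-Origin: the detailed
    // attributes are zeroed, but start, duration and end are still reported.
    { name: "https://third-party.example/a.png", startTime: 120.5,
      duration: 35.2, fetchStart: 120.5, domainLookupStart: 0,
      domainLookupEnd: 0, connectStart: 0, connectEnd: 0, requestStart: 0,
      responseStart: 0, responseEnd: 155.7 },
    // Same-origin resource (or one sent with Timing-Allow-Origin):
    // every attribute is populated.
    { name: "https://site.example/app.js", startTime: 80, duration: 40,
      fetchStart: 80, domainLookupStart: 81, domainLookupEnd: 85,
      connectStart: 85, connectEnd: 95, requestStart: 96,
      responseStart: 110, responseEnd: 120 },
  ]),
};

console.log(JSON.stringify(auditResourceTiming(prefDisabled)));
console.log(JSON.stringify(auditResourceTiming(prefEnabled), null, 2));
```

In a page context the same function can be called as `auditResourceTiming(window.performance)`; a regression test would assert that `leaks` is `false`.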

comment:8 Changed 5 years ago by boklm

The branch bug_13024 on tor-browser-bundle-testsuite has been merged.

comment:9 Changed 5 years ago by gk

Status: needs_review → new

comment:10 Changed 5 years ago by mikeperry

Keywords: tbb-fingerprinting-time-highres added; tbb-fingerprinting removed

comment:11 Changed 4 years ago by mikeperry

Resolution: fixed
Status: new → closed

I disabled this API via the pref for 5.0a3.