Look into Yan's browser fingerprinting tricks
Yan has a brilliant slide deck on browser fingerprinting, here: https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf
We need to figure out which of these vulnerabilities Tor Browser has, and fix them. Do we need to isolate HSTS and HPKP caches to the URL bar domain? Apparently #1517 (reduce JS time precision) helps protect Tor Browser from Yan's implementations, but there may be ways around that limitation.
There is also a demo here: https://zyan.scripts.mit.edu/sniffly/