Opened 2 years ago

Closed 2 years ago

#18545 closed task (fixed)

Review Firefox Developer Docs and Undocumented bugs since FF38esr

Reported by: gk
Owned by: tbb-team
Priority: Very High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Critical
Keywords: ff45-esr, TorBrowserTeam201605
Cc: mcs, brade, arthuredelstein
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor: SponsorU

Description

We should start with the ESR 45 feature review.

Child Tickets

Change History (25)

comment:1 Changed 2 years ago by gk

I already started back then with Firefox 39 and 40 (comment:4:ticket:16444) but then got distracted. But, hey, two less to do for a first pass is an improvement still. :)

comment:2 Changed 2 years ago by gk

Cc: TorBrowserTeam201603 added

comment:3 Changed 2 years ago by gk

Keywords: TorBrowserTeam201603 added

comment:4 Changed 2 years ago by gk

Cc: TorBrowserTeam201603 removed

comment:6 Changed 2 years ago by gk

And the important developer documentations can be found on https://developer.mozilla.org/en-US/Firefox/Releases.

comment:8 Changed 2 years ago by gk

For Firefox 41 I have:

1) SVG icons are now supported as site icons (https://bugzilla.mozilla.org/show_bug.cgi?id=366324) -- does that work with our SVG disabling patch properly?

2) link rel=preconnect supports a crossorigin attribute now (#16998 for the whole feature)

3) canvas got a captureStream method; we should make sure that our canvas blocker takes care of that one as well https://bugzilla.mozilla.org/show_bug.cgi?id=1032848 (#15640)

4) failIfMajorPerformanceCaveat might aid in fingerprinting (https://bugzilla.mozilla.org/show_bug.cgi?id=1164970)

5) the user timing API in Web workers might expose a (new) high-resolution timer to content https://bugzilla.mozilla.org/show_bug.cgi?id=1155761

Last edited 2 years ago by gk (previous) (diff)

comment:9 in reply to: 8 Changed 2 years ago by gk

Replying to gk:

For Firefox 41 I have:

1) SVG icons are now supported as site icons (https://bugzilla.mozilla.org/show_bug.cgi?id=366324) -- does that work with our SVG disabling patch properly?

2) link rel=preconnect supports a crossorigin attribute now (#16998 for the whole feature)

3) canvas got a captureStream method; we should make sure that our canvas blocker takes care of that one as well https://bugzilla.mozilla.org/show_bug.cgi?id=1032848

Seems to be #15640 where this particular concern should be handled.

4) failIfMajorPerformanceCaveat might aid in fingerprinting (https://bugzilla.mozilla.org/show_bug.cgi?id=1164970)

5) the user timing API in Web workers might expose a (new) high-resolution timer to content https://bugzilla.mozilla.org/show_bug.cgi?id=1155761

comment:10 Changed 2 years ago by gk

For Firefox 42 I only have:

"The WEBGL_debug_renderer_info extension has been turned on by default" which we can get off of our radar right now as it is not enabled on the release channels yet (#18560).

comment:11 Changed 2 years ago by gk

Oh, Private Browsing Mode Tracking Protection is dealt with in #17898.

comment:12 Changed 2 years ago by gk

Sponsor: None → SponsorU

comment:13 Changed 2 years ago by gk

For Firefox 43 I only have the PerformanceObserver interface being added which reminded me to file a ticket for enhancing our tests taking care of it (#18597).

comment:14 Changed 2 years ago by gk

For Firefox 44 I have:

a) The WebSpeech API (especially the speech recognition feature) which is disabled by pref for now (#18598)

b) OffScreenCanvas API (#18599)

comment:15 Changed 2 years ago by gk

It seems we are good wrt Firefox 45.

comment:16 Changed 2 years ago by gk

I've filed #18601, #18602 and #18603 for the missing items.

comment:17 Changed 2 years ago by gk

I forgot two queries from #16090:

https://bugzilla.mozilla.org/buglist.cgi?bug_status=RESOLVED&product=Core&query_format=advanced&resolution=FIXED&bug_status=VERIFIED&target_milestone=mozilla39&order=priority%2Cbug_severity&limit=0

and

https://bugzilla.mozilla.org/buglist.cgi?resolution=---&query_format=advanced&product=Core&target_milestone=mozilla39

I'll start with them and will go through every Firefox release. Yes, I adapted the first search query a bit as it seemed with the old one we missed the VERIFIED bugs that were fixed nevertheless. That resulted in #18589 which we should have found earlier.

comment:18 Changed 2 years ago by mcs

While Kathy and I were working on #18599, we looked at the ImageBitmap features that were added starting with Firefox 42. Probably gk already looked at these; we do not see a way to use ImageBitmap to extract image data from a canvas or other potentially fingerprintable source.

comment:19 Changed 2 years ago by gk

Keywords: TorBrowserTeam201604 added; TorBrowserTeam201603 removed

comment:20 Changed 2 years ago by brade

Kathy and I reviewed all of the release notes and developer docs for Firefox 39-45. We have not yet looked at the complete bug lists (comment:17). Here are some things that might be worth another look (some of these may have been looked at in more detail by gk already):

CacheStorage. It seems that this can be used by Web Workers and regular JS code (not just by Service Workers).
https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage

Server logging. This is kind of a strange feature: server applications can return an X- HTTP header to cause items to be logged to the developer console. Maybe it is only done when the console is open and the user is monitoring network requests (I am not sure). Kathy and I do not like the idea that this is enabled, but it may be harmless.
https://developer.mozilla.org/en-US/docs/Tools/Web_Console/Console_messages#Server

window.screen.orientation. This is possibly a fingerprinting vector unless it always returns "landscape-primary" on desktop Firefox (it may still be an issue for Orfox). Or did we decide that applications can derive this kind of info from the window size/aspect ratio anyway?
https://developer.mozilla.org/en-US/docs/Web/API/Screen/orientation

Navigator.onLine. This can be used to monitor the connected state of a user's computer. We can disable it by setting network.manage-offline-status = false.
https://developer.mozilla.org/en-US/docs/Web/API/NavigatorOnLine/onLine

Enable H.264 if system decoder is available (Linux). Kathy and I do not know enough about the world of video decoders to know if this could be a significant fingerprinting vector.
https://bugzilla.mozilla.org/show_bug.cgi?id=1213499

comment:21 in reply to: 20; Changed 2 years ago by gk

Replying to brade:

Kathy and I reviewed all of the release notes and developer docs for Firefox 39-45. We have not yet looked at the complete bug lists (comment:17).

That's fine. I am halfway through and think having just one doing that is okay.

Here are some things that might be worth another look (some of these may have been looked at in more detail by gk already):

Thanks for looking at it!

CacheStorage. It seems that this can be used by Web Workers and regular JS code (not just by Service Workers).
https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage

Do you have a bug indicating that? CacheStorage is part of the Service Workers spec and that whole MDN page indicates that, too.

Server logging. This is kind of a strange feature: server applications can return an X- HTTP header to cause items to be logged to the developer console. Maybe it is only done when the console is open and the user is monitoring network requests (I am not sure). Kathy and I do not like the idea that this is enabled, but it may be harmless.
https://developer.mozilla.org/en-US/docs/Tools/Web_Console/Console_messages#Server

Hm. This is https://bugzilla.mozilla.org/show_bug.cgi?id=1168872. So what if we put that feature behind a pref? Disabling it by default in Tor Browser?

window.screen.orientation. This is possibly a fingerprinting vector unless it always returns "landscape-primary" on desktop Firefox (it may still be an issue for Orfox). Or did we decide that applications can derive this kind of info from the window size/aspect ratio anyway?
https://developer.mozilla.org/en-US/docs/Web/API/Screen/orientation

#13025 did not solve this?

Navigator.onLine. This can be used to monitor the connected state of a user's computer. We can disable it by setting network.manage-offline-status = false.
https://developer.mozilla.org/en-US/docs/Web/API/NavigatorOnLine/onLine

I definitely came across this one and was thinking about it but I am not sure anymore why I did not put it up in my review notes. I think flipping that pref back is a good option, #18945.

Enable H.264 if system decoder is available (Linux). Kathy and I do not know enough about the world of video decoders to know if this could be a significant fingerprinting vector.
https://bugzilla.mozilla.org/show_bug.cgi?id=1213499

We could investigate which Linux systems would be affected by this: #18946.
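Added example, not code from this ticket or from the Tor Browser project: a small feature-exposure audit covering the surfaces flagged in comment:8 (canvas.captureStream, failIfMajorPerformanceCaveat), comment:13 (PerformanceObserver), comment:14 (WebSpeech recognition, OffscreenCanvas) and comment:20/21 (CacheStorage as window.caches, screen.orientation, navigator.onLine). It takes a window-like object so the same probes can run against the real `window` from a test page or against a constructed mock in Node. The function and mock names (auditSurfaces, flaggedSurfaces, SURFACE_PROBES, makeStockMock, makeHardenedMock) are assumptions for this example, and the two mocks are constructed data, not measurements of any browser build.

```javascript
// Added example (not from the ticket): audit which of the reviewed surfaces a
// window-like object reaches. All names here are assumed for the example.

// `in` lookup that tolerates a missing object instead of throwing.
function hasProp(obj, prop) {
  return obj != null && prop in obj;
}

// Each probe returns { flagged, detail }. "flagged" means the surface behaves
// in the way the ticket considered worth a look: the API is reachable, or
// (for orientation / onLine) it reports something beyond the expected value.
const SURFACE_PROBES = {
  // comment:8 (3): captureStream on canvas elements
  'canvas.captureStream': (w) => {
    const proto = w.HTMLCanvasElement && w.HTMLCanvasElement.prototype;
    return { flagged: hasProp(proto, 'captureStream'), detail: '' };
  },
  // comment:8 (4): failIfMajorPerformanceCaveat honoured by getContext('webgl')
  'webgl.failIfMajorPerformanceCaveat': (w) => {
    const canvas = w.document.createElement('canvas');
    const gl = canvas.getContext('webgl', { failIfMajorPerformanceCaveat: true });
    const attrs = gl ? gl.getContextAttributes() : null;
    const honoured = !!attrs && attrs.failIfMajorPerformanceCaveat === true;
    return { flagged: honoured, detail: gl ? 'context created' : 'no webgl context' };
  },
  // comment:13: PerformanceObserver constructor present
  'PerformanceObserver': (w) => ({ flagged: typeof w.PerformanceObserver === 'function', detail: '' }),
  // comment:14 (a): WebSpeech recognition, unprefixed or webkit-prefixed
  'SpeechRecognition': (w) => ({
    flagged: typeof w.SpeechRecognition === 'function' || typeof w.webkitSpeechRecognition === 'function',
    detail: '',
  }),
  // comment:14 (b): OffscreenCanvas constructor present
  'OffscreenCanvas': (w) => ({ flagged: typeof w.OffscreenCanvas === 'function', detail: '' }),
  // comment:20: CacheStorage reachable from a regular window as `caches`
  'window.caches': (w) => ({ flagged: hasProp(w, 'caches') && w.caches != null, detail: '' }),
  // comment:20: screen.orientation; on desktop the expected value is landscape-primary
  'screen.orientation': (w) => {
    const o = w.screen && w.screen.orientation;
    const type = o ? String(o.type) : '';
    return { flagged: !!o && type !== 'landscape-primary', detail: type };
  },
  // comment:20: navigator.onLine; with network.manage-offline-status=false it stays true
  'navigator.onLine': (w) => {
    const n = w.navigator;
    const present = hasProp(n, 'onLine');
    return { flagged: present && n.onLine !== true, detail: present ? String(n.onLine) : 'absent' };
  },
};

// Run every probe; a probe that throws (missing global, no document, ...)
// is recorded as not flagged rather than aborting the audit.
function auditSurfaces(win) {
  const report = {};
  for (const [name, probe] of Object.entries(SURFACE_PROBES)) {
    try {
      report[name] = probe(win);
    } catch (e) {
      report[name] = { flagged: false, detail: 'probe failed: ' + e.message };
    }
  }
  return report;
}

// Sorted names of the surfaces that are flagged for the given window.
function flaggedSurfaces(win) {
  return Object.entries(auditSurfaces(win))
    .filter(([, r]) => r.flagged)
    .map(([name]) => name)
    .sort();
}

// Constructed mock of a window where every reviewed surface is reachable.
function makeStockMock() {
  const gl = { getContextAttributes: () => ({ failIfMajorPerformanceCaveat: true }) };
  return {
    HTMLCanvasElement: { prototype: { captureStream() {} } },
    document: { createElement: () => ({ getContext: () => gl }) },
    PerformanceObserver: function () {},
    SpeechRecognition: function () {},
    OffscreenCanvas: function () {},
    caches: {},
    screen: { orientation: { type: 'portrait-primary' } },
    navigator: { onLine: false },
  };
}

// Constructed mock of a window where each surface is absent or neutralised.
function makeHardenedMock() {
  return {
    HTMLCanvasElement: { prototype: {} },
    document: { createElement: () => ({ getContext: () => null }) },
    screen: { orientation: { type: 'landscape-primary' } },
    navigator: { onLine: true },
  };
}

// Stand-alone run: in a browser pass `window`, here the constructed mocks.
const target = typeof window !== 'undefined' ? window : makeStockMock();
console.log('flagged:', flaggedSurfaces(target));
console.log('hardened mock flags:', flaggedSurfaces(makeHardenedMock()));
```

In a browser the last lines audit the real `window`; on a build where the relevant prefs or patches are in place the flagged list should match the hardened mock (empty), and any name that still appears is a regression to look at.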

comment:22 Changed 2 years ago by gk

Keywords: TorBrowserTeam201605 added; TorBrowserTeam201604 removed

Moving tickets

comment:23 in reply to: 21; Changed 2 years ago by mcs

Replying to gk:

Replying to brade:

Kathy and I reviewed all of the release notes and developer docs for Firefox 39-45. We have not yet looked at the complete bug lists (comment:17).

That's fine. I am halfway through and think having just one doing that is okay.

Here are some things that might be worth another look (some of these may have been looked at in more detail by gk already):

Thanks for looking at it!

CacheStorage. It seems that this can be used by Web Workers and regular JS code (not just by Service Workers).
https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage

Do you have a bug indicating that? CacheStorage is part of the Service Workers spec and that whole MDN page indicates that, too.

The API page includes "It provides a master directory of all the named caches that a ServiceWorker, other type of worker or window scope can access (you don't have to use it with service workers, even though that is the spec that defines it) and maintains a mapping of string names to corresponding Cache objects." Also, some of the top-level objects are present in regular DOM windows. See: https://lists.torproject.org/pipermail/tbb-dev/2016-May/000372.html

Server logging. This is kind of a strange feature: server applications can return an X- HTTP header to cause items to be logged to the developer console. Maybe it is only done when the console is open and the user is monitoring network requests (I am not sure). Kathy and I do not like the idea that this is enabled, but it may be harmless.
https://developer.mozilla.org/en-US/docs/Tools/Web_Console/Console_messages#Server

Hm. This is https://bugzilla.mozilla.org/show_bug.cgi?id=1168872. So what if we put that feature behind a pref? Disabling it by default in Tor Browser?

Kathy and I think adding a pref is a good idea, although we leave the decision to you (we cannot prove that this will cause any security or privacy issues).

window.screen.orientation. This is possibly a fingerprinting vector unless it always returns "landscape-primary" on desktop Firefox (it may still be an issue for Orfox). Or did we decide that applications can derive this kind of info from the window size/aspect ratio anyway?
https://developer.mozilla.org/en-US/docs/Web/API/Screen/orientation

#13025 did not solve this?

It looks like the new code does not go through the function that was patched by the #13025 fix. I opened #18958 for this issue.

comment:24 in reply to: 23 Changed 2 years ago by gk

Replying to mcs:

Replying to gk:

Replying to brade:

Kathy and I reviewed all of the release notes and developer docs for Firefox 39-45. We have not yet looked at the complete bug lists (comment:17).

That's fine. I am halfway through and think having just one doing that is okay.

Here are some things that might be worth another look (some of these may have been looked at in more detail by gk already):

Thanks for looking at it!

CacheStorage. It seems that this can be used by Web Workers and regular JS code (not just by Service Workers).
https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage

Do you have a bug indicating that? CacheStorage is part of the Service Workers spec and that whole MDN page indicates that, too.

The API page includes "It provides a master directory of all the named caches that a ServiceWorker, other type of worker or window scope can access (you don't have to use it with service workers, even though that is the spec that defines it) and maintains a mapping of string names to corresponding Cache objects." Also, some of the top-level objects are present in regular DOM windows. See: https://lists.torproject.org/pipermail/tbb-dev/2016-May/000372.html

Thanks. Filed as #18995.

Server logging. This is kind of a strange feature: server applications can return an X- HTTP header to cause items to be logged to the developer console. Maybe it is only done when the console is open and the user is monitoring network requests (I am not sure). Kathy and I do not like the idea that this is enabled, but it may be harmless.
https://developer.mozilla.org/en-US/docs/Tools/Web_Console/Console_messages#Server

Hm. This is https://bugzilla.mozilla.org/show_bug.cgi?id=1168872. So what if we put that feature behind a pref? Disabling it by default in Tor Browser?

Kathy and I think adding a pref is a good idea, although we leave the decision to you (we cannot prove that this will cause any security or privacy issues).

Filed the investigation as #18996.

comment:25 Changed 2 years ago by gk

Resolution: fixed
Status: new → closed

Okay, this is finally done. One additional issue got found (#19047) and now we are good here. Closing.
