Opened 4 years ago
Closed 4 years ago
#18545 closed task (fixed)
Review Firefox Developer Docs and Undocumented bugs since FF38esr
Reported by: | gk | Owned by: | tbb-team |
---|---|---|---|
Priority: | Very High | Milestone: | |
Component: | Applications/Tor Browser | Version: | |
Severity: | Critical | Keywords: | ff45-esr, TorBrowserTeam201605 |
Cc: | mcs, brade, arthuredelstein | Actual Points: | |
Parent ID: | | Points: | |
Reviewer: | | Sponsor: | SponsorU |
Description
We should start with the ESR 45 feature review.
Child Tickets
Change History (25)
comment:1 Changed 4 years ago by
comment:2 Changed 4 years ago by
Cc: | TorBrowserTeam201603 added |
---|
comment:3 Changed 4 years ago by
Keywords: | TorBrowserTeam201603 added |
---|
comment:4 Changed 4 years ago by
Cc: | TorBrowserTeam201603 removed |
---|
comment:5 Changed 4 years ago by
For reference, here are links to the release notes for each Firefox version:
https://www.mozilla.org/en-US/firefox/releases/
And here is a list of all bugs fixed in Firefox after FF38, up to and including FF45.
comment:6 Changed 4 years ago by
And the important developer documentation can be found on https://developer.mozilla.org/en-US/Firefox/Releases.
comment:7 Changed 4 years ago by
Sponsor: | → None |
---|
Mozilla uses a different query for "Complete list of changes for this release":
https://bugzilla.mozilla.org/buglist.cgi?j_top=OR&f1=target_milestone&o3=equals&v3=Firefox%2045&o1=equals&resolution=FIXED&o2=anyexact&query_format=advanced&f3=target_milestone&f2=cf_status_firefox45&bug_status=RESOLVED&bug_status=VERIFIED&bug_status=CLOSED&v1=mozilla45&v2=fixed%2Cverified&limit=0
comment:8 follow-up: 9 Changed 4 years ago by
For Firefox 41 I have:
1) SVG icons are now supported as site icons (https://bugzilla.mozilla.org/show_bug.cgi?id=366324) -- does that work with our SVG disabling patch properly?
2) link rel=preconnect supports a crossorigin attribute now (#16998 for the whole feature)
3) canvas got a captureStream method; we should make sure that our canvas blocker takes care of that one as well https://bugzilla.mozilla.org/show_bug.cgi?id=1032848 (#15640)
4) failIfMajorPerformanceCaveat might aid in fingerprinting (https://bugzilla.mozilla.org/show_bug.cgi?id=1164970)
5) user timing API in Web workers might expose (new) high resolution timer to content https://bugzilla.mozilla.org/show_bug.cgi?id=1155761
comment:9 Changed 4 years ago by
Replying to gk:
> For Firefox 41 I have:
> 1) SVG icons are now supported as site icons (https://bugzilla.mozilla.org/show_bug.cgi?id=366324) -- does that work with our SVG disabling patch properly?
> 2) link rel=preconnect supports a crossorigin attribute now (#16998 for the whole feature)
> 3) canvas got a captureStream method; we should make sure that our canvas blocker takes care of that one as well https://bugzilla.mozilla.org/show_bug.cgi?id=1032848
Seems to be #15640 where this particular concern should be handled.
> 4) failIfMajorPerformanceCaveat might aid in fingerprinting (https://bugzilla.mozilla.org/show_bug.cgi?id=1164970)
> 5) user timing API in Web workers might expose (new) high resolution timer to content https://bugzilla.mozilla.org/show_bug.cgi?id=1155761
comment:10 Changed 4 years ago by
For Firefox 42 I only have:
"The WEBGL_debug_renderer_info extension has been turned on by default" which we can get off of our radar right now as it is not enabled on the release channels yet (#18560).
comment:11 Changed 4 years ago by
Oh, Private Browsing Mode Tracking Protection is dealt with in #17898.
comment:12 Changed 4 years ago by
Sponsor: | None → SponsorU |
---|
comment:13 Changed 4 years ago by
For Firefox 43 I only have the PerformanceObserver interface being added which reminded me to file a ticket for enhancing our tests taking care of it (#18597).
comment:14 Changed 4 years ago by
comment:17 Changed 4 years ago by
comment:18 Changed 4 years ago by
While Kathy and I were working on #18599, we looked at the ImageBitmap features that were added starting with Firefox 42. Probably gk already looked at these; we do not see a way to use ImageBitmap to extract image data from a canvas or other potentially fingerprintable source.
comment:19 Changed 4 years ago by
Keywords: | TorBrowserTeam201604 added; TorBrowserTeam201603 removed |
---|
comment:20 follow-up: 21 Changed 4 years ago by
Kathy and I reviewed all of the release notes and developer docs for Firefox 39-45. We have not yet looked at the complete bug lists (comment:17). Here are some things that might be worth another look (some of these may have been looked at in more detail by gk already):
CacheStorage. It seems that this can be used by Web Workers and regular JS code (not just by Service Workers).
https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage
Server logging. This is kind of a strange feature: server applications can return an X- HTTP header to cause items to be logged to the developer console. Maybe it is only done when the console is open and the user is monitoring network requests (I am not sure). Kathy and I do not like the idea that this is enabled, but it may be harmless.
https://developer.mozilla.org/en-US/docs/Tools/Web_Console/Console_messages#Server
window.screen.orientation. This is possibly a fingerprinting vector unless it always returns "landscape-primary" on desktop Firefox (it may still be an issue for Orfox). Or did we decide that applications can derive this kind of info from the window size/aspect ratio anyway?
https://developer.mozilla.org/en-US/docs/Web/API/Screen/orientation
Navigator.onLine. This can be used to monitor the connected state of a user's computer. We can disable it by setting network.manage-offline-status = false.
https://developer.mozilla.org/en-US/docs/Web/API/NavigatorOnLine/onLine
Enable H.264 if system decoder is available (Linux). Kathy and I do not know enough about the world of video decoders to know if this could be a significant fingerprinting vector.
https://bugzilla.mozilla.org/show_bug.cgi?id=1213499
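
An inventory check for the content-visible surfaces raised in this ticket (canvas `captureStream`, `failIfMajorPerformanceCaveat`, `PerformanceObserver`, `window.screen.orientation`, `Navigator.onLine`, CacheStorage in window scope), added here as an example; it is not part of the ticket or of Tor Browser's test suite. The `BASELINE` values, the helper names and the mock window are assumptions made for illustration.

```javascript
// Added example, not Tor Browser code: diff content-visible surfaces against a baseline.
// BASELINE values are assumptions for illustration, not a shipped policy.
const BASELINE = {
  "screen.orientation.type": "landscape-primary", // value named in comment:20
  "navigator.onLine": true, // assumed constant once offline detection is off
  "window.caches": "absent", // assumed: CacheStorage hidden from window scope
  "canvas.captureStream": "absent", // assumed: unreachable without the canvas prompt
  "PerformanceObserver": "absent", // assumed
  "webgl.caveatDetectable": false, // assumed: the flag must not change getContext()
};

const presence = (obj, key) => (obj && key in obj ? "present" : "absent");

function probeSurfaces(win) {
  const canvasProto = win.HTMLCanvasElement && win.HTMLCanvasElement.prototype;
  const orientation = win.screen && win.screen.orientation;
  const report = {
    "screen.orientation.type": orientation ? orientation.type : "absent",
    "navigator.onLine": win.navigator ? win.navigator.onLine : "absent",
    "window.caches": presence(win, "caches"),
    "canvas.captureStream": presence(canvasProto, "captureStream"),
    "PerformanceObserver": presence(win, "PerformanceObserver"),
  };
  // failIfMajorPerformanceCaveat leaks a bit when the flag alone flips the outcome.
  const hasCtx = (flag) => win.document.createElement("canvas")
    .getContext("webgl", { failIfMajorPerformanceCaveat: flag }) !== null;
  report["webgl.caveatDetectable"] = hasCtx(false) !== hasCtx(true);
  return report;
}

function diffBaseline(report, baseline) {
  return Object.keys(baseline)
    .filter((k) => report[k] !== baseline[k])
    .map((k) => `${k}: expected ${baseline[k]}, got ${report[k]}`);
}

// Constructed stand-in for an unhardened window so the check also runs under Node.
const mockWindow = {
  screen: { orientation: { type: "portrait-primary" } },
  navigator: { onLine: true },
  caches: {},
  HTMLCanvasElement: { prototype: { captureStream() {} } },
  document: { createElement: () => ({
    getContext: (_kind, opts) => (opts.failIfMajorPerformanceCaveat ? null : {}),
  }) },
};

const target = typeof window !== "undefined" ? window : mockWindow;
console.log(diffBaseline(probeSurfaces(target), BASELINE).join("\n") || "matches baseline");
```

Presence of `captureStream` only shows the method is reachable; whether the canvas blocker gates its output still has to be checked in the browser itself.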
comment:21 follow-up: 23 Changed 4 years ago by
Replying to brade:
> Kathy and I reviewed all of the release notes and developer docs for Firefox 39-45. We have not yet looked at the complete bug lists (comment:17).
That's fine. I am halfway through and think having just one doing that is okay.
> Here are some things that might be worth another look (some of these may have been looked at in more detail by gk already):
Thanks for looking at it!
> CacheStorage. It seems that this can be used by Web Workers and regular JS code (not just by Service Workers).
> https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage
Do you have a bug indicating that? CacheStorage is part of the Service Workers spec and that whole MDN page indicates that, too.
> Server logging. This is kind of a strange feature: server applications can return an X- HTTP header to cause items to be logged to the developer console. Maybe it is only done when the console is open and the user is monitoring network requests (I am not sure). Kathy and I do not like the idea that this is enabled, but it may be harmless.
> https://developer.mozilla.org/en-US/docs/Tools/Web_Console/Console_messages#Server
Hm. This is https://bugzilla.mozilla.org/show_bug.cgi?id=1168872. So what if we put that feature behind a pref? Disabling it by default in Tor Browser?
> window.screen.orientation. This is possibly a fingerprinting vector unless it always returns "landscape-primary" on desktop Firefox (it may still be an issue for Orfox). Or did we decide that applications can derive this kind of info from the window size/aspect ratio anyway?
> https://developer.mozilla.org/en-US/docs/Web/API/Screen/orientation
#13025 did not solve this?
> Navigator.onLine. This can be used to monitor the connected state of a user's computer. We can disable it by setting network.manage-offline-status = false.
> https://developer.mozilla.org/en-US/docs/Web/API/NavigatorOnLine/onLine
I definitely came across this one and was thinking about it but I am not sure anymore why I did not put it up in my review notes. I think flipping that pref back is a good option, #18945
> Enable H.264 if system decoder is available (Linux). Kathy and I do not know enough about the world of video decoders to know if this could be a significant fingerprinting vector.
> https://bugzilla.mozilla.org/show_bug.cgi?id=1213499
We could investigate which Linux systems would be affected by this: #18946.
comment:22 Changed 4 years ago by
Keywords: | TorBrowserTeam201605 added; TorBrowserTeam201604 removed |
---|
Moving tickets
comment:23 follow-up: 24 Changed 4 years ago by
Replying to gk:
> Replying to brade:
> > Kathy and I reviewed all of the release notes and developer docs for Firefox 39-45. We have not yet looked at the complete bug lists (comment:17).
> That's fine. I am halfway through and think having just one doing that is okay.
> > Here are some things that might be worth another look (some of these may have been looked at in more detail by gk already):
> Thanks for looking at it!
> > CacheStorage. It seems that this can be used by Web Workers and regular JS code (not just by Service Workers).
> > https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage
> Do you have a bug indicating that? CacheStorage is part of the Service Workers spec and that whole MDN page indicates that, too.
The API page includes "It provides a master directory of all the named caches that a ServiceWorker, other type of worker or window scope can access (you don't have to use it with service workers, even though that is the spec that defines it) and maintains a mapping of string names to corresponding Cache objects." Also, some of the top-level objects are present in regular DOM windows. See: https://lists.torproject.org/pipermail/tbb-dev/2016-May/000372.html
> > Server logging. This is kind of a strange feature: server applications can return an X- HTTP header to cause items to be logged to the developer console. Maybe it is only done when the console is open and the user is monitoring network requests (I am not sure). Kathy and I do not like the idea that this is enabled, but it may be harmless.
> > https://developer.mozilla.org/en-US/docs/Tools/Web_Console/Console_messages#Server
> Hm. This is https://bugzilla.mozilla.org/show_bug.cgi?id=1168872. So what if we put that feature behind a pref? Disabling it by default in Tor Browser?
Kathy and I think adding a pref is a good idea, although we leave the decision to you (we cannot prove that this will cause any security or privacy issues).
> > window.screen.orientation. This is possibly a fingerprinting vector unless it always returns "landscape-primary" on desktop Firefox (it may still be an issue for Orfox). Or did we decide that applications can derive this kind of info from the window size/aspect ratio anyway?
> > https://developer.mozilla.org/en-US/docs/Web/API/Screen/orientation
> #13025 did not solve this?
It looks like the new code does not go through the function that was patched by the #13025 fix. I opened #18958 for this issue.
comment:24 Changed 4 years ago by
Replying to mcs:
> Replying to gk:
> > Replying to brade:
> > > Kathy and I reviewed all of the release notes and developer docs for Firefox 39-45. We have not yet looked at the complete bug lists (comment:17).
> > That's fine. I am halfway through and think having just one doing that is okay.
> > > Here are some things that might be worth another look (some of these may have been looked at in more detail by gk already):
> > Thanks for looking at it!
> > > CacheStorage. It seems that this can be used by Web Workers and regular JS code (not just by Service Workers).
> > > https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage
> > Do you have a bug indicating that? CacheStorage is part of the Service Workers spec and that whole MDN page indicates that, too.
> The API page includes "It provides a master directory of all the named caches that a ServiceWorker, other type of worker or window scope can access (you don't have to use it with service workers, even though that is the spec that defines it) and maintains a mapping of string names to corresponding Cache objects." Also, some of the top-level objects are present in regular DOM windows. See: https://lists.torproject.org/pipermail/tbb-dev/2016-May/000372.html
Thanks. Filed as #18995.
> > > Server logging. This is kind of a strange feature: server applications can return an X- HTTP header to cause items to be logged to the developer console. Maybe it is only done when the console is open and the user is monitoring network requests (I am not sure). Kathy and I do not like the idea that this is enabled, but it may be harmless.
> > > https://developer.mozilla.org/en-US/docs/Tools/Web_Console/Console_messages#Server
> > Hm. This is https://bugzilla.mozilla.org/show_bug.cgi?id=1168872. So what if we put that feature behind a pref? Disabling it by default in Tor Browser?
> Kathy and I think adding a pref is a good idea, although we leave the decision to you (we cannot prove that this will cause any security or privacy issues).
Filed the investigation as #18996.
comment:25 Changed 4 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
Okay, this is finally done. One additional issue got found (#19047) and now we are good here. Closing.
I already started back then with Firefox 39 and 40 (comment:4:ticket:16444) but then got distracted. But, hey, two less to do for a first pass is an improvement still. :)