Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#18601 closed defect (fixed)

User Timing API in workers might expose high resolution time to content

Reported by: gk Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: ff45-esr, TorBrowserTeam201605R
Cc: boklm Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

We should ensure that the User Timing API used in workers is disabled there as well.

See: #18597 for the testing.

Child Tickets

Change History (5)

comment:1 Changed 4 years ago by gk

Keywords: TorBrowserTeam201605 added

Dragging into May to have it on our 6.0 radar.

comment:2 Changed 4 years ago by arthuredelstein

I manually confirmed that the User Timing API (performance marks and performance measures) are removed when the dom.enable_user_timing pref is disabled (as was already done in #16336).

Here is what I did:

  1. Enable dom.enable_user_timing:
> new Worker("data:text/javascript,postMessage(Object.getOwnPropertyNames(performance.__proto__).sort().join(', '));").onmessage = msg => console.log(msg.data);

< clearMarks, clearMeasures, constructor, getEntries, getEntriesByName, getEntriesByType, mark, measure, now
  1. Disable dom.enable_user_timing:
    > new Worker("data:text/javascript,postMessage(Object.getOwnPropertyNames(performance.__proto__).sort().join(', '));").onmessage = msg => console.log(msg.data);
    
    < constructor, now
    

We should be able to pretty easily automate such tests in #18597.

I also checked the performance object in a non-Worker context:

  1. Enabling dom.enable_user_timing:
    > Object.getOwnPropertyNames(performance.__proto__).sort().join(", ")
    
    < "clearMarks, clearMeasures, clearResourceTimings, constructor, getEntries, getEntriesByName, getEntriesByType, mark, measure, navigation, now, onresourcetimingbufferfull, setResourceTimingBufferSize, timing, toJSON"
    
  2. Disabling dom.enable_user_timing:
    > Object.getOwnPropertyNames(performance.__proto__).sort().join(", ")
    
    < "constructor, navigation, now, timing, toJSON"
    

So the only leftover things in the main-thread performance object are performance.now() and performance.timing and performance.toJSON() which all look clean to me.

comment:3 Changed 4 years ago by arthuredelstein

Keywords: TorBrowserTeam201605R added; TorBrowserTeam201605 removed
Status: newneeds_review

comment:4 Changed 4 years ago by gk

Resolution: fixed
Status: needs_reviewclosed

Thanks. I created #19039 for the test in a worker context.

comment:5 Changed 4 years ago by gk

Cc: boklm added
Note: See TracTickets for help on using tickets.