Disable or audit Reader View in ESR 45
Firefox ships with a new feature, Reader View (https://support.mozilla.org/en-US/kb/firefox-reader-view-clutter-free-web-pages). We should audit it or disable it for the time being if we don't get to that.
Activity
See bug_18950 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_18950) in my tor-browser repo for a patch.
I did not disable the whole feature but made sure that the fingerprinting risks that might be associated with it are neutered. This is mainly done by flipping
reader.parse-on-load.enabledtofalse. Having it set totruewould discriminate between users with low memory computers (probably only some mobile ones) and those who have Reader View capable ones.This has the side-effect that the reader view icon is vanishing from the URL bar and the View menu making it harder to click on them by accident (at least on the desktop). See: https://mxr.mozilla.org/mozilla-esr45/source/browser/base/content/tab-content.js#331
The other code path that goes to
_readerParse()(https://mxr.mozilla.org/mozilla-esr45/source/toolkit/components/reader/ReaderMode.jsm#351) comes from theabout:readerURL which is called if one already has saved an item in one's reader list. This is okay I think. Content seems not be able to useabout:readerURLs to mess with a user's browsing session, a security error is thrown.Trac:
Status: assigned to needs_review
Keywords: TorBrowserTeam201605 deleted, TorBrowserTeam201605R addedmentioned in issue #21845 (moved)
mentioned in issue #27281 (moved)
mentioned in issue tpo/applications/tor-browser#27281 (closed)
