Opened 2 years ago

Closed 2 years ago

#18950 closed task (fixed)

Disable or audit Reader View in ESR 45

Reported by: gk Owned by: gk
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: ff45-esr, TorBrowserTeam201605R, GeorgKoppen201605, tbb-6.0-must
Cc: arthuredelstein Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Firefox ships with a new feature, Reader View (https://support.mozilla.org/en-US/kb/firefox-reader-view-clutter-free-web-pages). We should audit it or disable it for the time being if we don't get to that.

Child Tickets

Change History (6)

comment:1 Changed 2 years ago by gk

Keywords: GeorgKoppen201605 added
Owner: changed from tbb-team to gk
Status: newassigned

comment:2 Changed 2 years ago by gk

Keywords: tbb-6.0-must added

comment:3 Changed 2 years ago by arthuredelstein

Cc: arthuredelstein added

comment:4 Changed 2 years ago by gk

Keywords: TorBrowserTeam201605R added; TorBrowserTeam201605 removed
Status: assignedneeds_review

See bug_18950 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_18950) in my tor-browser repo for a patch.

I did not disable the whole feature but made sure that the fingerprinting risks that might be associated with it are neutered. This is mainly done by flipping reader.parse-on-load.enabled to false. Having it set to true would discriminate between users with low memory computers (probably only some mobile ones) and those who have Reader View capable ones.

This has the side-effect that the reader view icon is vanishing from the URL bar and the View menu making it harder to click on them by accident (at least on the desktop). See: https://mxr.mozilla.org/mozilla-esr45/source/browser/base/content/tab-content.js#331

The other code path that goes to _readerParse() (https://mxr.mozilla.org/mozilla-esr45/source/toolkit/components/reader/ReaderMode.jsm#351) comes from the about:reader URL which is called if one already has saved an item in one's reader list. This is okay I think. Content seems not be able to use about:reader URLs to mess with a user's browsing session, a security error is thrown.

comment:5 Changed 2 years ago by mcs

r=brade, r=mcs
This looks good. It would not hurt for Arthur to take a look as well.

comment:6 Changed 2 years ago by gk

Resolution: fixed
Status: needs_reviewclosed

Okay, thanks. Taking this for now, though. I revised the commit message a bit and fixed a typo in it. commit 1344de9d3c90e3eac02dd13433ef8412a450df5a on tor-browser-45.1.0esr-6.0-1 has the fixup.

Note: See TracTickets for help on using tickets.