screen.orientation should lie

For Firefox 43, Mozilla added a new orientation API that includes the unprefixed screen.orientation property and possibly support for onchange events. See: https://developer.mozilla.org/en-US/docs/Web/API/Screen/orientation https://w3c.github.io/screen-orientation/ Although the patch for #13025 (moved) was upstreamed, the implementation of the new API did not carry forward the concept of respecting the privacy.resistFingerprinting pref.

added TorBrowserTeam201605R component::applications/tor browser ff45-esr owner::arthuredelstein priority::medium resolution::fixed severity::normal status::closed type::defect labels

Actually, maybe the new screen.orientation API landed before the #13025 (moved) patch was upstreamed. See: https://bugzilla.mozilla.org/show_bug.cgi?id=1131470

Trac:
Cc: brade to brade, gk

Trac:
Status: new to accepted
Owner: tbb-team to arthuredelstein

Here are two commits: the patch for this ticket, and a fixup to our regression tests. I didn't see a good way to test for "orientationchange" events, but by following the code flow, I believe the orientation data will be correctly spoofed.

https://github.com/arthuredelstein/tor-browser/commits/18958+1 Hash 9ef72d49e45618c648f2bf5f55e2b3de68cb30ee

Trac:
Keywords: TorBrowserTeam201605 deleted, TorBrowserTeam201605R added
Status: accepted to needs_review

r=mcs, r=brade These changes look good. Should we also skip dispatching of the orientation change events when ShouldResistFingerprinting() returns true? Generating the events will allow a website to detect that my device can change orientation.

Replying to mcs:

r=mcs, r=brade These changes look good. Should we also skip dispatching of the orientation change events when ShouldResistFingerprinting() returns true? Generating the events will allow a website to detect that my device can change orientation.

Thanks for the review. Here's a new version that blocks "orientationchange" and "mozorientationchange" events from being dispatched. I also blocked the use of 'screen.mozLockOrientation' and 'screen.mozUnlockOrientation' for a similar reason.

​https://github.com/arthuredelstein/tor-browser/commits/18958+2 Hash 4f86b15a2a7d3ea4e370cf48fa247386cfb0157a

Replying to arthuredelstein:

Thanks for the review. Here's a new version that blocks "orientationchange" and "mozorientationchange" events from being dispatched. I also blocked the use of 'screen.mozLockOrientation' and 'screen.mozUnlockOrientation' for a similar reason.

​https://github.com/arthuredelstein/tor-browser/commits/18958+2 Hash 4f86b15a2a7d3ea4e370cf48fa247386cfb0157a

r=brade, r=mcs This looks good to us.

Thanks. Applied to tor-browser-45.1.0esr-6.0-1 (commit a086a5d0070821b1c4dfd2492bdc993c91353a2b and ec74b173f8a00e59aa42e0cf32e65ec2266cb477).

Trac:
Status: needs_review to closed
Resolution: N/A to fixed

closed

moved to tpo/applications/tor-browser#18958 (closed)