Opened 4 years ago

Closed 4 years ago

#18958 closed defect (fixed)

screen.orientation should lie

Reported by: mcs Owned by: arthuredelstein
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: ff45-esr, TorBrowserTeam201605R
Cc: brade, gk Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

For Firefox 43, Mozilla added a new orientation API that includes the unprefixed screen.orientation property and possibly support for onchange events. See:

https://developer.mozilla.org/en-US/docs/Web/API/Screen/orientation
https://w3c.github.io/screen-orientation/

Although the patch for #13025 was upstreamed, the implementation of the new API did not carry forward the concept of respecting the privacy.resistFingerprinting pref.

Child Tickets

Change History (8)

comment:1 Changed 4 years ago by mcs

Actually, maybe the new screen.orientation API landed before the #13025 patch was upstreamed. See: https://bugzilla.mozilla.org/show_bug.cgi?id=1131470

comment:2 Changed 4 years ago by gk

Cc: gk added

comment:3 Changed 4 years ago by arthuredelstein

Owner: changed from tbb-team to arthuredelstein
Status: newaccepted

comment:4 Changed 4 years ago by arthuredelstein

Keywords: TorBrowserTeam201605R added; TorBrowserTeam201605 removed
Status: acceptedneeds_review

Here are two commits: the patch for this ticket, and a fixup to our regression tests. I didn't see a good way to test for "orientationchange" events, but by following the code flow, I believe the orientation data will be correctly spoofed.

https://github.com/arthuredelstein/tor-browser/commits/18958+1
Hash 9ef72d49e45618c648f2bf5f55e2b3de68cb30ee

comment:5 Changed 4 years ago by mcs

r=mcs, r=brade
These changes look good. Should we also skip dispatching of the orientation change events when ShouldResistFingerprinting() returns true? Generating the events will allow a website to detect that my device can change orientation.

comment:6 in reply to:  5 ; Changed 4 years ago by arthuredelstein

Replying to mcs:

r=mcs, r=brade
These changes look good. Should we also skip dispatching of the orientation change events when ShouldResistFingerprinting() returns true? Generating the events will allow a website to detect that my device can change orientation.

Thanks for the review. Here's a new version that blocks "orientationchange" and "mozorientationchange" events from being dispatched. I also blocked the use of 'screen.mozLockOrientation' and 'screen.mozUnlockOrientation' for a similar reason.

https://github.com/arthuredelstein/tor-browser/commits/18958+2
Hash 4f86b15a2a7d3ea4e370cf48fa247386cfb0157a

Last edited 4 years ago by arthuredelstein (previous) (diff)

comment:7 in reply to:  6 Changed 4 years ago by mcs

Replying to arthuredelstein:

Thanks for the review. Here's a new version that blocks "orientationchange" and "mozorientationchange" events from being dispatched. I also blocked the use of 'screen.mozLockOrientation' and 'screen.mozUnlockOrientation' for a similar reason.

https://github.com/arthuredelstein/tor-browser/commits/18958+2
Hash 4f86b15a2a7d3ea4e370cf48fa247386cfb0157a

r=brade, r=mcs
This looks good to us.

comment:8 Changed 4 years ago by gk

Resolution: fixed
Status: needs_reviewclosed

Thanks. Applied to tor-browser-45.1.0esr-6.0-1 (commit a086a5d0070821b1c4dfd2492bdc993c91353a2b and ec74b173f8a00e59aa42e0cf32e65ec2266cb477).

Note: See TracTickets for help on using tickets.