Review Firefox Developer Docs and Undocumented bugs since FF45esr
This ticket is for the review of new features and (undocumented) bugs between Firefox 46 and 52 inclusive.
Activity
Here are some useful search quereies:
- Firefox bugs
- Core bugs per target milestone
While experimenting with an ESR52 Tor Browser, Kathy and I noticed a fetch of http://detectportal.firefox.com/success.txt at startup. Captive portal detection is enabled in Firefox 52; we will need to decide whether we should disable it in Tor Browser. See https://bugzilla.mozilla.org/show_bug.cgi?id=989193#c54
We will want to set browser.selfsupport.enabled to false to disable Normandy aka Shield aka Self Support aka Self Repair. To be safe we can also redirect browser.selfsupport.url
We probably want to disable stuff under browser.uitour.
I'm not sure how to get to it in 52, but in 53, the WebIDE auto-installs some extensions it downloads from Mozilla. Probably best to disable it via devtools.webide.enabled
The Telemetry experiments features should be disabled (experiments.*)
There is something called "Extensions Discovery" governed by extensions.getAddons.showPane
Probably want to disable security.ssl.errorReporting
There's something called 'Social' under social.* including the scary one social.remote-install.enabled
-
Replying to tom:
We will want to set browser.selfsupport.enabled to false to disable Normandy aka Shield aka Self Support aka Self Repair. To be safe we can also redirect browser.selfsupport.url
This is already done; see #18738 (moved).
We probably want to disable stuff under browser.uitour.
We already have
browser.uitour.enabled = falsebut to be even safer maybe we should modify the browser.uitour prefs that contain URLs?I'm not sure how to get to it in 52, but in 53, the WebIDE auto-installs some extensions it downloads from Mozilla. Probably best to disable it via devtools.webide.enabled
We already have the following in browser/app/profile/000-tor-browser.js: pref("devtools.webide.autoinstallADBHelper", false); pref("devtools.webide.autoinstallFxdtAdapters", false); pref("devtools.webide.enabled", false); pref("devtools.appmanager.enabled", false);
The Telemetry experiments features should be disabled (experiments.*)
Agreed.
There is something called "Extensions Discovery" governed by extensions.getAddons.showPane
Setting that pref to false removes the "Get Add-ons" panel from about:addons. I don't think we have to remove it, but doing so would discourage use of add-ons in Tor Browser (and we don't have any control over what add-ons Mozilla might show on that panel).
Probably want to disable security.ssl.errorReporting
Agreed.
There's something called 'Social' under social.* including the scary one social.remote-install.enabled
It looks like we have #13612 (moved) for this. We should look at it for ESR52.
-
Kathy and I reviewed the Firefox 46 and 47 changes (by looking at the "Firefox ## for Developers" web pages, the target_milestone=mozilla## bugs, and the target_milestone=Firefox%20## bugs). Before we move on to 48-52, we wanted to note here what we found so far:
a)
DateTimeFormat.formatToParts. We should verify that timezone and/or locale not leaked to web content by new API. https://bugzilla.mozilla.org/show_bug.cgi?id=1289340 https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/DateTimeFormat/formatToPartsb) Some changes were made to device orientation events. We should ensure that orientation is not leaked to web content. https://bugzilla.mozilla.org/show_bug.cgi?id=1205649
c) The Permissions API is now enabled. Kathy and I think we should turn it off to prevent fingerprinting based on choices that users make. Unfortunately, the
dom.permissions.enabledpref was removed. https://lists.mozilla.org/pipermail/dev-platform/2015-August/011466.html https://bugzilla.mozilla.org/show_bug.cgi?id=1233702d) TouchEvents are now enabled on Windows and Linux. I already poked #10286 (moved).
e) window.showModalDialog() is not available when e10s is enabled. Should we always make it unavailable (even when e10s is disabled)? Or maybe we don't care because we will probably enable e10s for all Tor Browser users or none. https://bugzilla.mozilla.org/show_bug.cgi?id=1234700
f) Looking through the bug lists reminded us about Web Animations possibly providing a high resolution timing source. But we do have #18273 (moved) for that issue.
g) Similarly, we were reminded about WebAudio. See #13017 (moved).
h) We will need to set
network.dns.blockDotOnion = false.i) Should we disable about:profiles? Some of the functionality will confused our users, e.g., "Create New Profile" which may not work correctly on Linux and Windows and "Restart with Add-ons Disabled." https://bugzilla.mozilla.org/show_bug.cgi?id=1235402
j) A DNS lookup feature was added to about:networking DNS. We should verify that it respects the browser proxy settings. https://bugzilla.mozilla.org/show_bug.cgi?id=907050
k) Is the Fetch API safe? It includes fetch events with mode=navigate, and Kathy and I are not sure if there are any linkability concerns with that API. https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
-
Here are some things Kathy and I found while reviewing Firefox 48 changes (we will need to file separate tickets for some of these, but as a first pass I am posting our notes in this ticket):
a) We should probably make sure screen sharing is disabled. Maybe this is covered by our removal of WebRTC, but we could also set these pref values to be sure: media.getusermedia.screensharing.enabled = false media.getusermedia.screensharing.allowed_domains = ""
b) Some safe browsing prefs have been renamed and other functionality has been added. We should disable all of it via the following pref values: browser.safebrowsing.downloads.enabled = false browser.safebrowsing.downloads.remote.enabled = false browser.safebrowsing.malware.enabled = false browser.safebrowsing.phishing.enabled = false browser.safebrowsing.blockedURIs.enabled = false
c) We should return a constant value for window.navigator.hardwareConcurrency. https://developer.mozilla.org/en-US/docs/Web/API/NavigatorConcurrentHardware/hardwareConcurrency
d) From a fingerprinting perspective, the following bug is a little scary (consult Firefox prefs from CSS) but use seems to be limited to internal style sheets: https://bugzilla.mozilla.org/show_bug.cgi?id=1259889
e) Mozilla sites can check whether an add-on is installed and retrieve some metadata. Do we want to disable this? https://bugzilla.mozilla.org/show_bug.cgi?id=1245571
f) APIs to allow access to some internal Firefox services from remote New Tab pages (hosted on mozilla.org servers) have been added. We should figure out how to disable them. PreviewProvider Messaging API https://bugzilla.mozilla.org/show_bug.cgi?id=1239119 NewTabPrefsProvider Messaging API https://bugzilla.mozilla.org/show_bug.cgi?id=1239118 PlacesProvider Messaging API https://bugzilla.mozilla.org/show_bug.cgi?id=1239116
g) We may want to skip importing a certificate on Windows to support Microsoft Family Safety by setting: security.family_safety.mode = 0 https://bugzilla.mozilla.org/show_bug.cgi?id=1239166
h) We may want to document for our Linux users that add-ons installed in the following directory do not have to be signed by Mozilla: /usr/{lib,share}/mozilla/extensions
i) If we enable e10s/multiprocess mode, we should document for our users that it will be disabled if accessibility tools are used. https://bugzilla.mozilla.org/show_bug.cgi?id=1260190
-
And here are our notes for Firefox 49:
a) Graphite font rendering has been re-enabled. We need to decide if we want to disable it again or not.
b) Mozilla switched to compiling with Intel SSE2. We could do the same, although it would mean that Tor Browser would not run on some really old CPUs. Mozilla modified their Windows installer to notify and refuse to install if the CPU does not support SSE2. https://bugzilla.mozilla.org/show_bug.cgi?id=1271759
c) Kathy and I cannot think of any fingerprinting or linkability risks associated with the Web Speech API, but it is a big new thing: https://developer.mozilla.org/en-US/docs/Web/API/Web_Speech_API https://bugzilla.mozilla.org/show_bug.cgi?id=1268633
d) We should verify that the "Network ID" is not even computed when Telemetry is disabled. At least I would feel better if it was not. https://bugzilla.mozilla.org/show_bug.cgi?id=1240932
e) The Bookmarks Toolbar is automatically shown when the user adds a bookmark to it. This will change the window size, but maybe this is used rarely enough that we do not care? https://bugzilla.mozilla.org/show_bug.cgi?id=1219788
f) The window.isSecureContext API is interesting but may not add any fingerprinting or linkability risks. We should think about whether features that are being made "HTTPS only" should also be available on .onion sites. https://developer.mozilla.org/en-US/docs/Web/API/Window/isSecureContext
g) As part of our release procedures, do we double-check the HPKP expiration? Mozilla seems to have bugs for each release, e.g., https://bugzilla.mozilla.org/show_bug.cgi?id=1307530
-
Here are a few items for Firefox 50:
a) We need to determine if the File and Directory Entries API adds any fingerprinting or linkability risk. https://developer.mozilla.org/en-US/docs/Web/API/File_and_Directory_Entries_API
b) When reviewing bugs, Kathy and I noticed that there seem to be a lot of crasher bugs associated with DOM Animation, e.g., UAF bugs. I think this is disabled by default via: dom.animations-api.core.enabled = false or maybe we also need to add the following if we want to turn it off completely? dom.animations-api.element-animate.enabled This might be something for the security slider eventually.
c) As part of our release procedures, do we double-check the HPKP expiration? We do not want to have a repeat of the problem where the pins expired. Mozilla seems to have bugs for each release, e.g., https://bugzilla.mozilla.org/show_bug.cgi?id=1307530
-
Finally, here our our notes for Firefox 51 (we did not look at the Firefox 52 changes yet):
a) We should verify that
TypedArray.toLocaleString()does not leak locale information. https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray/toLocaleStringb) We should verify that the new
<input>types do not leak locale information, e.g.,<input type="time">,type="date",type="week", etc. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/inputc) WebGL2 is enabled by default which may enable new fingerprinting opportunities: https://developer.mozilla.org/en-US/docs/Web/API/WebGL_API
d) HTTP Opportunistic Security may add some linkability risks, although it seems okay at a glance. http://httpwg.org/http-extensions/opsec.html https://bugzilla.mozilla.org/show_bug.cgi?id=1301117
e) Do we want to disable Web Audio due to fingerprinting risks? Mozilla keeps adding more functionality. Maybe this is already covered by #13017 (moved).
f) There are some new Storage APIs that we should look at, e.g., https://developer.mozilla.org/en-US/docs/Web/API/StorageManager/estimate https://bugzilla.mozilla.org/show_bug.cgi?id=1267941
-
Replying to mcs:
Kathy and I reviewed the Firefox 46 and 47 changes (by looking at the "Firefox ## for Developers" web pages, the target_milestone=mozilla## bugs, and the target_milestone=Firefox%20## bugs). Before we move on to 48-52, we wanted to note here what we found so far:
a)
DateTimeFormat.formatToParts. We should verify that timezone and/or locale not leaked to web content by new API. https://bugzilla.mozilla.org/show_bug.cgi?id=1289340 https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/DateTimeFormat/formatToPartsThat's in mozill52, right? But, yes, we should double-check that. I opened #21608 (moved).
b) Some changes were made to device orientation events. We should ensure that orientation is not leaked to web content. https://bugzilla.mozilla.org/show_bug.cgi?id=1205649
c) The Permissions API is now enabled. Kathy and I think we should turn it off to prevent fingerprinting based on choices that users make. Unfortunately, the
dom.permissions.enabledpref was removed. https://lists.mozilla.org/pipermail/dev-platform/2015-August/011466.html https://bugzilla.mozilla.org/show_bug.cgi?id=1233702d) TouchEvents are now enabled on Windows and Linux. I already poked #10286 (moved).
e) window.showModalDialog() is not available when e10s is enabled. Should we always make it unavailable (even when e10s is disabled)? Or maybe we don't care because we will probably enable e10s for all Tor Browser users or none. https://bugzilla.mozilla.org/show_bug.cgi?id=1234700
I think we should not care. Besides that it seems that non of our code is using
showModalDialog()anyway.f) Looking through the bug lists reminded us about Web Animations possibly providing a high resolution timing source. But we do have #18273 (moved) for that issue.
I guess you mean #16337 (moved)?
g) Similarly, we were reminded about WebAudio. See #13017 (moved).
h) We will need to set
network.dns.blockDotOnion = false.Hm. You mean for the transparent proxying option?
i) Should we disable about:profiles? Some of the functionality will confused our users, e.g., "Create New Profile" which may not work correctly on Linux and Windows and "Restart with Add-ons Disabled." https://bugzilla.mozilla.org/show_bug.cgi?id=1235402
Yes. I opened #21610 (moved).
j) A DNS lookup feature was added to about:networking DNS. We should verify that it respects the browser proxy settings. https://bugzilla.mozilla.org/show_bug.cgi?id=907050
k) Is the Fetch API safe? It includes fetch events with mode=navigate, and Kathy and I are not sure if there are any linkability concerns with that API. https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
This is already #16326 (moved). Or did you find something new we should look at?
Additional things I found:
l) Remaining things for offscreen canvas got implemented in https://bugzilla.mozilla.org/show_bug.cgi?id=1172796. We should make sure that they are disabled as well (I updated #18599 (moved)).
m) windows are maximized on first run on small screens: https://bugzilla.mozilla.org/show_bug.cgi?id=384336 I'll have that in mind while reviewing the rebased patches in #20680 (moved).
n) There is a "What's new" item on the about dialog pointing to Mozilla resources: https://bugzilla.mozilla.org/show_bug.cgi?id=1047395 I guess we should point to our blog post instead. We have #21484 (moved) for that.
-
Replying to gk:
Replying to mcs:
a)
DateTimeFormat.formatToParts. We should verify that timezone and/or locale not leaked to web content by new API. https://bugzilla.mozilla.org/show_bug.cgi?id=1289340 https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/DateTimeFormat/formatToPartsThat's in mozill52, right? But, yes, we should double-check that. I opened #21608 (moved).
Thanks. That bug and the docs say it is in mozilla51, but in any case we should take a look.
...
e) window.showModalDialog() is not available when e10s is enabled. Should we always make it unavailable (even when e10s is disabled)? Or maybe we don't care because we will probably enable e10s for all Tor Browser users or none. https://bugzilla.mozilla.org/show_bug.cgi?id=1234700
I think we should not care. Besides that it seems that non of our code is using
showModalDialog()anyway.Okay. Kathy and I were thinking about regular web pages using that API and/or detecting that it is not available. But there are probably other ways to detect that e10s is enabled.
f) Looking through the bug lists reminded us about Web Animations possibly providing a high resolution timing source. But we do have #18273 (moved) for that issue.
I guess you mean #16337 (moved)?
Yes; thanks.
h) We will need to set
network.dns.blockDotOnion = false.Hm. You mean for the transparent proxying option?
I was thinking that the Firefox code would block .onion requests even when they go through the SOCKS proxy. But you may be correct.
k) Is the Fetch API safe? It includes fetch events with mode=navigate, and Kathy and I are not sure if there are any linkability concerns with that API. https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
This is already #16326 (moved). Or did you find something new we should look at?
No, I don't think we found anything new. Kathy and I forgot that we had looked at this API before. There were some small changes since Firefox 45, but if I remember correctly they are not significant.
Thanks for making another pass at this and filing tickets!