Opened 3 years ago

Closed 3 years ago

#21390 closed defect (not a bug)

keypress events are not getting spoofed

Reported by: gk Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Major Keywords: tbb-fingerprinting
Cc: arthuredelstein Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

While writing the Keyboard fingerprinting section in our design document I researched a bit and found this excellent keyboard properties test: https://w3c.github.io/uievents/tools/key-event-viewer.html

I played a bit with it and to my surprise it showed at least the keypress event not being properly spoofed. The result for pressing ? on a german keyboard with german keyboard layout are attached.

Child Tickets

Attachments (3)

screenshot_keyboard_events.png (47.8 KB) - added by gk 3 years ago.
z.png (51.9 KB) - added by gk 3 years ago.
Z.png (54.1 KB) - added by gk 3 years ago.

Download all attachments as: .zip

Change History (11)

Changed 3 years ago by gk

comment:1 Changed 3 years ago by gk

Cc: arthuredelstein added
Component: - Select a componentApplications/Tor Browser
Keywords: tbb-fingerprinting added
Owner: set to tbb-team
Priority: MediumHigh
Severity: NormalMajor

A noteworthy thing on the screenshot is the ß character as that is the key I actually pressed. Two other things I am wondering:

1) Did that regress? (It seems so)
2) We have tests for our keyboard spoofing. Do they need improvement for not catching this?

comment:2 Changed 3 years ago by arthuredelstein

Resolution: duplicate
Status: newclosed

It's not a regression, it's just an unimplemented feature. Here's the ticket: #16678.

But it's a good reminder to work on this.

comment:3 in reply to:  2 ; Changed 3 years ago by gk

Resolution: duplicate
Status: closedreopened

Replying to arthuredelstein:

It's not a regression, it's just an unimplemented feature. Here's the ticket: #16678.

Wait, wait, this is not about the ß key. As the bug title says it is about the keypress event. If you look again at the screenshot you'll see that there is no ß in the keypress row. But rather, there are charCode and which values that should be 191 instead of 63 as I am pressing the ? key. I basically tested with the same key as back in #15646. If you look at comment:13:ticket:15646 I got the same results for that event. It bothers me that I don't know anymore why I said "It looks better now" in comment:23:ticket:15646 because testing a bunch of older versions shows the same behavior. Thus, it seems we never fixed that part of my review feedback for some reason.

Regarding the ß result in the screenshot. Even though it is shown that the ? key is pressed the ß shows up if one releases the Shift key a bit earlier than the ? key. So, this part is indeed no regression rather a testing error. I got just confused that the ß showed up while the test said I pressed the ? key.

comment:4 in reply to:  3 ; Changed 3 years ago by arthuredelstein

Replying to gk:

Replying to arthuredelstein:

It's not a regression, it's just an unimplemented feature. Here's the ticket: #16678.

Wait, wait, this is not about the ß key.

Oops, sorry! :) I misunderstood. In comment:1 you say "A noteworthy thing on the screenshot is the ß character as that is the key I actually pressed." So I assumed the ? in the Description was just the ß failing to render in trac.

I will investigate this further. What OS did you observe this on?

comment:5 in reply to:  4 Changed 3 years ago by gk

Replying to arthuredelstein:

Replying to gk:

Replying to arthuredelstein:

It's not a regression, it's just an unimplemented feature. Here's the ticket: #16678.

Wait, wait, this is not about the ß key.

Oops, sorry! :) I misunderstood. In comment:1 you say "A noteworthy thing on the screenshot is the ß character as that is the key I actually pressed." So I assumed the ? in the Description was just the ß failing to render in trac.

No worries. :)

I will investigate this further. What OS did you observe this on?

Both on Windows and Linux with german keyboard and german keyboard layout. I can test on other setups later next week if that's necessary.

comment:6 Changed 3 years ago by gk

I am getting the same result with a german keyboard and an en-US layout. Thus, it seems to me the keypress event leaks the fact that I have a german keyboard regardless of the layout ("layout" means here and in my comments above "funtional layout" while "german keyboard" means "german visual layout").

Changed 3 years ago by gk

Attachment: z.png added

Changed 3 years ago by gk

Attachment: Z.png added

comment:7 Changed 3 years ago by gk

I added z and Z test cases as well.

comment:8 Changed 3 years ago by gk

Resolution: not a bug
Status: reopenedclosed

Okay, this is not a bug. It turns out I mixed up charCode and keyCode values. While we spoof the latter the former are merely ASCII values of the key that got pressed. By coincidence both give back 63 for ? on a with a german layout without spoofing. Our patch fixes that for the keyCode case leacing the charCode case untouched as it does not vary with a different keyboard layout.

Note: See TracTickets for help on using tickets.