Opened 18 months ago

Closed 15 months ago

Last modified 4 months ago

#21569 closed task (fixed)

Investigate and neuter fingerprinting potential of Permissions API

Reported by: gk
Owned by: arthuredelstein
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: ff52-esr, tbb-7.0-must-alpha, TorBrowserTeam201705R, tbb-linkability
Cc: arthuredelstein
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor: Sponsor4

Description

The Permissions API is now enabled in Firefox 52. We should come up with a plan to neuter its fingerprinting potential and implement it for Tor Browser 7.0:

https://bugzilla.mozilla.org/show_bug.cgi?id=1221106
https://bugzilla.mozilla.org/show_bug.cgi?id=1233702 (removes the associated pref)
https://developer.mozilla.org/en-US/docs/Web/API/Permissions_API
https://w3c.github.io/permissions/

Change History (16)

comment:1 Changed 18 months ago by gk

Keywords: tbb-7.0-must added

comment:2 Changed 18 months ago by gk

Keywords: TorBrowserTeam201703 added

Getting those tickets on our March radar as well.

comment:3 Changed 17 months ago by gk

Keywords: TorBrowserTeam201704 added; TorBrowserTeam201703 removed

Moving tickets over to April

comment:4 Changed 16 months ago by arthuredelstein

Cc: arthuredelstein added

comment:5 Changed 16 months ago by arthuredelstein

Owner: changed from tbb-team to arthuredelstein
Status: new → accepted

comment:6 Changed 16 months ago by gk

Keywords: tbb-7.0-must-alpha added; tbb-7.0-must removed

Getting more tickets on our alpha radar.

comment:7 Changed 16 months ago by gk

Priority: Medium → High

Moving the investigation tickets to higher priority.

comment:8 Changed 16 months ago by arthuredelstein

Keywords: TorBrowserTeam201704R added; TorBrowserTeam201704 removed
Status: accepted → needs_review

Here's my patch for review. I am applying first-party isolation to the Permission Manager:
https://github.com/arthuredelstein/tor-browser/commits/21569

comment:9 Changed 16 months ago by mcs

Status: needs_review → needs_information

Kathy and I started to review this but got stuck on a couple of things:

  • Where is the file file_firstPartySpecial.html?
  • Should the commented out lines (e.g., for geolocation) be removed from browser_permissions.js?
  • PrincipalOriginAttributes::StripUserContextId() is now an empty function. Is that correct?

comment:10 Changed 16 months ago by gk

Keywords: TorBrowserTeam201705R added; TorBrowserTeam201704R removed

Moving review tickets to May.

comment:11 in reply to:  9 Changed 15 months ago by arthuredelstein

Replying to mcs:

> Kathy and I started to review this but got stuck on a couple of things:
>
>   • Where is the file file_firstPartySpecial.html?
>   • Should the commented out lines (e.g., for geolocation) be removed from browser_permissions.js?
>   • PrincipalOriginAttributes::StripUserContextId() is now an empty function. Is that correct?

Thanks for noticing these things. I have cleaned them up now. Here's the new version:
https://github.com/arthuredelstein/tor-browser/commit/21569+4

Note here I am enabling isolation of permissions both by first party domain and container ID. As Tor Browser doesn't use containers, the change to container behavior should have no effect. But I took this approach (changing both things) because it makes writing a test with Mozilla's existing isolation test framework straightforward. If Mozilla decides to apply first-party isolation to permissions, but not to apply it to containers, then they will need to modify the framework. (Although my recommendation would be to isolate permissions by containers as well.)

comment:12 Changed 15 months ago by arthuredelstein

Status: needs_information → needs_review

comment:13 Changed 15 months ago by mcs

r=brade, r=mcs
Kathy and I are far from experts on this aspect of Firefox, but the patches look good and we successfully ran the tests on OSX. We also ran the tests without the other portion of the patch and saw that 2 tests failed due to lack of isolation (as expected).
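
Added illustration, not part of the ticket or of the patch: a toy JavaScript model of what comments 11 and 13 describe, namely permissions keyed by first-party domain and container ID, and the cross-context check that fails when that isolation is absent. The class, function names, key format and example domains are assumptions made for the model; it does not reproduce Firefox's Permission Manager.

```javascript
// Toy model of a permission store (hypothetical names; not Firefox code).
// A permission is stored under a key derived from the requesting origin and,
// when isolation is on, from the first-party domain and the container ID.
class PermissionStore {
  constructor({ isolate }) {
    this.isolate = isolate;
    this.entries = new Map();
  }

  // ctx: { origin, firstPartyDomain, userContextId }
  // The key layout below is made up for this model.
  keyFor(ctx, name) {
    if (!this.isolate) return `${ctx.origin}|${name}`;
    return `${ctx.origin}^userContextId=${ctx.userContextId}` +
           `&firstPartyDomain=${ctx.firstPartyDomain}|${name}`;
  }

  set(ctx, name, state) { this.entries.set(this.keyFor(ctx, name), state); }

  // Same result shape as navigator.permissions.query(): no entry means "prompt".
  query(ctx, name) { return this.entries.get(this.keyFor(ctx, name)) ?? "prompt"; }
}

// The property an isolation test checks: a state set while the origin is
// embedded under one first party (or container) must not be readable
// when the same origin is embedded under another.
function crossContextView(store, origin, name) {
  // Constructed sample contexts.
  const underA = { origin, firstPartyDomain: "site-a.example", userContextId: 0 };
  const underB = { origin, firstPartyDomain: "site-b.example", userContextId: 0 };
  const otherContainer = { ...underA, userContextId: 1 };
  store.set(underA, name, "granted");
  return {
    sameContext: store.query(underA, name),
    otherFirstParty: store.query(underB, name),
    otherContainer: store.query(otherContainer, name),
  };
}

const shared = crossContextView(
  new PermissionStore({ isolate: false }), "https://widget.example", "notifications");
const isolated = crossContextView(
  new PermissionStore({ isolate: true }), "https://widget.example", "notifications");
console.log({ shared, isolated });
```

Without isolation the state set under one first party is returned under the other, so it can act as a cross-site marker; with isolation each context starts from "prompt".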

comment:14 Changed 15 months ago by gk

Resolution: fixed
Status: needs_review → closed

Looks good to me. I cherry-picked this on tor-browser-52.1.0esr-7.0-2 (commit d8b12ca703cd530b5c7684be00d5979fb1543705).

comment:15 Changed 13 months ago by arthuredelstein

Keywords: tbb-linkability added

comment:16 Changed 4 months ago by gk

Closed #20317 as duplicate.
