Opened 4 years ago

Last modified 2 years ago

#21607 new enhancement

Investigate WebVR API 1.1 for fingerprinting/linkability risks

Reported by: gk Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: ff60-esr, TorBrowserTeam201809
Cc: mcs, brade Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Virtual Reality (VR) is coming to the browser. Mozilla intends to enable VR support some time between ESR52 and ESR 59 for Windows and Linux at least (see: and!topic/

The W3C draft is on:

Child Tickets

Change History (9)

comment:1 Changed 3 years ago by joebt

Investigating any new browser change is always good, but will webvr even work with WebGL blocked by default in NoScript?

There's always a chance something could leak or be detectable, even if virtual reality doesn't work for users. A brief search of NoScript's site and the web didn't turn up any discussion of NoScript adding a block webVR option.

In TBB - Fx 52.2, about:config pref "dom.vr.oculus.enabled" is true, by default.
It looks like 6 other similar prefs are set false, for now.

For those already checking it out in Fx nightlies, doesn't it show up under plugins manager, where it can be disabled?

comment:2 Changed 3 years ago by gk

Keywords: ff60-esr added; ff59-esr removed

Firefox 60 is the new ESR.

comment:3 Changed 2 years ago by mcs

In Firefox 60 ESR, WebVR is enabled by default on Windows (in Firefox >= 60 non-ESR, it is also enabled on macOS). Assuming we do not have time to audit the code that implements this feature, we should set dom.vr.enabled to false in browser/app/profiles/000-tor-browser.js

comment:4 Changed 2 years ago by tom

Yes, you should definitely do this with high priority =)

comment:5 Changed 2 years ago by gk

Priority: MediumHigh

Bumping prio.

comment:6 Changed 2 years ago by gk

Cc: mcs brade added
Keywords: TorBrowserTeam201808R added
Status: newneeds_review

Disabling WebVR for now until we have it properly audited: bug_21607 ( in my public tor-browser repo.

Last edited 2 years ago by gk (previous) (diff)

comment:7 Changed 2 years ago by mcs


comment:8 Changed 2 years ago by gk

Keywords: TorBrowserTeam201808 added; TorBrowserTeam201808R removed
Status: needs_reviewnew

Thanks! Cherry-picked to tor-browser-60.1.0esr-8.0-1 (commit 110dd4538adff67d4014684da52a518d17c1be39). Leaving the ticket open for the actual investigation.

comment:9 Changed 2 years ago by gk

Keywords: TorBrowserTeam201809 added; TorBrowserTeam201808 removed

Moving our tickets to September 2018

Note: See TracTickets for help on using tickets.