Opened 22 months ago

Last modified 3 months ago

#21607 new enhancement

Investigate WebVR API 1.1 for fingerprinting/linkability risks

Reported by: gk
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: ff60-esr, TorBrowserTeam201809
Cc: mcs, brade
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Virtual Reality (VR) is coming to the browser. Mozilla intends to enable VR support some time between ESR 52 and ESR 59 for Windows and Linux at least (see https://bugzilla.mozilla.org/show_bug.cgi?id=1343368 and https://groups.google.com/forum/?_escaped_fragment_=topic/mozilla.dev.platform/TB2gVavDe6w#!topic/mozilla.dev.platform/TB2gVavDe6w).

The W3C draft is on: https://w3c.github.io/webvr/archive/prerelease/1.1/

Change History (9)

comment:1 Changed 17 months ago by joebt

Investigating any new browser change is always good, but will WebVR even work with WebGL blocked by default in NoScript?

There's always a chance something could leak or be detectable, even if virtual reality doesn't work for users. A brief search of NoScript's site and the web didn't turn up any discussion of NoScript adding a "block WebVR" option.

In TBB - Fx 52.2, about:config pref "dom.vr.oculus.enabled" is true, by default.
It looks like 6 other similar prefs are set false, for now.

For those already checking it out in Fx nightlies, doesn't it show up under plugins manager, where it can be disabled?

comment:2 Changed 11 months ago by gk

Keywords: ff60-esr added; ff59-esr removed

Firefox 60 is the new ESR.

comment:3 Changed 6 months ago by mcs

In Firefox 60 ESR, WebVR is enabled by default on Windows (in Firefox >= 60 non-ESR, it is also enabled on macOS). Assuming we do not have time to audit the code that implements this feature, we should set dom.vr.enabled to false in browser/app/profiles/000-tor-browser.js
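
A check that a build or release step could run over a prefs file to confirm the change proposed in comment:3, added here as an example and not part of the ticket or of Tor Browser's code. The function names and the sample prefs text are constructed; only the pref names `dom.vr.enabled` and `dom.vr.oculus.enabled` come from the ticket.

```python
import re

# pref("name", value); or user_pref("name", value); at the start of a line.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def parse_prefs(text):
    """Return {name: raw value}. A later line overrides an earlier one."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop block comments
    prefs = {}
    for name, value in PREF_RE.findall(text):  # '//' lines never match
        prefs[name] = value
    return prefs

def audit_webvr(text):
    """Return (disabled, notes) for the dom.vr.* prefs found in text."""
    prefs = parse_prefs(text)
    master = prefs.get("dom.vr.enabled")
    notes = []
    if master is None:
        notes.append("dom.vr.enabled not set: platform default applies")
    elif master != "false":
        notes.append("dom.vr.enabled = " + master)
    for name in sorted(prefs):
        # Backend prefs still on are reported, but do not fail the check.
        if name.startswith("dom.vr.") and name != "dom.vr.enabled" \
                and prefs[name] == "true":
            notes.append(name + " = true (backend pref still on)")
    return master == "false", notes

# Constructed samples, not the contents of the real 000-tor-browser.js.
BEFORE = '''
pref("dom.vr.oculus.enabled", true);
// pref("dom.vr.enabled", false);
/* pref("dom.vr.enabled", false); */
'''
AFTER = BEFORE + 'pref("dom.vr.enabled", true);\npref("dom.vr.enabled", false);\n'

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_webvr(text))
```

The commented-out lines in the sample show why a plain text search for the pref name is not enough: only an active `pref(...)` line counts, and the last one wins.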

comment:4 Changed 6 months ago by tom

Yes, you should definitely do this with high priority =)

comment:5 Changed 4 months ago by gk

Priority: Medium → High

Bumping prio.

comment:6 Changed 4 months ago by gk

Cc: mcs brade added
Keywords: TorBrowserTeam201808R added
Status: new → needs_review

Disabling WebVR for now until we have it properly audited: bug_21607 (https://gitweb.torproject.org/user/gk/tor-browser.git/commit/?h=bug_21607&id=110dd4538adff67d4014684da52a518d17c1be39) in my public tor-browser repo.

comment:7 Changed 4 months ago by mcs

r=mcs
LGTM

comment:8 Changed 4 months ago by gk

Keywords: TorBrowserTeam201808 added; TorBrowserTeam201808R removed
Status: needs_review → new

Thanks! Cherry-picked to tor-browser-60.1.0esr-8.0-1 (commit 110dd4538adff67d4014684da52a518d17c1be39). Leaving the ticket open for the actual investigation.

comment:9 Changed 3 months ago by gk

Keywords: TorBrowserTeam201809 added; TorBrowserTeam201808 removed

Moving our tickets to September 2018.