Opened 17 months ago

Last modified 3 weeks ago

#22074 new task

Review Firefox Developer Docs and Undocumented bugs since FF52esr

Reported by: gk Owned by: tbb-team
Priority: Very High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: ff60-esr, TorBrowserTeam201809
Cc: brade, mcs Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

This ticket is for the review of new features and (undocumented) bugs between Firefox 53 and 59 inclusive.

Child Tickets

Change History (11)

comment:2 Changed 17 months ago by mcs

Cc: brade mcs added

comment:3 Changed 17 months ago by cypherpunks

"search queries" are a mess. Ask tjr for useful ones.

comment:4 Changed 8 months ago by gk

Keywords: ff60-esr added; ff59-esr removed

Firefox 60 is the new ESR.

comment:5 Changed 5 months ago by gk

Keywords: TorBrowserTeam201805 added
Priority: Medium → Very High
Type: defect → task

comment:6 Changed 4 months ago by gk

Keywords: TorBrowserTeam201806 added; TorBrowserTeam201805 removed

Moving our tickets to June 2018

comment:7 Changed 4 months ago by mcs

Here are the items that Kathy and I found so far that we do not think are covered by other open tickets:

https://bugzilla.mozilla.org/show_bug.cgi?id=1344669
Support for the dom.enable_user_timing pref, which we set to false, has been removed. We may need to restore support for this pref.

https://bugzilla.mozilla.org/show_bug.cgi?id=1251161
https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_Masking
Support for CSS masks was added and may represent a fingerprinting risk (e.g., if behavior is different for different platforms or GPUs).

https://bugzilla.mozilla.org/show_bug.cgi?id=1287983
https://bugzilla.mozilla.org/show_bug.cgi?id=1264125
https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_Transitions
Support for CSS Transition events was added (transitionstart, transitionrun, and transitioncancel). This may pose risks similar to CSS animations; see #18273.

https://bugzilla.mozilla.org/show_bug.cgi?id=1250077
https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_compressed_texture_astc
https://bugzilla.mozilla.org/show_bug.cgi?id=1325113
https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_compressed_texture_s3tc_srgb
Support for these WebGL extensions was added. We should verify that both are disabled by our setting webgl.disable-extensions to false.

https://bugzilla.mozilla.org/show_bug.cgi?id=1239100
https://developer.mozilla.org/en-US/docs/Web/API/SVGGeometryElement
The SVGGeometryElement interface has been partially implemented. We should verify that it does not add a fingerprinting risk due to methods such as SVGGeometryElement.getPointAtLength() which locates a point part way along an arbitrary path.

https://developer.mozilla.org/en-US/docs/Web/CSS/clip-path
https://bugzilla.mozilla.org/show_bug.cgi?id=1247229
Support for CSS clip-path on shapes was added. We should verify that this does not have any associated fingerprinting risks. There was a pref to disable this feature, but support for the pref was removed during the ESR60 development cycle.

https://bugzilla.mozilla.org/show_bug.cgi?id=1340655
As we know, support for HTTP 1.x pipelining was removed. We should remove the related prefs from browser/app/profile/000-tor-browser.js

https://bugzilla.mozilla.org/show_bug.cgi?id=1399036
The date and time <input> types are now enabled. We should verify that this does not leak the user's locale, e.g., if the input field dimensions are different in different locales. There is a dom.forms.datetime pref that may be used to remove support for these <input> types.

https://bugzilla.mozilla.org/show_bug.cgi?id=1314959
https://developer.mozilla.org/en-US/docs/Web/API/Background_Tasks_API
window.requestIdleCallback() is now available. We should determine whether it may be used to learn too much about the performance of the user's computer/device, or if there are other timing leaks we want to avoid. This can be disabled by setting dom.requestIdleCallback.enabled to false.

https://bugzilla.mozilla.org/show_bug.cgi?id=1321865
https://developer.mozilla.org/en-US/docs/Web/API/Intersection_Observer_API
Support for the Intersection Observer API was added. It "provides a way to asynchronously observe changes in the intersection of a target element with an ancestor element or with a top-level document's viewport" and may add linkability or fingerprinting risks.

https://bugzilla.mozilla.org/show_bug.cgi?id=1151421
The window.pageYOffset/pageXOffset/scrollX/scrollY properties now return data with subpixel accuracy. We think this means "half pixels on a macOS Retina or other high resolution display." Does this pose any fingerprinting risks? We may already round these when privacy.resistFingerprinting is true.

https://bugzilla.mozilla.org/show_bug.cgi?id=1364297
A name property was added to Worker() and SharedWorker(). We don't think this adds any new linkability risks though since workers can already communicate via messages.

https://bugzilla.mozilla.org/show_bug.cgi?id=1222633
https://developer.mozilla.org/en-US/docs/Web/HTML/Preloading_content
Support for <link rel="preload"> was added in Firefox 56 but it was disabled in Firefox 57 "because of various web compatibility issues." We should verify that this is still disabled or ensure that it is subject to first-party isolation.

https://bugzilla.mozilla.org/show_bug.cgi?id=1379938
Support was added for some new system color values (-moz-win-accentcolor and -moz-win-accentcolortext) as well as a -moz-windows-accent-color-in-titlebar media query. It looks like the colors are correctly spoofed when ui.use_standins_for_native_colors = true but the media query may add a fingerprinting risk.

https://bugzilla.mozilla.org/show_bug.cgi?id=1386974
Hardware-based encoding for media is now enabled by default on Android. We are not sure if this is a problem or not.

https://bugzilla.mozilla.org/show_bug.cgi?id=1403318
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/PluralRules
https://bugzilla.mozilla.org/show_bug.cgi?id=1403319
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/NumberFormat/formatToParts
https://bugzilla.mozilla.org/show_bug.cgi?id=1386146
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/DateTimeFormat
Various international APIs and enhancements to existing APIs were added. We should review them to make sure locale info, etc. is not leaked when privacy.resistFingerprinting is true.

https://bugzilla.mozilla.org/show_bug.cgi?id=1393691
Firefox now implements a TLS handshake timeout with a default value of 30 seconds. Previously, it was a lot longer (maybe the same as the system TCP connect timeout, which is typically on the order of 10 minutes). We should decide whether we need a longer timeout for Tor-based browsing, e.g., 2 or 3 minutes.

https://bugzilla.mozilla.org/show_bug.cgi?id=577084
As of Firefox 59, Apple's HTTPS Live Streaming (HLS) protocol is supported on Android for both audio and video. We should audit this or at least look at how it is implemented. Mozilla says: "There is not currently any plan to implement it on Firefox Desktop."

https://bugzilla.mozilla.org/show_bug.cgi?id=1432542
The Web Authentication API has been enabled. We should audit it or at least understand it better, or we should disable it by setting security.webauth.webauthn = false.
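Several of the items above boil down to one question: after the prefs are set, is the surface still reachable from content? The following is an added example (not code from this ticket or from the Tor Browser project) of a feature-exposure audit a reviewer could paste into the browser console to answer that for the APIs listed in comment:7. Pass `globalThis` from a browser; the `MOCK_GLOBAL` object is a constructed stand-in with invented values so the audit can also be exercised offline from Node. The pref names in the comments are the ones quoted in the comment above; the `expectedOff` list given to `unexpectedExposures()` is an assumption the reviewer supplies, not a statement of what Tor Browser configures.

```javascript
// Added example: audit which of the surfaces reviewed in comment:7 are exposed
// to web content. `g` is a browser global (globalThis) or a stand-in object.
const isFn = (v) => typeof v === 'function';

function auditExposedSurfaces(g) {
  const doc = g.document;
  const mk = (tag) => (doc && isFn(doc.createElement) ? doc.createElement(tag) : null);

  // Unsupported <input> types fall back to "text", so an assigned type survives
  // only when the browser implements it (dom.forms.datetime in the ticket).
  const inputTypeSupported = (t) => {
    const el = mk('input');
    if (!el) return false;
    el.type = t;
    return el.type === t;
  };

  // WebGL extension names as reported by the context; empty if WebGL is off.
  const canvas = mk('canvas');
  const gl = canvas && isFn(canvas.getContext) ? canvas.getContext('webgl') : null;
  const exts = gl && isFn(gl.getSupportedExtensions) ? (gl.getSupportedExtensions() || []) : [];

  return {
    userTiming: !!g.performance && isFn(g.performance.mark),   // dom.enable_user_timing
    requestIdleCallback: isFn(g.requestIdleCallback),          // dom.requestIdleCallback.enabled
    intersectionObserver: isFn(g.IntersectionObserver),
    svgGetPointAtLength: !!g.SVGGeometryElement && !!g.SVGGeometryElement.prototype &&
      isFn(g.SVGGeometryElement.prototype.getPointAtLength),
    webauthn: isFn(g.PublicKeyCredential),                     // security.webauth.webauthn
    intlPluralRules: !!g.Intl && isFn(g.Intl.PluralRules),
    intlNumberFormatToParts: !!g.Intl && isFn(g.Intl.NumberFormat) &&
      isFn(g.Intl.NumberFormat.prototype.formatToParts),
    // Locale string the Intl APIs hand to content; null when DateTimeFormat is absent.
    intlResolvedLocale: !!g.Intl && isFn(g.Intl.DateTimeFormat)
      ? new g.Intl.DateTimeFormat().resolvedOptions().locale : null,
    dateInput: inputTypeSupported('date'),
    timeInput: inputTypeSupported('time'),
    webglAstc: exts.includes('WEBGL_compressed_texture_astc'),
    webglS3tcSrgb: exts.includes('WEBGL_compressed_texture_s3tc_srgb'),
    // A fractional scroll offset shows that subpixel accuracy reaches content.
    subpixelScroll: [g.scrollX, g.scrollY, g.pageXOffset, g.pageYOffset]
      .some((v) => typeof v === 'number' && !Number.isInteger(v)),
  };
}

// Names from the report that are exposed although the reviewer expected them off.
function unexpectedExposures(report, expectedOff) {
  return expectedOff.filter((name) => report[name] === true);
}

// Constructed stand-in for a browser global so the audit runs offline. The
// values are invented for this example and describe no real build.
const MOCK_INPUT_TYPES = new Set(['text', 'date']); // "time" falls back to text
const MOCK_GLOBAL = {
  performance: { mark() {} },
  requestIdleCallback() { return 1; },
  IntersectionObserver: function IntersectionObserver() {},
  SVGGeometryElement: function SVGGeometryElement() {},
  Intl: { PluralRules: function PluralRules() {}, NumberFormat: function NumberFormat() {} },
  scrollX: 12.5, scrollY: 0, pageXOffset: 12.5, pageYOffset: 0,
  document: {
    createElement(tag) {
      if (tag === 'input') {
        let type = 'text';
        return {
          get type() { return type; },
          set type(t) { type = MOCK_INPUT_TYPES.has(t) ? t : 'text'; },
        };
      }
      if (tag === 'canvas') {
        return { getContext: () => ({ getSupportedExtensions: () => ['WEBGL_compressed_texture_astc'] }) };
      }
      return {};
    },
  },
};
MOCK_GLOBAL.SVGGeometryElement.prototype.getPointAtLength = function () { return {}; };

// Use the real global when a DOM is present, otherwise the constructed stand-in.
const target = typeof document !== 'undefined' ? globalThis : MOCK_GLOBAL;
const report = auditExposedSurfaces(target);
console.log(JSON.stringify(report, null, 2));
console.log('unexpected:', unexpectedExposures(report, ['userTiming', 'webauthn', 'webglAstc', 'webglS3tcSrgb']));
```

The report is deliberately boolean per surface so it can be diffed between a stock Firefox build and a Tor Browser build, or between two Tor Browser builds, to confirm that a pref change actually removed the API from content; `intlResolvedLocale` is kept as a string so the reviewer can see the exact locale value that leaks when privacy.resistFingerprinting is not in effect.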

comment:8 Changed 3 months ago by mcs

I filed a bunch of tickets to cover the new things we found when reviewing the developer release notes (see comment:7):

#26598 disable User Timing API in ESR60
#26599 investigate CSS masks feature for fingerprinting potential
#26600 verify that new WebGL extensions are disabled
#26601 investigate whether SVGGeometryElement introduces a fingerprinting vector
#26602 investigate whether CSS clip-path adds a fingerprinting risk
#26603 remove obsolete HTTP pipelining prefs
#26604 investigate whether date and time <input> types leak the user's locale
#26605 investigate window.requestIdleCallback() for possible timing leaks
#26606 investigate fingerprinting and linkability risks of the Intersection Observer API
#26607 verify that subpixel accuracy of window scroll properties does not add fingerprinting risk
#26608 investigate <link rel="preload">
#26609 investigate whether the -moz-windows-accent-color-in-titlebar media query adds a fingerprinting vector
#26610 investigate whether hardware encoding of media adds fingerprinting risk for TBA
#26611 verify no locale leaks in ESR60 Intl APIs
#26612 increase the TLS handshake timeout
#26613 audit or disable Apple HLS implementation on Android
#26614 audit or disable the Web Authentication API

I am leaving this ticket open because Kathy and I found a few more undocumented issues when reviewing all of the bugs that were fixed between Firefox 53 and 60, and in fact we have not completed that review yet.

comment:9 Changed 3 months ago by gk

Keywords: TorBrowserTeam201807 added; TorBrowserTeam201806 removed

Moving first batch of tickets to July 2018

comment:10 Changed 8 weeks ago by gk

Keywords: TorBrowserTeam201808 added; TorBrowserTeam201807 removed

Move our tickets to August.

comment:11 Changed 3 weeks ago by gk

Keywords: TorBrowserTeam201809 added; TorBrowserTeam201808 removed

Moving our tickets to September 2018
