Opened 3 years ago

Closed 21 months ago

Last modified 21 months ago

#22074 closed task (fixed)

Review Firefox Developer Docs and Undocumented bugs since FF52esr

Reported by: gk
Owned by: tbb-team
Priority: Very High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: ff60-esr, TorBrowserTeam201811
Cc: brade, mcs
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


This ticket is for the review of new features and (undocumented) bugs between Firefox 53 and 59 inclusive.

Child Tickets

Change History (16)

comment:2 Changed 3 years ago by mcs

Cc: brade mcs added

comment:3 Changed 3 years ago by cypherpunks

"search queries" are a mess. Ask tjr for useful ones.

comment:4 Changed 3 years ago by gk

Keywords: ff60-esr added; ff59-esr removed

Firefox 60 is the new ESR.

comment:5 Changed 2 years ago by gk

Keywords: TorBrowserTeam201805 added
Priority: Medium → Very High
Type: defect → task

comment:6 Changed 2 years ago by gk

Keywords: TorBrowserTeam201806 added; TorBrowserTeam201805 removed

Moving our tickets to June 2018

comment:7 Changed 2 years ago by mcs

Here are the items that Kathy and I found so far that we do not think are covered by other open tickets:
Support for the dom.enable_user_timing pref, which we set to false, has been removed. We may need to restore support for this pref.
Support for CSS masks was added and may represent a fingerprinting risk (e.g., if behavior is different for different platforms or GPUs).
Support for CSS Transition events was added (transitionstart, transitionrun, and transitioncancel). This may pose risks similar to CSS animations; see #18273.
Support for these WebGL extensions was added. We should verify that both are disabled by our setting webgl.disable-extensions to false.
The SVGGeometryElement interface has been partially implemented. We should verify that it does not add a fingerprinting risk due to methods such as SVGGeometryElement.getPointAtLength() which locates a point part way along an arbitrary path.
Support for CSS clip-path on shapes was added. We should verify that this does not have any associated fingerprinting risks. There was a pref to disable this feature, but support for the pref was removed during the ESR60 development cycle.
As we know, support for HTTP 1.x pipelining was removed. We should remove the related prefs from browser/app/profile/000-tor-browser.js
The date and time <input> types are now enabled. We should verify that this does not leak the user's locale, e.g., if the input field dimensions are different in different locales. There is a dom.forms.datetime pref that may be used to remove support for these <input> types.
window.requestIdleCallback() is now available. We should determine whether it may be used to learn too much about the performance of the user's computer/device, or if there are other timing leaks we want to avoid. This can be disabled by setting dom.requestIdleCallback.enabled to false.
Support for the Intersection Observer API was added. It "provides a way to asynchronously observe changes in the intersection of a target element with an ancestor element or with a top-level document's viewport." and may add linkability or fingerprinting risks.
The window.pageYOffset/pageXOffset/scrollX/scrollY properties now return data with subpixel accuracy. We think this means "half pixels on a macOS Retina or other high resolution display." Does this pose any fingerprinting risks? We may already round these when privacy.resistFingerprinting is true.
A name property was added to Worker() and SharedWorker(). We don't think this adds any new linkability risks though since workers can already communicate via messages.
Support for <link rel="preload"> was added in Firefox 56 but it was disabled in Firefox 57 "because of various web compatibility issues." We should verify that this is still disabled or ensure that it is subject to first-party isolation.
Support was added for some new system color values (-moz-win-accentcolor and -moz-win-accentcolortext) as well as a -moz-windows-accent-color-in-titlebar media query. It looks like the colors are correctly spoofed when ui.use_standins_for_native_colors = true but the media query may add a fingerprinting risk.
Hardware-based encoding for media is now enabled by default on Android. We are not sure if this is a problem or not.
Various international APIs and enhancements to existing APIs were added. We should review them to make sure locale info, etc. is not leaked when privacy.resistFingerprinting is true.
Firefox now implements a TLS handshake timeout with a default value of 30 seconds. Previously, it was a lot longer (maybe the same as the system TCP connect timeout, which is typically on the order of 10 minutes). We should decide whether we need a longer timeout for Tor-based browsing, e.g., 2 or 3 minutes.
As of Firefox 59, Apple's HTTPS Live Streaming (HLS) protocol is supported on Android for both audio and video. We should audit this or at least look at how it is implemented. Mozilla says: "There is not currently any plan to implement it on Firefox Desktop."
The Web Authentication API has been enabled. We should audit it or at least understand it better, or we should disable it by setting security.webauth.webauthn = false.
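
The list above is a set of "verify that ..." items; the following page-side probe is an added example (not Tor Browser or Mozilla code, and not part of the ticket) that checks each of those surfaces from inside a running build so the verification can be repeated after a pref change. It uses only standard DOM/Web API names for detection; the mapping from each check to a review item, and the `probeSurfaces`/`enabledSurfaces` function names, are this example's own. In a browser console run `probeSurfaces(window, document)`; under Node it accepts a constructed window-like object.

```javascript
// Added example: probe the fingerprinting/linkability surfaces from the
// review list above. Not Tor Browser or Mozilla code. Detection relies on
// standard DOM/Web API property names; which review item each check maps
// to is this example's own reading of the list.

function probeSurfaces(win, doc) {
  const nav = win.navigator || {};
  const f = {};

  // dom.enable_user_timing: User Timing exposes performance.mark()/measure().
  f.userTiming = !!(win.performance && typeof win.performance.mark === 'function');

  // CSS Transition events: GlobalEventHandlers attributes present on window.
  f.transitionEvents = ['ontransitionstart', 'ontransitionrun', 'ontransitioncancel']
    .filter((h) => h in win);

  // dom.requestIdleCallback.enabled
  f.requestIdleCallback = typeof win.requestIdleCallback === 'function';

  // Intersection Observer API
  f.intersectionObserver = typeof win.IntersectionObserver === 'function';

  // dom.forms.datetime: an unsupported <input type> is reflected back as "text".
  const input = doc.createElement('input');
  input.setAttribute('type', 'date');
  f.dateTimeInputs = input.type === 'date';

  // <link rel="preload">: relList.supports() reports whether the token is honoured.
  const link = doc.createElement('link');
  f.preload = !!(link.relList && link.relList.supports('preload'));

  // Subpixel scroll offsets: conclusive only when the page is scrolled to a
  // fractional position on a HiDPI display; an integer value proves nothing.
  const y = win.scrollY !== undefined ? win.scrollY : win.pageYOffset;
  f.devicePixelRatio = win.devicePixelRatio;
  f.subpixelScroll = (typeof y === 'number' && !Number.isInteger(y))
    ? 'fractional' : 'inconclusive';

  // -moz-windows-accent-color-in-titlebar media query (only matches on Windows).
  f.accentColorMediaQuery = typeof win.matchMedia === 'function'
    && win.matchMedia('(-moz-windows-accent-color-in-titlebar)').matches;

  // security.webauth.webauthn
  f.webauthn = typeof win.PublicKeyCredential === 'function';

  // Intl: the resolved default locale should agree with navigator.language;
  // a mismatch is the kind of locale leak the review asks to rule out.
  const intl = win.Intl || (typeof Intl !== 'undefined' ? Intl : undefined);
  f.intlLocale = intl ? new intl.DateTimeFormat().resolvedOptions().locale : undefined;
  f.navigatorLanguage = nav.language;
  f.localeMismatch = !!(f.intlLocale && nav.language && f.intlLocale !== nav.language);

  return f;
}

// Names of surfaces the review wants disabled or verified that the probe
// found enabled. Anything returned here needs a ticket or a pref change.
function enabledSurfaces(f) {
  const flags = {
    userTiming: f.userTiming,
    transitionEvents: f.transitionEvents.length > 0,
    requestIdleCallback: f.requestIdleCallback,
    intersectionObserver: f.intersectionObserver,
    dateTimeInputs: f.dateTimeInputs,
    preload: f.preload,
    subpixelScroll: f.subpixelScroll === 'fractional',
    accentColorMediaQuery: f.accentColorMediaQuery,
    webauthn: f.webauthn,
    localeMismatch: f.localeMismatch,
  };
  return Object.keys(flags).filter((k) => flags[k]);
}

// In a real browser print the findings; under Node (no window) this is skipped.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const findings = probeSurfaces(window, document);
  console.log(findings);
  console.log('enabled surfaces:', enabledSurfaces(findings));
}
```

Scroll the page to a fractional offset (for example by scrolling inside a zoomed or HiDPI layout) before reading the subpixel result, and run the probe both with and without privacy.resistFingerprinting to see which items the existing rounding/spoofing already covers.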

comment:8 Changed 2 years ago by mcs

I filed a bunch of tickets to cover the new things we found when reviewing the developer release notes (see comment:7):

#26598 disable User Timing API in ESR60
#26599 investigate CSS masks feature for fingerprinting potential
#26600 verify that new WebGL extensions are disabled
#26601 investigate whether SVGGeometryElement introduces a fingerprinting vector
#26602 investigate whether CSS clip-path adds a fingerprinting risk
#26603 remove obsolete HTTP pipelining prefs
#26604 investigate whether date and time <input> types leak the user's locale
#26605 investigate window.requestIdleCallback() for possible timing leaks
#26606 investigate fingerprinting and linkability risks of the Intersection Observer API
#26607 verify that subpixel accuracy of window scroll properties does not add fingerprinting risk
#26608 investigate <link rel="preload">
#26609 investigate whether the -moz-windows-accent-color-in-titlebar media query adds a fingerprinting vector
#26610 investigate whether hardware encoding of media adds fingerprinting risk for TBA
#26611 verify no locale leaks in ESR60 Intl APIs
#26612 increase the TLS handshake timeout
#26613 audit or disable Apple HLS implementation on Android
#26614 audit or disable the Web Authentication API

I am leaving this ticket open because Kathy and I found a few more undocumented issues when reviewing all of the bugs that were fixed between Firefox 53 and 60, and in fact we have not completed that review yet.

comment:9 Changed 2 years ago by gk

Keywords: TorBrowserTeam201807 added; TorBrowserTeam201806 removed

Moving first batch of tickets to July 2018

comment:10 Changed 2 years ago by gk

Keywords: TorBrowserTeam201808 added; TorBrowserTeam201807 removed

Move our tickets to August.

comment:11 Changed 2 years ago by gk

Keywords: TorBrowserTeam201809 added; TorBrowserTeam201808 removed

Moving our tickets to September 2018

comment:12 Changed 22 months ago by gk

Keywords: TorBrowserTeam201810 added; TorBrowserTeam201809 removed

Moving tickets to October

comment:13 Changed 22 months ago by traumschule

FF63 is probably not interesting because ff68 is the upcoming base, however they review new preferences in it:

There is also a ticket for TBB:

comment:14 Changed 21 months ago by gk

Keywords: TorBrowserTeam201811 added; TorBrowserTeam201810 removed

Moving our tickets to November.

comment:15 Changed 21 months ago by mcs

Resolution: fixed
Status: new → closed

Kathy and I reviewed our remaining notes and I opened 7 new tickets:

#28368 - determine if media.decoder.recycle.enabled allows any linkability
#28369 - remove pingsender from Tor Browser
#28370 - stop setting obsolete media.eme.apiVisible pref
#28371 - verify that speculative connect on mousedown does not violate FPI
#28372 - determine if onvisibilitychange is a fingerprinting vector
#28373 - verify that cubeb-related tmp files do not violate disk avoidance
#28374 - ensure RequestStorageId cannot be accessed remotely

I will close this one now, but contributions to the new tickets are welcome. Maybe someone else has already investigated some of these potential issues, or maybe some are duplicates of existing tickets.

comment:16 Changed 21 months ago by mcs

One more for which I almost forgot to create a ticket:
#28375 - improve handling of uninstalled protocol handler
