Opened 20 months ago

Closed 5 weeks ago

Last modified 5 weeks ago

#22074 closed task (fixed)

Review Firefox Developer Docs and Undocumented bugs since FF52esr

Reported by: gk Owned by: tbb-team
Priority: Very High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: ff60-esr, TorBrowserTeam201811
Cc: brade, mcs Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

This ticket is for the review of new features and (undocumented) bugs between Firefox 53 and 59 inclusive.

Child Tickets

Change History (16)

comment:2 Changed 20 months ago by mcs

Cc: brade mcs added

comment:3 Changed 20 months ago by cypherpunks

"search queries" are a mess. Ask tjr for useful ones.

comment:4 Changed 11 months ago by gk

Keywords: ff60-esr added; ff59-esr removed

Firefox 60 is the new ESR.

comment:5 Changed 7 months ago by gk

Keywords: TorBrowserTeam201805 added
Priority: Medium → Very High
Type: defect → task

comment:6 Changed 6 months ago by gk

Keywords: TorBrowserTeam201806 added; TorBrowserTeam201805 removed

Moving our tickets to June 2018

comment:7 Changed 6 months ago by mcs

Here are the items that Kathy and I found so far that we do not think are covered by other open tickets:

https://bugzilla.mozilla.org/show_bug.cgi?id=1344669
Support for the dom.enable_user_timing pref, which we set to false, has been removed. We may need to restore support for this pref.

https://bugzilla.mozilla.org/show_bug.cgi?id=1251161
https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_Masking
Support for CSS masks was added and may represent a fingerprinting risk (e.g., if behavior is different for different platforms or GPUs).

https://bugzilla.mozilla.org/show_bug.cgi?id=1287983
https://bugzilla.mozilla.org/show_bug.cgi?id=1264125
https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_Transitions
Support for CSS Transition events was added (transitionstart, transitionrun, and transitioncancel). This may pose risks similar to CSS animations; see #18273.

https://bugzilla.mozilla.org/show_bug.cgi?id=1250077
https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_compressed_texture_astc
https://bugzilla.mozilla.org/show_bug.cgi?id=1325113
https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_compressed_texture_s3tc_srgb
Support for these WebGL extensions was added. We should verify that both are disabled by our setting webgl.disable-extensions to false.

https://bugzilla.mozilla.org/show_bug.cgi?id=1239100
https://developer.mozilla.org/en-US/docs/Web/API/SVGGeometryElement
The SVGGeometryElement interface has been partially implemented. We should verify that it does not add a fingerprinting risk due to methods such as SVGGeometryElement.getPointAtLength() which locates a point part way along an arbitrary path.

https://developer.mozilla.org/en-US/docs/Web/CSS/clip-path
https://bugzilla.mozilla.org/show_bug.cgi?id=1247229
Support for CSS clip-path on shapes was added. We should verify that this does not have any associated fingerprinting risks. There was a pref to disable this feature, but support for the pref was removed during the ESR60 development cycle.

https://bugzilla.mozilla.org/show_bug.cgi?id=1340655
As we know, support for HTTP 1.x pipelining was removed. We should remove the related prefs from browser/app/profile/000-tor-browser.js

https://bugzilla.mozilla.org/show_bug.cgi?id=1399036
The date and time <input> types are now enabled. We should verify that this does not leak the user's locale, e.g., if the input field dimensions are different in different locales. There is a dom.forms.datetime pref that may be used to remove support for these <input> types.

https://bugzilla.mozilla.org/show_bug.cgi?id=1314959
https://developer.mozilla.org/en-US/docs/Web/API/Background_Tasks_API
window.requestIdleCallback() is now available. We should determine whether it may be used to learn too much about the performance of the user's computer/device, or if there are other timing leaks we want to avoid. This can be disabled by setting dom.requestIdleCallback.enabled to false.

https://bugzilla.mozilla.org/show_bug.cgi?id=1321865
https://developer.mozilla.org/en-US/docs/Web/API/Intersection_Observer_API
Support for the Intersection Observer API was added. It "provides a way to asynchronously observe changes in the intersection of a target element with an ancestor element or with a top-level document's viewport" and may add linkability or fingerprinting risks.

https://bugzilla.mozilla.org/show_bug.cgi?id=1151421
The window.pageYOffset/pageXOffset/scrollX/scrollY properties now return data with subpixel accuracy. We think this means "half pixels on a macOS Retina or other high resolution display." Does this pose any fingerprinting risks? We may already round these when privacy.resistFingerprinting is true.

https://bugzilla.mozilla.org/show_bug.cgi?id=1364297
A name property was added to Worker() and SharedWorker(). We don't think this adds any new linkability risks though since workers can already communicate via messages.

https://bugzilla.mozilla.org/show_bug.cgi?id=1222633
https://developer.mozilla.org/en-US/docs/Web/HTML/Preloading_content
Support for <link rel="preload"> was added in Firefox 56 but it was disabled in Firefox 57 "because of various web compatibility issues." We should verify that this is still disabled or ensure that it is subject to first-party isolation.

https://bugzilla.mozilla.org/show_bug.cgi?id=1379938
Support was added for some new system color values (-moz-win-accentcolor and -moz-win-accentcolortext) as well as a -moz-windows-accent-color-in-titlebar media query. It looks like the colors are correctly spoofed when ui.use_standins_for_native_colors = true but the media query may add a fingerprinting risk.

https://bugzilla.mozilla.org/show_bug.cgi?id=1386974
Hardware-based encoding for media is now enabled by default on Android. We are not sure if this is a problem or not.

https://bugzilla.mozilla.org/show_bug.cgi?id=1403318
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/PluralRules
https://bugzilla.mozilla.org/show_bug.cgi?id=1403319
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/NumberFormat/formatToParts
https://bugzilla.mozilla.org/show_bug.cgi?id=1386146
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/DateTimeFormat
Various international APIs and enhancements to existing APIs were added. We should review them to make sure locale info, etc. is not leaked when privacy.resistFingerprinting is true.

https://bugzilla.mozilla.org/show_bug.cgi?id=1393691
Firefox now implements a TLS handshake timeout with a default value of 30 seconds. Previously, it was a lot longer (maybe the same as the system TCP connect timeout, which is typically on the order of 10 minutes). We should decide whether we need a longer timeout for Tor-based browsing, e.g., 2 or 3 minutes.

https://bugzilla.mozilla.org/show_bug.cgi?id=577084
As of Firefox 59, Apple's HTTPS Live Streaming (HLS) protocol is supported on Android for both audio and video. We should audit this or at least look at how it is implemented. Mozilla says: "There is not currently any plan to implement it on Firefox Desktop."

https://bugzilla.mozilla.org/show_bug.cgi?id=1432542
The Web Authentication API has been enabled. We should audit it or at least understand it better, or we should disable it by setting security.webauth.webauthn = false.
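Several of the items above end with "we should verify that this is disabled". The following is an added example (not code from the ticket or from Tor Browser) of a small presence audit for those features; `g` stands in for the page's global object, so in a browser it is called as `auditEsr60Features(window)` and under Node it runs against a constructed stand-in. The pref names in the comments are the ones the ticket mentions; which features "should" be absent is an assumption based on the ticket's recommendations.

```javascript
// Added example: audit whether the ESR60 features listed in comment:7 are
// exposed to content. Returns { featureName: true if exposed }.
function auditEsr60Features(g) {
  const has = (obj, prop) => obj != null && typeof obj[prop] !== 'undefined';
  const report = {};

  // dom.enable_user_timing: User Timing API (performance.mark/measure)
  report.userTiming = has(g.performance, 'mark');

  // dom.requestIdleCallback.enabled: Background Tasks API
  report.requestIdleCallback = has(g, 'requestIdleCallback');

  // Intersection Observer API
  report.intersectionObserver = has(g, 'IntersectionObserver');

  // security.webauth.webauthn: Web Authentication API
  report.webAuthn = has(g, 'PublicKeyCredential');

  // SVGGeometryElement (getPointAtLength and friends)
  report.svgGeometry = has(g, 'SVGGeometryElement');

  // dom.forms.datetime: an unsupported <input type> falls back to "text"
  report.dateTimeInputs = supportsInputType(g.document, 'date');

  // Subpixel scroll offsets: only detectable once the page is scrolled to a
  // fractional offset, so false here does not by itself prove rounding.
  report.subpixelScroll =
    Number.isFinite(g.scrollY) && !Number.isInteger(g.scrollY);

  return report;
}

// Create an <input>, set its type, and see whether the browser kept it.
function supportsInputType(doc, type) {
  if (!doc || typeof doc.createElement !== 'function') return false;
  const el = doc.createElement('input');
  el.setAttribute('type', type);
  return el.type === type;
}

// Names of audited features that are still exposed; a hardened profile
// following the ticket's recommendations is expected to return [].
function exposedFeatures(report) {
  return Object.keys(report).filter((name) => report[name]);
}
```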

comment:8 Changed 5 months ago by mcs

I filed a bunch of tickets to cover the new things we found when reviewing the developer release notes (see comment:7):

#26598 disable User Timing API in ESR60
#26599 investigate CSS masks feature for fingerprinting potential
#26600 verify that new WebGL extensions are disabled
#26601 investigate whether SVGGeometryElement introduces a fingerprinting vector
#26602 investigate whether CSS clip-path adds a fingerprinting risk
#26603 remove obsolete HTTP pipelining prefs
#26604 investigate whether date and time <input> types leak the user's locale
#26605 investigate window.requestIdleCallback() for possible timing leaks
#26606 investigate fingerprinting and linkability risks of the Intersection Observer API
#26607 verify that subpixel accuracy of window scroll properties does not add fingerprinting risk
#26608 investigate <link rel="preload">
#26609 investigate whether the -moz-windows-accent-color-in-titlebar media query adds a fingerprinting vector
#26610 investigate whether hardware encoding of media adds fingerprinting risk for TBA
#26611 verify no locale leaks in ESR60 Intl APIs
#26612 increase the TLS handshake timeout
#26613 audit or disable Apple HLS implementation on Android
#26614 audit or disable the Web Authentication API

I am leaving this ticket open because Kathy and I found a few more undocumented issues when reviewing all of the bugs that were fixed between Firefox 53 and 60, and in fact we have not completed that review yet.

comment:9 Changed 5 months ago by gk

Keywords: TorBrowserTeam201807 added; TorBrowserTeam201806 removed

Moving first batch of tickets to July 2018

comment:10 Changed 4 months ago by gk

Keywords: TorBrowserTeam201808 added; TorBrowserTeam201807 removed

Move our tickets to August.

comment:11 Changed 3 months ago by gk

Keywords: TorBrowserTeam201809 added; TorBrowserTeam201808 removed

Moving our tickets to September 2018

comment:12 Changed 2 months ago by gk

Keywords: TorBrowserTeam201810 added; TorBrowserTeam201809 removed

Moving tickets to October

comment:13 Changed 7 weeks ago by traumschule

FF63 is probably not interesting because ff68 is the upcoming base, however they review new preferences in it:
https://github.com/ghacksuserjs/ghacks-user.js/issues/501

There is also a ticket for TBB:
https://github.com/ghacksuserjs/ghacks-user.js/issues/491

comment:14 Changed 5 weeks ago by gk

Keywords: TorBrowserTeam201811 added; TorBrowserTeam201810 removed

Moving our tickets to November.

comment:15 Changed 5 weeks ago by mcs

Resolution: fixed
Status: new → closed

Kathy and I reviewed our remaining notes and I opened 7 new tickets:

#28368 - determine if media.decoder.recycle.enabled allows any linkability
#28369 - remove pingsender from Tor Browser
#28370 - stop setting obsolete media.eme.apiVisible pref
#28371 - verify that speculative connect on mousedown does not violate FPI
#28372 - determine if onvisibilitychange is a fingerprinting vector
#28373 - verify that cubeb-related tmp files do not violate disk avoidance
#28374 - ensure RequestStorageId cannot be accessed remotely

I will close this one now, but contributions to the new tickets are welcome. Maybe someone else has already investigated some of these potential issues, or maybe some are duplicates of existing tickets.

comment:16 Changed 5 weeks ago by mcs

One more for which I almost forgot to create a ticket:
#28375 - improve handling of uninstalled protocol handler
