Neuter NetworkInformation API on Tor Browser Mobile

The Networkinformation API is enabled by default in the mobile version of Firefox. This is governed by a preference, dom.netinfo.enabled. This API (https://developer.mozilla.org/en-US/docs/Web/API/NetworkInformation) provides a variety of information, e.g. the connection type a device is using to communicate with the network or the maximum downlink speed. We should avoid fingerprinting risks associated with this API. For a discussion among Mozilla engineers see: https://groups.google.com/forum/#!topic/mozilla.dev.platform/lCZmhCDGHPY

added TorBrowserTeam201712R component::applications/tor browser owner::igt0 priority::high resolution::fixed severity::normal status::closed tbb-fingerprinting tbb-mobile type::task labels

See also: https://bugzilla.mozilla.org/show_bug.cgi?id=1360242

That link to google groups didn't work for me, but searching for "netinfo" in the group found the singular result.

Trac:
Keywords: tbb-mobile deleted, tbb-mobile tbb-fingerprinting added

Trac:
Summary: Neuter NetworkInformatin API on Tor Browser Mobile to Neuter NetworkInformation API on Tor Browser Mobile

I am working on it.

Trac:
Owner: tbb-team to igt0
Status: new to accepted

There is already an upstream fix for this bug:

https://hg.mozilla.org/mozilla-central/rev/69970dbe2b5a https://hg.mozilla.org/mozilla-central/rev/12f8c79dabb4

Replying to igt0:

There is already an upstream fix for this bug:

https://hg.mozilla.org/mozilla-central/rev/69970dbe2b5a https://hg.mozilla.org/mozilla-central/rev/12f8c79dabb4

Thanks. I guess we want to backport those for our esr52-based branch. Do you think you want to do that?

Replying to gk:

Replying to igt0:

There is already an upstream fix for this bug:

https://hg.mozilla.org/mozilla-central/rev/69970dbe2b5a https://hg.mozilla.org/mozilla-central/rev/12f8c79dabb4

Thanks. I guess we want to backport those for our esr52-based branch. Do you think you want to do that?

Yep, I am on it.

Trac:
Cc: N/A to brade, mcs

Trac:
0001-Spoofing-network-information-API-and-blocking-ontype.patch

Version 1 - Backport commits from firefox

Trac:
Status: accepted to needs_review

Trac:
Keywords: N/A deleted, TorBrowserTeam201712R added

Thanks. I think the code backported looks good. However, I think we should have a better patch format. First, we should keep the Mozilla bug number. That makes it easier to find the patch(es) in our tree. Second, we should keep the patch(set) structure: one commit in our tree should match one commit taken from Mozilla. This allows us to pinpoint possible issues easier. Third, we should fix up the commit message if needed (in your case you still have included "This tests not only windows, but also workers." even though you rightly omitted the workers related part).

A workflow that works fine for me is having mozilla-central as a git remote and cherry picking the patches from that one into tor-browser one-by-one, fixing them up if needed and adapting the commit message afterwards with git commit --amend if needed as well.

Trac:
Status: needs_review to needs_revision
Keywords: TorBrowserTeam201712R deleted, TorBrowserTeam201712 added

Trac:
0001-PATCH-Bug-1372072-Part-1-Spoofing-network-informatio.patch

Version 2 - Backport code from Firefox

Trac:
0002-PATCH-Bug-1372072-Part-2-Add-a-test-case-for-check-w.patch

Version 2 - Backport test from firefox

Thanks,

I attached the back ported patches following the proposed workflow:

Part 1: https://trac.torproject.org/projects/tor/attachment/ticket/22084/0001-PATCH-Bug-1372072-Part-1-Spoofing-network-informatio.patch

Part 2: https://trac.torproject.org/projects/tor/attachment/ticket/22084/0002-PATCH-Bug-1372072-Part-2-Add-a-test-case-for-check-w.patch

Replying to gk:

Thanks. I think the code backported looks good. However, I think we should have a better patch format. First, we should keep the Mozilla bug number. That makes it easier to find the patch(es) in our tree. Second, we should keep the patch(set) structure: one commit in our tree should match one commit taken from Mozilla. This allows us to pinpoint possible issues easier. Third, we should fix up the commit message if needed (in your case you still have included "This tests not only windows, but also workers." even though you rightly omitted the workers related part).

A workflow that works fine for me is having mozilla-central as a git remote and cherry picking the patches from that one into tor-browser one-by-one, fixing them up if needed and adapting the commit message afterwards with git commit --amend if needed as well.

Trac:
Status: needs_revision to needs_review

We are close! Could you just remove two superfluous newlines? One at:

 #include "nsINetworkProperties.h"
+#include "nsContentUtils.h"
+

and the other one, which is git complaining about, at the end of the test file:

+  await testWindow();
+});
+

Trac:
Status: needs_review to needs_revision

Trac:
0001-PATCH-Bug-1372072-Part-1-Spoofing-network-informatio.2.patch

Version 3 - Remove superfluous lines

Trac:
0002-PATCH-Bug-1372072-Part-2-Add-a-test-case-for-check-w.2.patch

 Version 3 - Remove superfluous lines

Thanks for the feedback! I updated the patch.

https://trac.torproject.org/projects/tor/attachment/ticket/22084/0001-PATCH-Bug-1372072-Part-1-Spoofing-network-informatio.2.patch

https://trac.torproject.org/projects/tor/attachment/ticket/22084/0002-PATCH-Bug-1372072-Part-2-Add-a-test-case-for-check-w.2.patch

Replying to gk:

We are close! Could you just remove two superfluous newlines? One at: {{{ #include "nsINetworkProperties.h" +#include "nsContentUtils.h" + }}} and the other one, which is git complaining about, at the end of the test file: {{{

• await testWindow(); +});

}}}

Trac:
Status: needs_revision to needs_review

Thanks for all three fixups. The patches got applied to tor-browser-52.5.2esr-7.5-2 as commit a1beadc5b70e1b6e4727506656723684cf3225bf and a72faadea544a71ae5ca95ec816f2684c205b56a).

Trac:
Keywords: TorBrowserTeam201712 deleted, TorBrowserTeam201712R added
Status: needs_review to closed
Resolution: N/A to fixed

closed

moved to tpo/applications/tor-browser#22084 (closed)