Opened 3 years ago

Last modified 3 years ago

#22632 reopened defect

The scrollbar in TBB is enabled and disabled based on a setting in macOS system preferences

Reported by: Dbryrtfbcbhgf Owned by: tbb-team
Priority: Low Milestone:
Component: Applications/Tor Browser Version:
Severity: Minor Keywords: tbb-fingerprinting
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


The scrollbar in TBB is enabled and disabled based on a setting in macOS system preferences, this can be used to fingerprint users. TBB 7.0.1

Child Tickets

Change History (4)

comment:1 Changed 3 years ago by Dbryrtfbcbhgf

comment:2 Changed 3 years ago by cypherpunks

Priority: MediumLow
Resolution: not a bug
Severity: MajorMinor
Status: newclosed

This is not a bug. There are far, far worse tracking vectors in the open at the moment. If you keep javascript disabled, the scrollbars disappearing (or not) definitely cannot be detected. Merely enabling javascript access (even with the many good modifications the TorProject has made to Mozilla's code) opens up so many APIs that it is very difficult to prevent getting tracked - the DOM sucks. Leaving the macOS default for scrollbars is probably the best choice.

If I am being harsh here, please provide more detail and evidence to show that this actually is a serious tracking vector when weighed against all the other tracking vectors in the wild. Otherwise, adding these kinds of bugs only clogs the bug tracker.

Last edited 3 years ago by cypherpunks (previous) (diff)

comment:3 Changed 3 years ago by gk

Keywords: tbb-fingerprinting added
Resolution: not a bug
Status: closedreopened

While I agree that this is low priority I still think it should not be possible for websites to get that bit of information out of macOS users.

comment:4 Changed 3 years ago by cypherpunks

Is there any evidence of such fingerprinting or a known way that js can be used to detect the status of the scrollbar? I am 99% certain without javascript it is impossible. Unless there is anything here beyond mouse tracking with javascript, which already has a ticket, shouldn't there be some evidence brought forward?

I know this really should be in another ticket, but I don't like adding duplicate or unnecessary ones (there are enough already) - does anyone know if ClientRects fingerprinting has been examined in TorBrowser? .

Imho though, if you let the tens of thousands of lines of js code (e.g. ( that most mainstream sites include run, as I said, it is practically impossible to stop some form of fingerprinting. The only way this will improve is if more real-world analysis of javascript tracking is done - examining which APIs are used, to RE obfuscated code.

Either the DOM/ECMAScript are changed fundamentally and browser developers stop adding new unnecessary APIs every other day, emphasize security/privacy, document preferences properly, encourage control and encourage web developers to follow the principles of progressive enhancement.

Note: See TracTickets for help on using tickets.