Opened 9 months ago

Closed 7 months ago

#26598 closed defect (fixed)

disable User Timing API in ESR60

Reported by: mcs Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-fingerprinting-time-highres, ff60-esr, TorBrowserTeam201808R
Cc: arthuredelstein Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by arthuredelstein)

In #16336, we disabled the User Timing API by setting dom.enable_user_timing = false. Support for this pref was removed as of Firefox 55; see https://bugzilla.mozilla.org/show_bug.cgi?id=1344669.

We should do patch Firefox to resurrect support for this pref or do something else to mitigate the fingerprinting potential of this feature.

Child Tickets

Change History (8)

comment:1 Changed 9 months ago by mcs

Keywords: TorBrowserTeam201807 added; TorBrowserTeam201806 removed

comment:2 Changed 9 months ago by arthuredelstein

Cc: arthuredelstein added

comment:3 Changed 9 months ago by gk

Priority: MediumImmediate

Bumping prio.

comment:4 Changed 9 months ago by gk

Priority: ImmediateHigh

comment:5 Changed 8 months ago by arthuredelstein

Description: modified (diff)

According to the patch, the following APIs were formerly disabled when dom.enable_user_timing was false:

   PerformanceEntryList getEntries();
   PerformanceEntryList getEntriesByType(DOMString entryType);
   PerformanceEntryList getEntriesByName(DOMString name, optional DOMString
     entryType);
   void clearResourceTimings();
   void setResourceTimingBufferSize(unsigned long maxSize);
   attribute EventHandler onresourcetimingbufferfull;
   void mark(DOMString markName);
   void clearMarks(optional DOMString markName);
   void measure(DOMString measureName, optional DOMString startMark, optional DOMString endMark);
   void clearMeasures(optional DOMString measureName);

Looking at https://dxr.mozilla.org/mozilla-esr60/source/dom/performance/Performance.cpp, I see that much of this is already disabled when privacy.resistFingerprinting = true:

  • getEntries, getEntriesByType and getEntriesByName all return empty lists.
  • mark and measure do nothing.

We should still check if setResourceTimingBufferSize(unsigned long maxSize) and performance.onresourcetimingbufferfull expose a fingerprinting vector or supercookie mechanism.

comment:6 Changed 8 months ago by gk

Keywords: TorBrowserTeam201808 added; TorBrowserTeam201807 removed

Move our tickets to August.

comment:7 Changed 7 months ago by arthuredelstein

Status: newneeds_review

I examined the code for setResourceTimingBufferSize(...):
https://dxr.mozilla.org/mozilla-esr60/rev/dd52b41d2b775e5c7261ce52795268b7670635fc/dom/performance/Performance.cpp#407
and for Performance::InsertResourceEntry(...):
https://dxr.mozilla.org/mozilla-esr60/rev/dd52b41d2b775e5c7261ce52795268b7670635fc/dom/performance/Performance.cpp#413

When "privacy.resistFingerprinting" is true, InsertResourceEntry shortcuts. Therefore no entries are added, and performance.onresourcetimingbufferfull is never called, regardless of any past calls to setResourceTimingBufferSize(unsigned long maxSize). So I am satisfied that there isn't a fingerprinting vector of supercookie mechanism exposed by this API.

comment:8 Changed 7 months ago by gk

Keywords: TorBrowserTeam201808R added; TorBrowserTeam201808 removed
Resolution: fixed
Status: needs_reviewclosed

Looks good to me, thanks.

Note: See TracTickets for help on using tickets.