Opened 18 months ago

Last modified 8 months ago

#26606 new defect

investigate fingerprinting and linkability risks of the Intersection Observer API

Reported by: mcs Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-fingerprinting, tbb-linkability, ff60-esr, TorBrowserTeam201904
Cc: arthuredelstein Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by mcs)

​Support for the Intersection Observer API was added during the ESR60 development cycle. This API "provides a way to asynchronously observe changes in the intersection of a target element with an ancestor element or with a top-level document's viewport." and may add linkability or fingerprinting risks. See:

https://bugzilla.mozilla.org/show_bug.cgi?id=1321865
https://developer.mozilla.org/en-US/docs/Web/API/Intersection_Observer_API

Child Tickets

Change History (15)

comment:1 Changed 18 months ago by arthuredelstein

Cc: arthuredelstein added

comment:2 Changed 17 months ago by gk

Priority: MediumImmediate

Bumping prio.

comment:3 Changed 17 months ago by gk

Priority: ImmediateHigh

comment:4 Changed 17 months ago by mcs

Description: modified (diff)

comment:5 Changed 17 months ago by gk

Keywords: TorBrowserTeam201808 added; TorBrowserTeam201807 removed

Move our tickets to August.

comment:6 Changed 16 months ago by arthuredelstein

#21770 was a duplicate.

comment:7 Changed 16 months ago by Thorin

This is a no brainer. Disable it, IMO

https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js

/* 2426: disable Intersection Observer API (FF53+)
 * Almost a year to complete, three versions late to stable (as default false),
 * number #1 cause of crashes in nightly numerous times, and is (primarily) an
 * ad network API for "ad viewability checks" down to a pixel level
 * [1] https://developer.mozilla.org/docs/Web/API/Intersection_Observer_API
 * [2] https://w3c.github.io/IntersectionObserver/
 * [3] https://bugzilla.mozilla.org/1243846 ***/
user_pref("dom.IntersectionObserver.enabled", false);

down to a pixel level ... a. pixel. level

PS: since we added this to our user.js back in 53 (16 months ago), we've had zero issues or complaints about website breakage etc

comment:8 Changed 15 months ago by gk

Keywords: TorBrowserTeam201809 added; TorBrowserTeam201808 removed

Moving our tickets to September 2018

comment:9 Changed 14 months ago by gk

Keywords: TorBrowserTeam201810 added; TorBrowserTeam201809 removed

Moving tickets to October

comment:10 Changed 13 months ago by gk

Keywords: TorBrowserTeam201811 added; TorBrowserTeam201810 removed

Moving our tickets to November.

comment:11 Changed 12 months ago by gk

Keywords: TorBrowserTeam201812 added; TorBrowserTeam201811 removed

Moving our tickets to December.

comment:12 Changed 11 months ago by gk

Keywords: TorBrowserTeam201901 added; TorBrowserTeam201812 removed

Moving tickets to Jan 2019.

comment:13 Changed 10 months ago by gk

Keywords: TorBrowserTeam201902 added; TorBrowserTeam201901 removed

Moving tickets to February.

comment:14 Changed 9 months ago by gk

Keywords: TorBrowserTeam201903 added; TorBrowserTeam201902 removed

Moving remaining tickets to March.

comment:15 Changed 8 months ago by gk

Keywords: TorBrowserTeam201904 added; TorBrowserTeam201903 removed

Moving tickets to April.

Note: See TracTickets for help on using tickets.