Opened 2 years ago

Closed 2 years ago

#26611 closed defect (fixed)

verify no locale leaks in ESR60 `Intl` APIs

Reported by: mcs
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-fingerprinting, ff60-esr, TorBrowserTeam201808R
Cc: arthuredelstein
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Change History (6)

comment:1 Changed 2 years ago by arthuredelstein

Cc: arthuredelstein added

comment:2 Changed 2 years ago by gk

Priority: Medium → Immediate

Bumping prio.

comment:3 Changed 2 years ago by gk

Priority: Immediate → High

comment:4 Changed 2 years ago by gk

Keywords: TorBrowserTeam201808 added; TorBrowserTeam201807 removed

Move our tickets to August.

comment:5 in reply to:  description Changed 2 years ago by arthuredelstein

Keywords: TorBrowserTeam201808R added; TorBrowserTeam201808 removed
Status: new → needs_review

Replying to mcs:

> Several new Intl APIs and enhancements to existing APIs were added during the ESR60 development cycle. We should review the changes to make sure locale info, etc. is not leaked when privacy.resistFingerprinting is true.

In general, the Intl APIs use the apparent system locale. "javascript.use_us_english" and "privacy.spoof_english" already cause the system locale to be overridden for Firefox so that previous APIs correctly behaved as though the locale were "en-US".

But I wanted to make sure that the new APIs also followed the same mechanism. So I ran manual tests for each. I opened a blank page and entered test inputs into the content console for two values of "privacy.spoof_english":


privacy.spoof_english | new Intl.PluralRules().resolvedOptions().locale
1                     | "de"
2                     | "en-US"

privacy.spoof_english | Intl.NumberFormat().formatToParts(1000)[1]
1                     | Object { type: "group", value: "." }
2                     | Object { type: "group", value: "," }

privacy.spoof_english | new Intl.DateTimeFormat(undefined, {hour: "numeric"}).resolvedOptions().hourCycle
1                     | "h23"
2                     | "h12"

So the manual tests appear to confirm that these new APIs are correctly spoofing the locale. I also opened a Bugzilla bug to propose the idea of adding some regression tests:

Setting to "needs review" for a second opinion. :)

comment:6 Changed 2 years ago by gk

Resolution: fixed
Status: needs_review → closed

Thanks, looks good!
