Opened 14 months ago

Closed 14 months ago

Last modified 10 months ago

#27257 closed defect (fixed)

In Tor Browser prefs, "" should have been "dom.netinfo.enabled"

Reported by: arthuredelstein
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-fingerprinting, tbb-mobile, ff60-esr, TorBrowserTeam201808R
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor: Sponsor8


Seems to have been a typo from #5642. Lucky for us, this pref is disabled by default in Firefox desktop and also the API is disabled by privacy.resistFingerprinting thanks to We could set "dom.netinfo.enabled" to false just to be safe, or just remove the "" line altogether.


Change History (8)

comment:1 Changed 14 months ago by arthuredelstein

Turns out it wasn't a typo, but was changed to dom.netinfo.enabled in

comment:2 Changed 14 months ago by gk

Testing it on an upcoming Tor Browser for Android shows "Connection type is unknown", so I assume the resistfingerprinting part is working here. Thus, I think we can just remove the pref.

comment:3 Changed 14 months ago by arthuredelstein

Keywords: TorBrowserTeam201808R added
Status: new → needs_review

comment:4 Changed 14 months ago by gk

Resolution: fixed
Status: needs_review → closed

Thanks, cherry-picked to tor-browser-60.1.0esr-8.0-1 (commit 03c692e334c33c21a2f50c5df75d839b93533e55).

comment:5 Changed 14 months ago by Thorin

dom.netinfo.enabled=false returns "unknown" but RFP returns "undefined"

You need to decide what you want to enforce as your TBB fingerprint. RFP "clashes" with a lot of other prefs you have flipped in the past. You'll have to evaluate each one on its own in order to determine if the pref or RFP wins out. Or even which one gives better protection (e.g. media.video_stats.enabled=false disables the API, but RFP returns dynamically spoofed values .. so which do you want? which is less entropy or fits your threat model)

comment:6 Changed 14 months ago by tom

For RFP, where we could, we choose values that would keep the API functioning; just in a constant way.

Therefore I think we would want netinfo to return unknown, rather than undefined. If RFP says undefined; we should open a Mozilla bug to correct it....

Last edited 14 months ago by tom

comment:7 Changed 14 months ago by Thorin

Actually, I have that back to front, sorry

Which is to be expected. The point was that you'll need to evaluate/revert past pref flipping

comment:8 Changed 10 months ago by gk

Sponsor: Sponsor8

Sponsor8 in August 2018.
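
Added example, not part of the ticket or of Tor Browser's code: a small probe for the "unknown" versus "undefined" difference discussed in comments 5 to 7, showing that the two outcomes put users in different fingerprint buckets. The thread does not settle which configuration yields which result, so the code only classifies what a page can observe; the function names and the sample navigator objects are constructed for illustration.

```javascript
// Attributes defined on the NetworkInformation interface (navigator.connection).
const NETINFO_FIELDS = ["type", "effectiveType", "downlink", "downlinkMax", "rtt", "saveData"];

// Classify what a page can read. Takes a navigator-like object so the same
// code runs in a browser console (pass `navigator`) or offline in Node.
function probeNetInfo(nav) {
  const conn = nav.connection;
  if (conn === undefined || conn === null) {
    return { state: "absent", observed: {} }; // API not exposed at all
  }
  const observed = {};
  for (const field of NETINFO_FIELDS) {
    if (conn[field] !== undefined) observed[field] = conn[field];
  }
  // "unknown" is the constant connection type reported in comment:2.
  // Anything else readable here is a value that can differ between users.
  const exposed = Object.keys(observed).some(
    (k) => k !== "type" || observed[k] !== "unknown"
  );
  return { state: exposed ? "exposed" : "constant", observed };
}

// Two browsers look the same on this surface only if their probe results
// serialize identically.
function bucket(nav) {
  const p = probeNetInfo(nav);
  return p.state + ":" + JSON.stringify(p.observed);
}

function distinctBuckets(navs) {
  return new Set(navs.map(bucket)).size;
}

// Constructed navigator-like samples (not captured from real browsers).
const SAMPLES = {
  apiAbsent: {},                                   // navigator.connection is undefined
  constantType: { connection: { type: "unknown" } },
  leaking: { connection: { type: "wifi", rtt: 50 } },
};

console.log(Object.entries(SAMPLES).map(([name, nav]) => name + " -> " + bucket(nav)));
```

A population split between the "absent" and "constant" states is distinguishable even though neither state reveals the real connection type, which is why the thread asks for one behaviour to be chosen and enforced.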
