Opened 2 years ago

Closed 2 years ago

Last modified 23 months ago

#27257 closed defect (fixed)

In Tor Browser prefs, "" should have been "dom.netinfo.enabled"

Reported by: arthuredelstein Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-fingerprinting, tbb-mobile, ff60-esr, TorBrowserTeam201808R
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor: Sponsor8


Seems to have been a typo from #5642. Lucky for us, this pref is disabled by default in Firefox desktop and also the API is disabled by privacy.resistFingerprinting thanks to We could set "dom.netinfo.enabled" to false just to be safe, or just remove the "" line altogether.

Child Tickets

Change History (8)

comment:1 Changed 2 years ago by arthuredelstein

Turns out it wasn't a typo, but was changed to dom.netinfo.enabled in

comment:2 Changed 2 years ago by gk

Testing it on an upcoming Tor Browser for Android shows "Connection type is unknown", so I assume the resistfingerprinting part is working here. Thus, I think we can just remove the pref.

comment:3 Changed 2 years ago by arthuredelstein

Keywords: TorBrowserTeam201808R added
Status: newneeds_review

comment:4 Changed 2 years ago by gk

Resolution: fixed
Status: needs_reviewclosed

Thanks, cherry-picked to tor-browser-60.1.0esr-8.0-1 (commit 03c692e334c33c21a2f50c5df75d839b93533e55).

comment:5 Changed 2 years ago by Thorin

dom.netinfo.enabled=false returns "unknown" but RFP returns "undefined"

You need to decide what you want to enforce as your TBB fingerprint. RFP "clashes" with a lot of other prefs you have flipped in the past. You'll have to evaluate each one on it's own in order to determine if the pref or RFP wins out. Or even which one gives better protection (eg media.video_stats.enabled=false disables the API, but RFP returns dynamically spoofed values .. so which do you want? which is less entropy or fits your threat model)

comment:6 Changed 2 years ago by tom

For RFP, where we could, we choose values that would keep the API functioning; just in a constant way.

Therefore I think we would want netinfo to return unknown, rather than undefined. If RFP says undefined; we should open a mozilla bug to correct it....

Last edited 2 years ago by tom (previous) (diff)

comment:7 Changed 2 years ago by Thorin

Actually, I have that back to front, sorry

Which is to be expected. The point was that you'll need to evaluate/revert past pref flipping

comment:8 Changed 23 months ago by gk

Sponsor: Sponsor8

Sponsor8 in August 2018.

Note: See TracTickets for help on using tickets.