Opened 4 weeks ago

Closed 4 weeks ago

Last modified 4 weeks ago

#27257 closed defect (fixed)

In Tor Browser prefs, "" should have been "dom.netinfo.enabled"

Reported by: arthuredelstein Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-fingerprinting, tbb-mobile, ff60-esr, TorBrowserTeam201808R
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Seems to have been a typo from #5642. Lucky for us, this pref is disabled by default in Firefox desktop and also the API is disabled by privacy.resistFingerprinting thanks to We could set "dom.netinfo.enabled" to false just to be safe, or just remove the "" line altogether.

Child Tickets

Change History (7)

comment:1 Changed 4 weeks ago by arthuredelstein

Turns out it wasn't a typo, but was changed to dom.netinfo.enabled in

comment:2 Changed 4 weeks ago by gk

Testing it on an upcoming Tor Browser for Android shows "Connection type is unknown", so I assume the resistfingerprinting part is working here. Thus, I think we can just remove the pref.

comment:3 Changed 4 weeks ago by arthuredelstein

Keywords: TorBrowserTeam201808R added
Status: newneeds_review

comment:4 Changed 4 weeks ago by gk

Resolution: fixed
Status: needs_reviewclosed

Thanks, cherry-picked to tor-browser-60.1.0esr-8.0-1 (commit 03c692e334c33c21a2f50c5df75d839b93533e55).

comment:5 Changed 4 weeks ago by Thorin

dom.netinfo.enabled=false returns "unknown" but RFP returns "undefined"

You need to decide what you want to enforce as your TBB fingerprint. RFP "clashes" with a lot of other prefs you have flipped in the past. You'll have to evaluate each one on it's own in order to determine if the pref or RFP wins out. Or even which one gives better protection (eg media.video_stats.enabled=false disables the API, but RFP returns dynamically spoofed values .. so which do you want? which is less entropy or fits your threat model)

comment:6 Changed 4 weeks ago by tom

For RFP, where we could, we choose values that would keep the API functioning; just in a constant way.

Therefore I think we would want netinfo to return unknown, rather than undefined. If RFP says undefined; we should open a mozilla bug to correct it....

Last edited 4 weeks ago by tom (previous) (diff)

comment:7 Changed 4 weeks ago by Thorin

Actually, I have that back to front, sorry

Which is to be expected. The point was that you'll need to evaluate/revert past pref flipping

Note: See TracTickets for help on using tickets.