Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#27627 closed enhancement (wontfix)

Prevent sending screen size to server via CSS when JavaScript is disabled

Reported by: Keritano | Owned by: tbb-team
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Keywords:
Cc: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:

Description

https://arthuredelstein.github.io/tordemos/media-query-fingerprint.html demonstrates that you can include a picture via CSS depending on the screen size, thus communicating it to the server. To make it possible to resize the window without danger of fingerprinting when JavaScript is disabled, the Tor Browser should do one of these things when the security slider is on "safest" (or "safer" for non-HTTPS pages):
- Pretend that the screen has the standard resolution.
- Don't load any media that is dependent on the screen size.
- Preload all media that is dependent on the screen size. (This doesn't seem to be done right now, since the wait time for resizing is the same as for loading the page, and the site does not load very much slower than in the regular browser.)
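
As an added illustration (not part of the ticket and not Tor Browser code), this JavaScript audits a stylesheet for the pattern the description refers to: `@media` conditions on viewport or screen dimensions that gate a `url()` fetch. The function name, the feature list and the sample CSS are constructed for this example.

```javascript
// Media features whose match state depends on window or screen dimensions.
// Assumption: this list is illustrative, not exhaustive.
const SIZE_FEATURE = /\b(?:width|height|aspect-ratio|orientation|resolution)\b/i;

// Return every @media block that both tests a size feature and loads a url().
function findViewportGatedLoads(css) {
  const findings = [];
  const text = css.replace(/\/\*[\s\S]*?\*\//g, ""); // strip CSS comments
  const atMedia = /@media\b([^{]*)\{/gi;
  let m;
  while ((m = atMedia.exec(text)) !== null) {
    const condition = m[1].trim();
    // Walk to the brace that closes this @media block; rules inside nest.
    let depth = 1;
    let i = atMedia.lastIndex;
    while (i < text.length && depth > 0) {
      if (text[i] === "{") depth++;
      else if (text[i] === "}") depth--;
      i++;
    }
    const end = depth === 0 ? i - 1 : i; // tolerate an unterminated block
    const body = text.slice(atMedia.lastIndex, end);
    const urls = [...body.matchAll(/url\(\s*(['"]?)([^'")]+)\1\s*\)/gi)]
      .map((u) => u[2].trim());
    if (SIZE_FEATURE.test(condition) && urls.length > 0) {
      findings.push({ condition, urls });
    }
  }
  return findings;
}

// Constructed sample stylesheet: two size-gated fetches, one print-only
// fetch, and one size-gated rule that loads nothing.
const sampleCss = `
body { background: url("/static/bg.png"); }
@media (min-width: 600px) and (max-width: 699px) {
  #probe { background-image: url("/probe/w600.png"); }
}
@media (min-height: 500px) {
  #probe2::after { content: url(/probe/h500.png); }
}
@media print { body { background: url("/static/print.png"); } }
@media (min-width: 900px) { .wide { margin: 0 auto; } }
`;

console.log(findViewportGatedLoads(sampleCss));
```

Only the two size-gated blocks that fetch a resource are reported; the unconditional background, the print-only rule and the layout-only rule are not.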

Change History (3)

comment:1 Changed 2 years ago by gk

Resolution: wontfix
Status: new → closed

I don't think we should do that, rather we should make sure resizing is no big danger to users, e.g. by implementing #14429.

comment:2 Changed 2 years ago by cypherpunks3

Notice that "resizing" also includes changing the viewport's scale factor (or zoom level), not just changing the window size. Also CSS is not the only vector; there is, for example, srcset and related.

Keritano's suggestions are the obvious safe choices to make.

comment:3 in reply to:  2 Changed 2 years ago by cypherpunks_reply

Replying to cypherpunks3:

> Also CSS is not the only vector; there is, for example, srcset and related.

And the srcset mechanism applies even in the disabled-CSS case.
