Opened 11 months ago

Last modified 11 months ago

#28372 new defect

determine if onvisibilitychange is a fingerprinting vector

Reported by: mcs
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-fingerprinting, ff60-esr
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

In Firefox 56, Mozilla added support for onvisibilitychange. See:
https://developer.mozilla.org/en-US/docs/Web/API/Document/onvisibilitychange
https://bugzilla.mozilla.org/show_bug.cgi?id=1333912

We should think about whether this introduces any new fingerprinting risks. The following mentions a prerender state which we (mcs and brade) do not fully understand:
https://w3c.github.io/page-visibility/#privacy-security

Change History (4)

comment:1 Changed 11 months ago by tom

Probably best to disable it... It's not a super important API, should degrade just fine. A website could determine:

  • If it was loaded as a prerender client hint (although we probably also disable that)
  • If the user has backgrounded the tab, minimized the window, their screensaver has gone off, screen locked, etc.

There's not a lot to learn from these which might be an argument to leave it alone, but if I wanted to put on my really creative hat, maybe a website could learn that a user's screensaver turns on after X minutes of inactivity?

comment:2 in reply to:  description Changed 11 months ago by onvisibilitychange

Replying to mcs:

> In Firefox 56, Mozilla added support for onvisibilitychange. See:
> https://developer.mozilla.org/en-US/docs/Web/API/Document/onvisibilitychange
> https://bugzilla.mozilla.org/show_bug.cgi?id=1333912

Just a more standard way to detect visibility change. See:
https://hg.mozilla.org/mozilla-central/rev/898cac60f7c3

> We should think about whether this introduces any new fingerprinting risks.

Linkability risks, a bit. Maybe. But what fingerprint do you mean?

> The following mentions a prerender state which we (mcs and brade) do not fully understand:
> https://w3c.github.io/page-visibility/#privacy-security

It is a topic for another ticket, but see https://w3c.github.io/resource-hints/#security-and-privacy

comment:3 in reply to:  1 ; Changed 11 months ago by onvisibilitychange

Replying to tom:

> Probably best to disable it...

And everything else...

> It's not a super important API, should degrade just fine.

As many others.

> A website could determine:
>
>   • If it was loaded as a prerender client hint (although we probably also disable that)
>   • If the user has backgrounded the tab, minimized the window, their screensaver has gone off, screen locked, etc.

Where did you find all that states got revealed?

> There's not a lot to learn from these which might be an argument to leave it alone

A ray of light...

> , but if I wanted to put on my really creative hat, maybe a website could learn that a user's screensaver turns on after X minutes of inactivity?

Too creative hat ;)

comment:4 in reply to:  3 Changed 11 months ago by tom

Replying to onvisibilitychange:

> > A website could determine:
> >
> >   • If it was loaded as a prerender client hint (although we probably also disable that)
> >   • If the user has backgrounded the tab, minimized the window, their screensaver has gone off, screen locked, etc.
>
> Where did you find all that states got revealed?

The specified states are visible, hidden, and prerender. Hidden would tell you only that it was hidden, you'd have to guess or guesstimate which of the various scenarios I listed had actually occurred. I just listed the first things that came to mind that would cause a 'hidden' state.
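
Added example, not part of the ticket, any comment, or Tor Browser's code: a small model of the "disable it" option discussed above, showing what a page script can record from the visible/hidden states with and without the API pinned to a constant value. `FakeDocument`, `pinVisibility` and `observe` are hypothetical names, and the document object is a constructed stand-in so the sketch runs under Node; a real browser would enforce this internally rather than in page-level script.

```javascript
// Added illustration, not Tor Browser code. FakeDocument is a constructed
// stand-in for a browser document so the sketch runs under Node.
class FakeDocument {
  constructor() {
    this._state = "visible";
    this._listeners = [];
    this.onvisibilitychange = null;
  }
  get visibilityState() { return this._state; }
  get hidden() { return this._state !== "visible"; }
  addEventListener(type, fn) { this._listeners.push({ type, fn }); }
  // Simulates the browser changing state (tab backgrounded, screen locked, ...).
  _transition(state) {
    this._state = state;
    if (typeof this.onvisibilitychange === "function") this.onvisibilitychange();
    for (const l of this._listeners) if (l.type === "visibilitychange") l.fn();
  }
}

// Hypothetical mitigation: report a constant "visible" and deliver no events.
function pinVisibility(doc) {
  Object.defineProperty(doc, "visibilityState", { get: () => "visible" });
  Object.defineProperty(doc, "hidden", { get: () => false });
  // Accept assignments to the handler property but never store or call them.
  Object.defineProperty(doc, "onvisibilitychange", { get: () => null, set: () => {} });
  const realAdd = doc.addEventListener.bind(doc);
  doc.addEventListener = (type, fn) => {
    if (type !== "visibilitychange") realAdd(type, fn); // other events pass through
  };
  return doc;
}

// What a page script can record: the initial state plus one entry per event.
function observe(doc, transitions) {
  const states = [doc.visibilityState];
  let handlerCalls = 0;
  doc.addEventListener("visibilitychange", () => states.push(doc.visibilityState));
  doc.onvisibilitychange = () => { handlerCalls += 1; };
  for (const s of transitions) doc._transition(s);
  return { states, handlerCalls, hiddenNow: doc.hidden };
}

const userActions = ["hidden", "visible", "hidden"]; // constructed sequence
console.log(observe(new FakeDocument(), userActions));
console.log(observe(pinVisibility(new FakeDocument()), userActions));
```

The unpinned run records every transition but never the cause of a `hidden` state; the pinned run records only the initial `visible`.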
