Opened 7 years ago

Closed 7 years ago

#2875 closed enhancement (fixed)

Spoof Desktop Resolution in TorBrowser

Reported by: mikeperry
Owned by: mikeperry
Priority: High
Milestone: TorBrowserBundle 2.3.x-stable
Component: Firefox Patch Issues
Version:
Severity:
Keywords: backport-to-mozilla, MikePerryIteration20111225
Cc: g.koppen@…, tagnaq@…, lunar@…, StrangeCharm
Actual Points: 3
Parent ID: #2871
Points: 6
Reviewer:
Sponsor:

Description

We currently have JavaScript hooks in Torbutton to spoof our desktop resolution, but this information is now available due to CSS3 media queries. We need to patch Firefox at a deeper level to prevent any pieces of it from obtaining valid desktop resolution information.

This could work as an about:config approach that tells the patch to either spoof the next largest common desktop size that is bigger than the window, or to a specific fixed size, or to the size of the content window (as if the content window only was the entire desktop).

We'll also want to try to remap mouse event coordinates back to this spoofed desktop:
https://developer.mozilla.org/en/DOM/Event/UIEvent/MouseEvent

Spoofing the content window to the desktop size is the cleanest approach that leaks the least information, but the Panopticlick test makes people believe that they are always unique because this is such a rare thing to do relative to the rest of the web, so people are always wrongly complaining we don't defend against Panopticlick :/
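
An added illustration, not part of the ticket or of the Tor Browser patch: the three spoofing policies proposed in the description, with the chosen value fed to both window.screen and the CSS device media features. The mode names, the COMMON_SIZES list and the function names are assumptions made for this sketch.

```javascript
// Constructed list of common desktop sizes (assumption), sorted by area.
const COMMON_SIZES = [
  [800, 600], [1024, 768], [1280, 800], [1366, 768],
  [1440, 900], [1600, 900], [1920, 1080], [2560, 1440],
].sort((a, b) => a[0] * a[1] - b[0] * b[1]);

// content: {width, height} of the content window.
// mode: "content" | "fixed" | "next-common" (hypothetical pref values).
function spoofedScreen(mode, content, fixed) {
  switch (mode) {
    case "content":
      // Treat the content window as if it were the entire desktop.
      return { width: content.width, height: content.height };
    case "fixed":
      if (!fixed) throw new Error("fixed mode needs a size");
      return { width: fixed.width, height: fixed.height };
    case "next-common": {
      // Smallest listed size that contains the window in both dimensions
      // (">=" is an assumption; the ticket only says "bigger").
      const hit = COMMON_SIZES.find(
        ([w, h]) => w >= content.width && h >= content.height);
      // Window larger than every listed size: fall back to the content
      // size instead of reporting a screen smaller than the window.
      return hit ? { width: hit[0], height: hit[1] } : { ...content };
    }
    default:
      throw new Error("unknown mode: " + mode);
  }
}

// Both channels named in the ticket are derived from the one spoofed value;
// otherwise CSS media queries still expose what the JS hooks hide.
function observableValues(spoofed) {
  return {
    "screen.width": spoofed.width,
    "screen.height": spoofed.height,
    "(device-width)": spoofed.width + "px",
    "(device-height)": spoofed.height + "px",
  };
}
```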


Change History (17)

comment:1 Changed 7 years ago by gk

Cc: g.koppen@… added

comment:2 Changed 7 years ago by mikeperry

FYI, here is a related Firefox Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=418986.

comment:3 Changed 7 years ago by tagnaq

Cc: tagnaq@… added

comment:4 Changed 7 years ago by mikeperry

Points: 16

Similar guess as to #2872.

comment:5 Changed 7 years ago by mikeperry

Component: Tor bundles/installation → Tor Browser

comment:6 Changed 7 years ago by lunar

Cc: lunar@… added

comment:7 Changed 7 years ago by mikeperry

Points: 16 → 6

window.screen uses nsDeviceContext internally.

It appears as though CSS does too, in layout/style/nsMediaFeatures.cpp.

However, we are probably better off just hacking nsMediaFeatures and window.screen to behave properly.

There is a nice array in nsMediaFeatures::features where it looks like we can just change the entries there. In general, we'll want to change all the device-related properties to be the same as their window equivalents. However, this is some extra fun wrt the Mozilla extensions. We'll want to pick custom values for those.

All-in-all I don't think this one should be too hard either. I think the hacks will actually be easier than those for #2872. Perhaps a day of hacking and a half day of testing on a couple different platforms, or some mix thereof.

comment:8 Changed 7 years ago by mikeperry

FYI: window.screen lives in ./dom/base/nsScreen.cpp. Not sure if we should bother with actually patching it though. Maybe the JS hooks are enough.

comment:9 Changed 7 years ago by mikeperry

Priority: normal → major

comment:10 Changed 7 years ago by mikeperry

Cc: StrangeCharm added

comment:11 Changed 7 years ago by StrangeCharm

Keywords: backport-to-mozilla added

comment:12 Changed 7 years ago by mikeperry

Milestone: TorBrowserBundle 2.3.x-stable

comment:13 Changed 7 years ago by mikeperry

Keywords: MikePerryIteration20111009 added

comment:14 Changed 7 years ago by mikeperry

Keywords: MikePerryIteration20111009 removed

Putting this on hold in favor of some bw auth work.

comment:15 Changed 7 years ago by mikeperry

Keywords: MikePerryIteration20111211 added

comment:16 Changed 7 years ago by mikeperry

Keywords: MikePerryIteration20111225 added; MikePerryIteration20111211 removed

comment:17 Changed 7 years ago by mikeperry

Actual Points: 3
Resolution: fixed
Status: new → closed

Broke off the MouseEvent stuff into #4755.

The CSS bits are fixed and currently in mikeperry/patches. I also disabled a bunch of suspicious Mozilla CSS Media Query extensions.
