Opened 20 months ago

Last modified 17 months ago

#29745 new defect

Exposed chrome:// resources allow browser version and OS detection [Bug 1534581]

Reported by: flngerprlnt Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-fingerprinting
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


The default permissions defined in the chrome.manifest file allow specific paths to be called from any web page. For example, chrome://browser/content/* or chrome://global/content/*.

For references see

Child Tickets

Attachments (1)

demo2.png (373.0 KB) - added by flngerprlnt 20 months ago.
Detection examples and code inspection

Download all attachments as: .zip

Change History (4)

Changed 20 months ago by flngerprlnt

Attachment: demo2.png added

Detection examples and code inspection

comment:1 Changed 20 months ago by gk

Component: - Select a componentApplications/Tor Browser
Keywords: tbb-fingerprinting added; version os detection fingerprinting chrome resources removed
Owner: set to tbb-team
Priority: MediumHigh

comment:2 Changed 17 months ago by Thorin

From upstream, that this can also leak the app language: see [1]. Leaking browser version is not an issue, all TB users should be on the same ESR cycle - and you can't defeat feature detection anyway. Detecting OS is trivial as well (for now)

Suggest changing the title, and keyword => tbb-fingerprinting-locale . As it happens, I checked the contents of chrome://global/locale/intl.css in all 30 language packs, and I've lost my notes on them: about 6 or 7 have extra css rules which could be used: namely that French one, LTR languages, and from memory, a couple of non-Latin languages such as Japanese. Of course, there may be other chrome:// files that leak more entropy.


comment:3 Changed 17 months ago by Thorin

Not sure if it's worthwhile opening a new ticket: but the default proportional font (serif or sans-serif) is (semi-)detectable and it seems as if zh-TW is the only one to return sans-serif

Is this something that was missed: For example: the default proportional font in ja and he is sans-serif, but the PoC returns serif


[1] PoC:

On the plus side: all 30 packs return sizes 16 (proportional) and 13 (monospace) regardless of the settings in Language & Appearance > Advanced

Note: See TracTickets for help on using tickets.