Child Tickets

#33848 | needs_review | mcs | Disable Enhanced Tracking Protection (assuming we want it disabled) | Applications/Tor Browser
#33849 | assigned | tbb-team | Maybe disable Windows Hello | Applications/Tor Browser
#33851 | needs_review | mcs | Patch out Parental Controls detection and logging | Applications/Tor Browser
#33852 | assigned | tbb-team | Clean up about:logins (LockWise) to avoid mentioning sync, etc. | Applications/Tor Browser
#33853 | closed | tbb-team | Disable What's New? feature | Applications/Tor Browser
#33854 | closed | tbb-team | Spoof Network ID | Applications/Tor Browser
#33855 | assigned | tbb-team | Don't use site's icon as window icon in Windows when in private browsing mode | Applications/Tor Browser
#33865 | assigned | tbb-team | Maybe disable all auto-play | Applications/Tor Browser
#33866 | closed | tbb-team | Add Onion Service info to new cert viewer | Applications/Tor Browser
#33867 | assigned | tbb-team | Disable password manager and password generation | Applications/Tor Browser

Change History (14)

comment:1 Changed 8 months ago by pospeselr

Description: modified (diff)

comment:2 Changed 8 months ago by pospeselr

Description: modified (diff)

comment:3 Changed 8 months ago by arma

Summary: Review FF relase notes from FF69 to latest (FF73) → Review FF release notes from FF69 to latest (FF73)

comment:4 Changed 8 months ago by cypherpunks

comment:5 Changed 7 months ago by pili

Sponsor: Sponsor58-must

comment:6 Changed 7 months ago by pospeselr

Actual Points: 12
Release notes:

    Enhanced Tracking Protection
        - I believe we want to turn this off
    Web Authentication HmacSecret extension via Windows Hello (for Windows 10 versions > May 2019)
        - suspect this feature violates our disk avoidance requirements
    32-bit Firefox on 64-bit OS users no longer differentiable from 64-bit Firefox on 64-bit OS
        - navigator.userAgent, navigator.platform, navigator.oscpu props
    userChrome.css and userContent.css no longer enabled by default
        - sure users will probably complain about this but seems like a good thing
        - toolkit.legacyUserProfileCustomizations.stylesheets -> true to re-enable

        Seems like Firefox hooks into Windows Parental Controls (though they are removed in newer versions of Windows 10?)
            - I would think our build should stub out parental controls and logging if we don't do this already
            - also has implementation for android and macos
    Firefox Lockwise (about:logins)
        - violates disk avoidance
    'Gift' icon in toolbar that spams users with feature updates/news
    Picture-in-Picture video
        - this feature is pretty awesome, but we should make sure it doesn't expose fingerprinting surface
        - can be toggled off with media.videocontrols.picture-in-picture.enabled
    Enhancement to Windows' High Contrast Mode, web renderer now adds 'readability backplate' of solid color between background and text
        - possible finger-printing vector?

Developer release notes

    Lithuanian specific case rules (also exists for Greek, Dutch, others), locale fingerprinting
    add-on api topsites.get() certainly seems sketchy af:
        - updated to add includePinned and includeSearchShortcuts options




    TextMetrics interface updated, canvas fingerprinting?

Noteworthy Tickets:

    1584613 - Parental control detection doesn't work on Windows 10
        - make sure parental access checks are always disabled
    1559747 - User-Agent string needn't reveal a user is running 32-bit Firefox on a 64-bit OS
        - make sure this is also true for Tor Browser if it isn't already
    1561307 - Add pref to enable/disable the What's New Panel feature
        - make sure this panel is disabled
    1570732 - Disable DoH if parental controls detected
        - followup on 1584613 to ensure we don't have parental controls in Tor Browser
    1561273 - network ID: ipv4NetworkId/scanArp returns gateway IP instead of its MAC
        - certainly seems like we shouldn't have runnable code that can read the user's IP or MAC
    1563319 - Enable the What's New UI when pref is enabled
        - make sure this is disabled
    1572389 - Add pref to show normal lock icon for sites with EV (Extended Validation) certificates
        - so looks like we can bring back full EV names if we so wish
    1576246 - Set pref browser.urlbar.eventTelemetry.enabled by default
        - make sure this is disabled
    1567826 - Don't mark localhost as insecure
        - this should be fine but the patch does touch the url icon logic
    1572936 - Move EV cert UI out of URL Bar
        - security.identityblock.show_extended_validation pref for showing EV in url bar, we may want to enable this for onionsites?
    1539212 - implement readability backplate for high contrast mode
        - probably fingerprinting vector for folks with high contrast mode enabled as it adds a new rendering layer 
    1585920 - network ID: fix VPN detection on Linux for non ethernet devices 
        - seems like we would never want to calculate a fingerprintable 'Network ID' in tor-browser, though I'm not sure what this is or what it does ( about:networking#networkid )
    1565004 - TRR: Check for VPN on Windows to use platform DNS
        - make sure there's no leakage here
    1604761 - Firefox doesn't apply gnome "Large Text" accessibility setting to web content 
        - we probably don't want this fix if it can be used for fingerprinting?
    1602194 - Use a site's icon as the window icon on Windows
        - We probably don't want to do this, esp if we do the work to hide the tab title from the window manager
    1604932 - Implement a Top Sites provider
        - seems like it offers site suggestions or tracks your browsing or something
    1602187 - Cache site icons for use when the site is not loaded.
        - we need to make sure we're not doing this/that this does not occur for in private tabs

    1532486 - Ensure media cache is memory-only when in Private Browsing Mode
        - we need to enable browser.privatebrowsing.forceMediaMemoryCache pref
    1614769 - Cache shaders to disk even if they are compiled after the 10th frame
        - make sure these don't get cached when in private browsing mode

comment:7 in reply to:  6 Changed 7 months ago by Thorin

Replying to pospeselr:

    TextMetrics interface updated, canvas fingerprinting?
        - - see the textmetric entry and click the view details

RFP doesn't protect against this. The prefs (all added in 74+) are

  • dom.textMetrics.actualBoundingBox.enabled FF74+ default true
  • dom.textMetrics.baselines.enabled - 76 Nightly still at default false
  • dom.textMetrics.emHeight.enabled - 76 Nightly still at default false
  • dom.textMetrics.fontBoundingBox.enabled - 76 Nightly still at default false

measureText uses floats (which may be affected by OS), so the precision is much higher than say domrect (which uses app-units - e.g. 1/60th of a CSS pixel). Additionally, text layout goes from device pixels (which _are_ affected by DPI) to CSS pixels: so it could also be affected by DPI (but no one knows for sure)

I'm not sure if it really adds any more entropy than other font measurements like dcf's unicode glyphs - but it is another avenue

comment:8 Changed 7 months ago by pospeselr

Ok, diffed vanilla esr68 vs beta75 prefs in firefox.js and greprefs.js and here's the noteworthy new values:


  • this pref seems to enable a one-time welcome screen that shows off firefox features and importing bookmarks and stuff

  • seems like mozilla working on a new system for configuring search engines, setting to false falls back to legacy

  • separate search engine config for private browsing mode, redundant for us since we're always in private browsing mode


  • site-specific browser (1602117) to launch websites in a window without browser UI


  • so this is a list of mozilla domains which are allowed to be loaded in a privileged process, probably empty this list


  • new style for urlbar that sort of 'hovers' over the background when true


  • set to false to disable push notifications


  • set to false to disable service workers





  • 0 => allow all, 1 => block audio, 5 => block audio+video (suspect we should disable all autoplay)


  • enables the new picture-in-picture video viewer


  • disable DoH when parental controls are enabled



  • when this is enabled permissions prompt will appear when ff is in full screen, when not it drops out of fullscreen (to avoid chrome spoofing we want this to be false)



  • enables the new cert viewer (if we enable this, we need to port over our work adding in 'Onion Service' string to the security info of a page #23247)



  • used to disable HPKP (HTTP Public Key Pinning) when false, pretty sure we want to keep it that way?



  • false in firefox, do we want to show the EV text?





  • we probably want this to be false to disable old TLS



  • seems like a thing for ff devs to enable experiments, we want this to be empty string

comment:9 in reply to:  8 Changed 7 months ago by Thorin

Replying to pospeselr:


  • set to false to disable push notifications

Default false in ESR68. I also think it's not enabled/doesn't do anything in PB mode, since it requires service workers which are also disabled (see next comment)

However, disabling SWs (pref below) and push (pref above) is not enough to stop Firefox polling the Mozilla Push Server - which assigns a persistent ID

  • see dom.push.userAgentID (without testing, I am not sure if this still gets set when started in PB mode)
  • you could blank 'dom.push.serverURL' for good measure


  • set to false to disable service workers

This isn't new. It's default false in ESR60-68 and service workers are not available in PB mode


Just FYI: if this is true, then both normal and PB modes display the padlock, but if false, then the pref security.insecure_connection_icon.pbmode.enabled is used in PB mode. They are currently both default false in ESR68, true in non ESR


  • we probably want this to be false to disable old TLS

Setting to false still allows downgrading, but makes that downgrading session only. To force edit: of course this only makes sense if TLS 1.0 and 1.1 are disabled

  • security.tls.version.min = 3
  • 3 was the default in FF74 but got reversed due to govt websites using TLS <1.2
  • no idea what it will be in ESR78 stable

update: To ensure no downgrades, you could lock the pref - see

Last edited 7 months ago by Thorin
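
The pref values asked for in the comments above can be checked mechanically against a prefs file. The following is an added example, not code from the ticket or from Tor Browser: the rule table, the function names and the sample file contents are assumptions, and only one-line `pref(...)`, `user_pref(...)` and `lockPref(...)` calls with literal values are parsed.

```javascript
// Added example: audit a Firefox-style prefs file against values named in this ticket.
// Each rule's target value comes from a comment above; the table itself is an assumption.
const RULES = [
  { name: "browser.privatebrowsing.forceMediaMemoryCache", want: "true", ok: v => v === true },
  { name: "browser.urlbar.eventTelemetry.enabled", want: "false", ok: v => v === false },
  { name: "dom.push.serverURL", want: '""', ok: v => v === "" },
  { name: "security.tls.version.min", want: ">= 3, locked",
    ok: v => Number.isInteger(v) && v >= 3, lock: true },
];

// Matches one-line pref(...), user_pref(...) and lockPref(...) calls.
const PREF_RE = /^\s*(user_pref|pref|lockPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;

function parseValue(raw) {
  if (raw === "true") return true;
  if (raw === "false") return false;
  if (/^-?\d+$/.test(raw)) return parseInt(raw, 10);
  const m = /^"((?:[^"\\]|\\.)*)"$/.exec(raw);
  return m ? m[1] : undefined; // anything else is not a literal we understand
}

function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_RE.exec(line);
    if (!m) continue; // comments, blank lines, unsupported syntax
    const value = parseValue(m[3]);
    // A later line for the same pref overrides an earlier one.
    if (value !== undefined) prefs.set(m[2], { value, locked: m[1] === "lockPref" });
  }
  return prefs;
}

function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const r of RULES) {
    const p = prefs.get(r.name);
    // "not set" means the file relies on the built-in default, which needs a manual look.
    if (!p) findings.push(`${r.name}: not set (want ${r.want})`);
    else if (!r.ok(p.value)) findings.push(`${r.name}: ${JSON.stringify(p.value)} (want ${r.want})`);
    else if (r.lock && !p.locked) findings.push(`${r.name}: value ok but not locked`);
  }
  return findings;
}

// Constructed sample input, not taken from a real profile or build.
const SAMPLE = `// constructed sample
pref("browser.privatebrowsing.forceMediaMemoryCache", true);
pref("browser.urlbar.eventTelemetry.enabled", true);
pref("dom.push.serverURL", "wss://push.example.invalid/");
pref("security.tls.version.min", 3);`;
console.log(auditPrefs(SAMPLE).join("\n"));
```
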

comment:10 Changed 7 months ago by pili

Parent ID: #33661

comment:11 Changed 6 months ago by pospeselr

Description: modified (diff)
Summary: Review FF release notes from FF69 to latest (FF73) → Review FF release notes from FF69 to latest (FF75)

comment:12 Changed 6 months ago by pospeselr

Actual Points: 12 → 20

comment:13 Changed 5 months ago by gaba

Owner: pospeselr deleted

comment:14 Changed 5 months ago by sysrqb

Owner: set to tbb-team