Opened 5 years ago

Closed 3 years ago

Last modified 21 months ago

#7255 closed defect (fixed)

Prompt if Tor Browser is Maximized

Reported by: mikeperry
Owned by: gk
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-fingerprinting-resolution, tbb-usability, tbb-bounty, tbb-torbutton, tbb-4.5-alpha
Cc: gk, intrigeri, mcs, brade, arthuredelstein
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

We should display some kind of toolbar message or otherwise warn the user against maximizing their Tor Browser window, because maximization reveals monitor resolution and toolbar sizes.

Change History (29)

comment:1 Changed 5 years ago by mikeperry

See also #7256, which might end up being simpler than this ticket if zoom is easy to manipulate to get a target virtual resolution.

comment:2 Changed 5 years ago by gk

Cc: g.koppen@… added

comment:3 Changed 5 years ago by mikeperry

Priority: changed from normal to major

comment:4 Changed 5 years ago by mikeperry

We might also want to prompt or otherwise block toolbar/bookmark side panes. See #7562.

comment:5 Changed 5 years ago by T(A)ILS developers

Cc: tails@… added

comment:6 Changed 5 years ago by T(A)ILS developers

This solution would be acceptable for Tails, but:

  1. Shouldn't the user be warned against any form of resizing and not only maximizing?
  2. We'd rather see the old "prevent resizing but to multiples of NxM" functionality back.
  3. Alternative proposal:
    • build a list of well-spread maximized sizes (e.g. Windows 7 on 1280x800 display, etc.)
    • allow maximizing to them
    • if maximize doesn't end up using one of those well-spread sizes, maximize to the biggest possible one of these when asked to maximize
    • always warn when resizing

comment:7 Changed 5 years ago by mikeperry

Looks like Mozilla recently added some APIs that might allow us to more aggressively set fixed window sizes: https://bugzilla.mozilla.org/show_bug.cgi?id=357725. Not sure if that's a good idea or not.

comment:8 Changed 4 years ago by mcs

Cc: mcs brade added

comment:9 Changed 4 years ago by adam.greenblatt

Using an unusual screen resolution was sufficient to identify me uniquely to panopticlick. With my portrait mode screen resolution of 1200 wide by 1920 high, the default window size of 1000x1765 was unique, no resizing or maximizing needed.

Perhaps the default should be whichever "standard" size is most common in the wild, regardless of the underlying screen resolution?

Better still would be to report said standard size regardless of the actual size, and let people freely resize and zoom (see #9189) with anonymity. But that's probably hard ;-)

comment:10 Changed 3 years ago by erinn

Component: changed from TorBrowserButton to Tor Browser
Keywords: tbb-torbutton added
Owner: changed from mikeperry to tbb-team

comment:11 Changed 3 years ago by intrigeri

Cc: intrigeri added; tails@… removed

comment:12 in reply to:  description Changed 3 years ago by gacar

Replying to mikeperry:

> We should display some kind of toolbar message or otherwise warn the user against maximizing their Tor Browser window, because maximization reveals monitor resolution and toolbar sizes.

If a notification (not a confirmation) dialog is what is needed, the Notification API can be useful here: https://developer.mozilla.org/en-US/Add-ons/SDK/High-Level_APIs/notifications

There's a demo to check what it looks like; it works fine with TBB 3.6.5:
https://developer.mozilla.org/en-US/docs/Web/API/notification
You need to give permission for this one, since the notification comes from the page. Torbutton won't need the permission.

comment:13 Changed 3 years ago by mikeperry

Keywords: tbb-usability added

comment:14 Changed 3 years ago by mikeperry

Keywords: tbb-fingerprinting-resolution added; tbb-fingerprinting removed

comment:15 Changed 3 years ago by arthuredelstein

Cc: arthuredelstein gk added
Status: changed from new to needs_information

With my latest proposed patch in #14429, browser window dimensions are quantized to 200x100. So, assuming we use that patch, what kind of warning would be appropriate?

  1. Presenting a one-time notification dialog that just explains that the browser dimensions are quantized, and why.
  2. Display a dialog that recommends that the user not change the window size, and present a "cancel" button that lets the user abort the resizing action before it reveals the new window size to content scripts.

Alternative 2 probably offers a little extra anonymity to those users who heed the recommendation, and a little less anonymity for those users who choose to ignore it (but whose windows remain quantized). On the other hand, the window size already varies on window creation, depending on the user's screen size, because of the algorithms here: https://gitweb.torproject.org/mikeperry/torbutton.git/tree/src/chrome/content/torbutton.js?h=1.5-next#n2201
so I'm not sure Alternative 2 provides much more safety than Alternative 1.

I would welcome any opinions!
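
Added example (not part of the ticket and not the #14429 patch): a sketch of what quantizing window dimensions to a 200x100 grid does to the set of sizes a content script can observe. The function names, the round-down rule and the sample sizes are assumptions constructed for illustration; only the 200x100 step and the 1000x1765 window from comment 9 come from the ticket.

```javascript
// Added illustration, not Torbutton or #14429 code. Names are hypothetical.
const STEP_W = 200; // grid step from comment 15
const STEP_H = 100;

// Assumption: round down to the grid, never below one step.
function quantize(value, step) {
  return Math.max(step, Math.floor(value / step) * step);
}

// Size a content script would read after quantization.
function quantizedSize(size) {
  return {
    width: quantize(size.width, STEP_W),
    height: quantize(size.height, STEP_H),
  };
}

// Group a population of window sizes by what a page can observe.
// Returns the number of distinct values and the smallest group (k-anonymity).
function anonymitySets(sizes, project) {
  const buckets = new Map();
  for (const s of sizes) {
    const p = project(s);
    const key = `${p.width}x${p.height}`;
    buckets.set(key, (buckets.get(key) || 0) + 1);
  }
  return {
    distinct: buckets.size,
    smallest: Math.min(...buckets.values()),
    buckets,
  };
}

// Constructed sample of content-area sizes for maximized windows, plus the
// 1000x1765 portrait window reported in comment 9.
const SAMPLE = [
  { width: 1280, height: 702 }, { width: 1280, height: 728 },
  { width: 1280, height: 745 }, { width: 1366, height: 670 },
  { width: 1366, height: 696 }, { width: 1440, height: 778 },
  { width: 1440, height: 790 }, { width: 1000, height: 1765 },
];

function compare() {
  const raw = anonymitySets(SAMPLE, (s) => s);
  const quantized = anonymitySets(SAMPLE, quantizedSize);
  return { raw, quantized };
}

const { raw, quantized } = compare();
console.log(`raw: ${raw.distinct} distinct sizes, smallest group ${raw.smallest}`);
console.log(`quantized: ${quantized.distinct} distinct sizes, smallest group ${quantized.smallest}`);
console.log([...quantized.buckets.entries()]);
```

In this sample the seven landscape sizes merge into three groups, while the portrait window stays alone in its bucket, so quantization shrinks the number of observable values without removing outliers.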

comment:16 Changed 3 years ago by gk

Status: changed from needs_information to new

Without having some data we can't say much about whether following option 2 is better or worse for the user's anonymity. Looking at the tickets with users that are wondering about why their browser windows are not rounded at all my gut tells me resizing/maximizing is far more common than commonly thought. I'd even bet that the majority of users is actually resizing their window as they might not understand why they should not do it and why they should waste a lot of available screen space.

What about just closing this ticket when the patch in #14429 lands as the user can't shoot herself in the foot anymore (and preventing this was all the ticket was about)? If we still think we owe the users who are maximizing their windows/trying to get them fullscreen an in-browser explanation as it is not working as expected, then I am in favor of some non-modal mechanism. Maybe a notification box? (I think a modal dialog might just be annoying)

comment:17 Changed 3 years ago by mikeperry

I was thinking that if #14429 landed, we could perform the resize upon maximize, and then display an informative notification upon the "sizemodechange" event after the fact, but similar to the one I just made for New Identity in #9906.

Basically, we would tell the user that we resized the window, and have a "Never do this again" checkbox to disable resizing. However, we probably also need a "Never show this again" because the first few times the user sees it, they may just click through and not even realize what happened..

The issues with #14429 are making me sad though. I feel it is rather important to have some kind of notification+resize here, even if we can't land #14429.. :/

comment:18 in reply to: 17 Changed 3 years ago by gk

Cc: g.koppen@… removed

Replying to mikeperry:

> I was thinking that if #14429 landed, we could perform the resize upon maximize, and then display an informative notification upon the "sizemodechange" event after the fact, but similar to the one I just made for New Identity in #9906.
>
> Basically, we would tell the user that we resized the window, and have a "Never do this again" checkbox to disable resizing. However, we probably also need a "Never show this again" because the first few times the user sees it, they may just click through and not even realize what happened..

Ah, you wanted to re-purpose this ticket. :) I am definitely in favor of giving users some hints about what happened after they resized and thought they would maximize their window or make it fullscreen (given we land this in tandem with #14429). I am still not convinced that we should do that with modal dialogs. It might not be important enough to a lot of users to warrant a blocking dialog. Having modal dialogs for all sorts of decisions does not scale well UX-wise. The advantage of a notification box might be as well that it allows us to put all the "Never do this again" and "Never show this again" into one dialog while it is not straightforward to do that with several checkboxes in a modal dialog (although one surely gets that to work: https://stackoverflow.com/questions/27310608/firefox-addon-sdk-prompt-with-multiple-checkboxes).

> The issues with #14429 are making me sad though. I feel it is rather important to have some kind of notification+resize here, even if we can't land #14429.. :/

Why is it important to have a resize element if we can't land #14429 for now? Why not just having a notification that gives the user a choice *before* she is shooting herself in the foot which gives us time to write and test the code for #14429 properly?

Last edited 3 years ago by gk

comment:19 in reply to:  18 Changed 3 years ago by gk

Replying to gk:

> Having modal dialogs for all sorts of decisions does not scale well UX-wise. The advantage of a notification box might be as well that it allows us to put all the "Never do this again" and "Never show this again" into one dialog

more technically: I have popup notifications in mind here, not a notification box.

comment:20 Changed 3 years ago by mikeperry

Keywords: tbb-4.5-alpha added

comment:21 Changed 3 years ago by gk

Owner: changed from tbb-team to gk
Status: changed from new to assigned

Okay, I tried to implement a blocking modal dialog popping up after the user clicked on the maximize button, but before the resizing is happening, in order to stop it if needed from extension land. That is not working very well. Then I looked at the native code in order to do that in C++ directly but that is quite involved due to platform-dependent behavior. I decided not to mess with that as I don't want to risk the stability for the alpha/stable that is coming.

Thus, I will work on a patch that is already using resizing related code in torbutton giving users a non-blocking choice (meaning the resizing is not blocked by the notification). I am inclined to use a doorhanger notification as the modal dialog does not make sense if we are not blocking the resizing either IMO but am open to other ideas.

comment:22 Changed 3 years ago by mikeperry

Yeah, I think the actual fingerprinting issue due to maximizing is better handled like #14429 attempted to do. This notification is just to inform the user that what they are doing is not a great idea and that they should avoid doing it.

I think the notification box after the fact like we did for the slider is sufficient for now as a stopgap. I think the doorhanger is only needed if we were going to actually act on the notification in some way by setting some kind of site permission, but we're not.

I'm thinking the notification box could say something like "Maximizing Tor Browser can allow websites to determine information about your monitor size, which can be used to track you. We recommend you leave Tor Browser windows in their original default size. [OK]"

I'm also thinking until we get #14429 into better shape, this notification box should display every time.

comment:23 in reply to:  22 Changed 3 years ago by gk

Replying to mikeperry:

> I'm also thinking until we get #14429 into better shape, this notification box should display every time.

That's the only bit I disagree with: If users clearly state that they noticed it (e.g. by clicking on the [OK] button) and still maximize the window then we should not bother them at least during the session in which they clicked on it. Alternatively/additionally, we could add a preference not exposed in the UI that regulates the display of that notification (too).

comment:24 Changed 3 years ago by mikeperry

I was erring on the side of annoying them in case they clicked OK without looking. I suppose we don't have to do it *every* time, but I do think that a single instance of displaying this might not be enough for it to sink in. Once per session seems OK, I guess. Or make the pref be a counter and display it 3 times? That way same pref could double as the fully disable pref.

Whichever way you pick is fine with me though.

comment:25 Changed 3 years ago by gk

Status: changed from assigned to needs_review

comment:26 Changed 3 years ago by mikeperry

Resolution: fixed
Status: changed from needs_review to closed

Ok, I shortened the message a bit and changed the counter to count down from 3 to 0 instead of up, and merged this. Thanks!

comment:27 in reply to: 25 Changed 3 years ago by mcs

Replying to gk:

> bug_7255_v2 (https://gitweb.torproject.org/user/gk/torbutton.git/commit/?h=bug_7255_v2&id=52ab4472601dfb9f0c6d83966a55178b33149464) has a fix for this bug.

It looks like Mike already merged this, but here are some late comments from Kathy and me:

Consider defining a constant for "extensions.torbutton.startup_resize_period".

Please fix the following comment (maybe a word is missing?):

> We at least another second before we show a new notification.

Also, if someone changes their home page to be something other than about:tor, extensions.torbutton.startup_resize_period will remain true. I am not sure what the impact is.

comment:28 in reply to: 27 Changed 3 years ago by gk

Replying to mcs:

> Replying to gk:
>
> > bug_7255_v2 (https://gitweb.torproject.org/user/gk/torbutton.git/commit/?h=bug_7255_v2&id=52ab4472601dfb9f0c6d83966a55178b33149464) has a fix for this bug.
>
> It looks like Mike already merged this, but here are some late comments from Kathy and me:
>
> Consider defining a constant for "extensions.torbutton.startup_resize_period".

Done.

> Please fix the following comment (maybe a word is missing?):
>
> > We at least another second before we show a new notification.

Fixed.

> Also, if someone changes their home page to be something other than about:tor, extensions.torbutton.startup_resize_period will remain true. I am not sure what the impact is.

Depends. If they start maximizing thereafter that won't work. They get the notification AND their screen is resized. Sounds not so bad to me.

comment:29 in reply to:  28 Changed 21 months ago by bugzilla

Severity: Normal

Replying to gk:

> Depends. If they start maximizing thereafter that won't work. They get the notification AND their screen is resized. Sounds not so bad to me.

Users complain: #18254.
