Review and audit Firefox changes since Firefox 17

As the first step in the the switch to Firefox 24 in November, we'll need to review all of the Firefox for Developers pages, the undocumented bugs, and scan the source code for the appearance of new networking system calls.

Here's the first link: https://developer.mozilla.org/en-US/Firefox_18_for_developers

added MikePerry201312 actualpoints::10 component::applications/tor browser ff24-esr owner::tbb-team priority::high resolution::fixed status::closed tbb-firefox-patch tbb-rebase type::task labels

Trac:
Cc: N/A to g.koppen@jondos.de

Trac:
Keywords: MikePerry201309 deleted, MikePerry201310 added

Reviewing just the developer docs (not counting undocumented bugs), here's stuff that needs a closer look for each FF version.

FF24:

• Seems fine. FF23:
• Mixed content blocking will need to be fixed or disabled. FF22:
• WebRTC is on by default
• Clipboard data: https://developer.mozilla.org/en-US/docs/Web/API/ClipboardEvent.clipboardData
• Web Notifications may cause proxy issues if they contain embedded URLs/content? https://developer.mozilla.org/en-US/docs/WebAPI/Using_Web_Notifications
• Blob uris/objects may require caching isolation equivalent to data uris https://developer.mozilla.org/en-US/docs/Web/API/Blob
• Is the new third party cookie blocker better or worse? https://blog.mozilla.org/privacy/2013/02/25/firefox-getting-smarter-about-third-party-cookies/ http://webpolicy.org/2013/02/22/the-new-firefox-cookie-policy/ FF21:
• No major issues FF20:
• Probably fine: https://developer.mozilla.org/en-US/docs/Web/API/Navigator.getUserMedia FF19:
• New canvas methods toBlob(), isPointInStroke(): https://developer.mozilla.org/en-US/docs/Web/API/CanvasRenderingContext2D https://developer.mozilla.org/en-US/docs/Web/API/HTMLCanvasElement
• File can return "current" date when time is unknown (verify no timezone leaks, etc) https://developer.mozilla.org/en-US/docs/Web/API/File
• https://developer.mozilla.org/en-US/docs/Web/API/CSSPageRule FF18:
• https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-allowfullscreen
• https://bugzilla.mozilla.org/show_bug.cgi?id=767818 (navigator.mozPay??)
• https://developer.mozilla.org/en-US/docs/JavaScript/Reference/Global_Objects/Proxy
• https://developer.mozilla.org/en-US/docs/Web/Guide/User_experience/Using_the_Page_Visibility_API
• https://hacks.mozilla.org/2012/10/aurora-18-hidpi-touch-events/

And here's the list of undocumented bugs that need a closer look:

FF24: https://bugzilla.mozilla.org/show_bug.cgi?id=855741 https://bugzilla.mozilla.org/show_bug.cgi?id=549861 https://bugzilla.mozilla.org/show_bug.cgi?id=858234 FF23: https://bugzilla.mozilla.org/show_bug.cgi?id=525444 https://bugzilla.mozilla.org/show_bug.cgi?id=769871 https://bugzilla.mozilla.org/show_bug.cgi?id=811403 https://bugzilla.mozilla.org/show_bug.cgi?id=818675 https://bugzilla.mozilla.org/show_bug.cgi?id=834835 FF22: https://bugzilla.mozilla.org/show_bug.cgi?id=845010 https://bugzilla.mozilla.org/show_bug.cgi?id=783129 FF21: https://bugzilla.mozilla.org/show_bug.cgi?id=834595 https://bugzilla.mozilla.org/show_bug.cgi?id=823175 FF20: https://bugzilla.mozilla.org/show_bug.cgi?id=776443 https://bugzilla.mozilla.org/show_bug.cgi?id=815743 https://bugzilla.mozilla.org/show_bug.cgi?id=818800 https://bugzilla.mozilla.org/show_bug.cgi?id=770844 https://bugzilla.mozilla.org/show_bug.cgi?id=764240 https://bugzilla.mozilla.org/show_bug.cgi?id=617532 https://bugzilla.mozilla.org/show_bug.cgi?id=789932 FF19: https://bugzilla.mozilla.org/show_bug.cgi?id=801576 https://bugzilla.mozilla.org/show_bug.cgi?id=804944 https://bugzilla.mozilla.org/show_bug.cgi?id=722979 https://bugzilla.mozilla.org/show_bug.cgi?id=723002 https://bugzilla.mozilla.org/show_bug.cgi?id=723005 https://bugzilla.mozilla.org/show_bug.cgi?id=648610 https://bugzilla.mozilla.org/show_bug.cgi?id=801402 FF18: https://bugzilla.mozilla.org/show_bug.cgi?id=745025 https://bugzilla.mozilla.org/show_bug.cgi?id=750862 https://bugzilla.mozilla.org/show_bug.cgi?id=790946 https://bugzilla.mozilla.org/show_bug.cgi?id=782453 https://bugzilla.mozilla.org/show_bug.cgi?id=774963 https://bugzilla.mozilla.org/show_bug.cgi?id=737003 https://bugzilla.mozilla.org/show_bug.cgi?id=726615 https://bugzilla.mozilla.org/show_bug.cgi?id=783531 https://bugzilla.mozilla.org/show_bug.cgi?id=722861 https://bugzilla.mozilla.org/show_bug.cgi?id=796523 https://bugzilla.mozilla.org/show_bug.cgi?id=564815 https://bugzilla.mozilla.org/show_bug.cgi?id=769764 https://bugzilla.mozilla.org/show_bug.cgi?id=769569 https://bugzilla.mozilla.org/show_bug.cgi?id=787931 https://bugzilla.mozilla.org/show_bug.cgi?id=695399 https://bugzilla.mozilla.org/show_bug.cgi?id=791019

Trac:
Points: N/A to 3

Trac:
Actualpoints: N/A to 3
Points: 3 to N/A

Trac:
Keywords: N/A deleted, tbb-rebase added

Trac:
Keywords: MikePerry201310 deleted, MikePerry201311 added

Ok, I've completed the review of the above bugs and API features. I've filed the following bugs as a result: #10283 (moved), #10284 (moved), #10285 (closed), #10286 (moved).

Aside from #10285 (closed), none of them require immediate attention. However, #10285 (closed) represents some further testing needed to determine the behavior of several APIs with respect to different desktop environments. It is possible that on some desktops, the APIs we test in #10285 (closed) could result in proxy bypass due to OS or desktop-specific behavior.

I still need to complete the network system call audit.

Trac:
Actualpoints: 3 to 10

Please note that the following canvas methods in esr24 are not mentioned in the filed bugs (10283-6).

• ToBlob
• ToDataURL
• mozFetchAsStream
• mozGetAsFile

Trac:
Keywords: MikePerry201311 deleted, MikePerry201312 added

Trac:
Cc: g.koppen@jondos.de to g.koppen@jondos.de, intrigeri

Trac:
Keywords: N/A deleted, tbb-firefox-patch added

Trac:
Owner: mikeperry to tbb-team
Component: Firefox Patch Issues to Tor Browser

Not sure how this wasn't closed..

Trac:
Resolution: N/A to fixed
Status: new to closed

closed

added 80h of time spent

mentioned in issue #9609 (closed)

moved to tpo/applications/tor-browser#9608 (closed)