Re: Device Orientation API future

2018-01-10 Thread Anne van Kesteren
On Thu, Jan 11, 2018 at 5:39 AM, Chris Van Wiemeersch wrote: > Anne and Martin, can you think of changes to request for the Sensor API > that we would resolve or reasonably improve the existing fingerprinting > concerns? It sounds like Chrome's approach is throttling, which would probably work, b

performing cross-context instanceof checks

2018-01-10 Thread Cameron McCormack
Hi, For a long time Firefox's behaviour for instanceof checks on DOM objects, when the right-hand side interface object comes from a different window from the object on the left, has differed from other browsers. For example, otherWindow.document instanceof Node evaluates to true in Firefox

Re: Device Orientation API future

2018-01-10 Thread Martin Thomson
On Thu, Jan 11, 2018 at 3:39 PM, Chris Van Wiemeersch wrote: > Anne and Martin, can you think of changes to request for the Sensor API that > we would resolve or reasonably improve the existing fingerprinting concerns? In general, we can't improve the situation by adding more functionality. That

Re: Device Orientation API future

2018-01-10 Thread Chris Van Wiemeersch
Martin, you gave some reasonable mitigation steps earlier in this thread that I think are probably worth revisiting. Anne and Martin, can you think of changes to request for the Sensor API that we would resolve or reasonably improve the existing fingerprinting concerns? On Wed, Jan 10, 2018 at

Re: Intent to unship: navigator.registerContentHandler()

2018-01-10 Thread Tantek Çelik
On Wed, Jan 10, 2018 at 2:19 AM, Anne van Kesteren wrote: > On Wed, Jan 10, 2018 at 2:06 AM, Fabrice Desre wrote: >> WebShare is more a trimmed down version of the WebActivities/WebIntents >> apis. I think it's unfortunate that instead of fixing the issues with WA/WI >> they went with a single pu

Re: Device Orientation API future

2018-01-10 Thread Martin Thomson
What Anne said. None of these actions help address the primary concern. On Wed, Jan 10, 2018 at 2:23 PM, wrote: > Exciting to hear, Kyle! > > As mentioned earlier, Chrome for Android M63+ has shipped an implementation > (disabled by default, with an Origin Trial) of the Generic Sensor API, but

Re: Intent to unship: navigator.registerContentHandler()

2018-01-10 Thread Tantek Çelik
On Tue, Jan 9, 2018 at 8:51 AM, L. David Baron wrote: > On Wednesday 2018-01-03 15:15 +, Jonathan Kingston wrote: >> I am suggesting the removal of navigator.registerContentHandler >> >> API used to register a

Re: Intent to Implement: canvas-imagedata permission

2018-01-10 Thread Tom Ritter
> In Resist Fingerprinting mode, could it sometimes return all 3 > states (granted, prompt, denied) depending on whether the user had > chosen to remember the decision from a prior prompt? Or is there no > such memory? Yes, it can return all three, it will behave like a normal permission (and alr

Re: Intent to Implement: canvas-imagedata permission

2018-01-10 Thread Daniel Veditz
On Wed, Jan 10, 2018 at 12:32 PM, L. David Baron wrote: > Is stopping canvas fingerprinting actually a substantial reduction > in available entropy, or is it just removing a convenient source > that happens to combine a bunch of sources of entropy that are also > available elsewhere Blocking ca

Re: Inheriting annotations into included reftest.list files

2018-01-10 Thread L. David Baron
On Wednesday 2018-01-10 10:49 -0500, Kartikaya Gupta wrote: > This will probably come as a surprise to many (as it does to me each > time I rediscover it), but if, in a reftest.list file, you do > something like this (real example from [1]): > > skip-if(browserIsRemote) include ogg-video/reftest.l

Re: Inheriting annotations into included reftest.list files

2018-01-10 Thread Kartikaya Gupta
On Wed, Jan 10, 2018 at 3:40 PM, Daniel Holbert wrote: > I'd lean slightly towards allowing the syntax and making it actually skip > the include expression. This construct seems valuable to have in our > toolbox (to be used only sparingly, e.g. for cases of platform-specific > features). Yeah I'

Re: Inheriting annotations into included reftest.list files

2018-01-10 Thread Daniel Holbert
Agreed that this is footgunny & unexpected! I'd lean slightly towards allowing the syntax and making it actually skip the include expression. This construct seems valuable to have in our toolbox (to be used only sparingly, e.g. for cases of platform-specific features). (Based on a quick grep[1],

Re: Intent to Implement: canvas-imagedata permission

2018-01-10 Thread L. David Baron
On Wednesday 2018-01-10 12:40 -0600, Tom Ritter wrote: > When Resist Fingerprinting is enabled, we display a permission prompt > when a website tries to access the rendered canvas data. This is > because canvas rendering is a popular fingerprinting and tracking > vector on the web. Is stopping can

Re: Inheriting annotations into included reftest.list files

2018-01-10 Thread Kartikaya Gupta
Another option would be to keep allowing this syntax of "skip-if(x) include some/reftest.list" but actually make it skip the entire include if the condition "x" is true. On Wed, Jan 10, 2018 at 10:49 AM, Kartikaya Gupta wrote: > This will probably come as a surprise to many (as it does to me each

Intent to Implement: canvas-imagedata permission

2018-01-10 Thread Tom Ritter
Summary: When Resist Fingerprinting is enabled, we display a permission prompt when a website tries to access the rendered canvas data. This is because canvas rendering is a popular fingerprinting and tracking vector on the web. However, some uses of this technique are not actually malicious - th

Change to MOZ_LOG output formatting coming: Thread identifiers will include the PID (process id)

2018-01-10 Thread Andrew Sutherland
Right now MOZ_LOG's default output does not include process identifiers, so messages from different processes look misleadingly similar:
[Main Thread]: D/nsBlah Message Message
[Main Thread]: D/nsBlah Message Message
They will soon instead look like:
[4372:Main Thread]: D/nsBlah Message Messag

Re: Intent to unship: navigator.registerContentHandler()

2018-01-10 Thread rektide
I really like this extension mechanism for the web. Unlike, say, registerProtocolHandler, which is relatively widely supported, registerContentHandler allows extensibility for experiencing resources on the web while still remaining on the firm earth of HTTP and the web. If possible, I'd prefer

Re: Announcing the next Extended Support Release of Firefox - ESR60 with policy engine

2018-01-10 Thread Andrew McCreight
On Wed, Jan 10, 2018 at 6:22 AM, Romain Testard wrote: > Some enterprises may indeed find that enabling site isolation is worth the > trade-offs (memory usage seems to be the main one on Chrome's > implementation). > Just to be clear here, we do not support the same kind of site isolation that Ch

Inheriting annotations into included reftest.list files

2018-01-10 Thread Kartikaya Gupta
This will probably come as a surprise to many (as it does to me each time I rediscover it), but if, in a reftest.list file, you do something like this (real example from [1]):
skip-if(browserIsRemote) include ogg-video/reftest.list
this may not do what you expect. My expectation, at least, is tha

Re: Announcing the next Extended Support Release of Firefox - ESR60 with policy engine

2018-01-10 Thread Romain Testard
Some enterprises may indeed find that enabling site isolation is worth the trade-offs (memory usage seems to be the main one on Chrome's implementation). Our current goal is to make sure enterprise users retain the same feature set with the next ESR and that we deliver a capability that allows easy

In-tree version of webrtc.org build switching from gyp to gn

2018-01-10 Thread Daniel Minor
Our in-tree version of the webrtc.org code is currently built using gyp. Support for gyp was removed from upstream over a year ago and was replaced with gn, requiring us to maintain our own copy of the gyp files in order to do updates. Chris Manchester worked on build system support for gn, which

Re: Device Orientation API future

2018-01-10 Thread Anne van Kesteren
On Wed, Jan 10, 2018 at 4:23 AM, wrote: > 1. Lock down the Device Sensor APIs in Gecko to only secure contexts, > with `deviceorientation`, `absolutedeviceorientation`, and `devicemotion` > being enabled by default. This helps with encouraging HTTPS adoption, but it does not solve the und

Re: Intent to unship: navigator.registerContentHandler()

2018-01-10 Thread Anne van Kesteren
On Wed, Jan 10, 2018 at 2:06 AM, Fabrice Desre wrote: > WebShare is more a trimmed down version of the WebActivities/WebIntents > apis. I think it's unfortunate that instead of fixing the issues with WA/WI > they went with a single purpose API - this doesn't scale at all with use > cases they don'