Re: [tor-bugs] #18545 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF38esr

2016-05-13 Thread Tor Bug Tracker & Wiki 
#18545: Review Firefox Developer Docs and Undocumented bugs since FF38esr
+--
 Reporter:  gk  |  Owner:  tbb-team
 Type:  task| Status:  closed
 Priority:  Very High   |  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Critical| Resolution:  fixed
 Keywords:  ff45-esr, TorBrowserTeam201605  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:  SponsorU
+--
Changes (by gk):

 * status:  new => closed
 * resolution:   => fixed


Comment:

 Okay, this is finally done. One additional issue got found (#19047) and
 now we are good here. Closing.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #18545 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF38esr

2016-05-09 Thread Tor Bug Tracker & Wiki 
#18545: Review Firefox Developer Docs and Undocumented bugs since FF38esr
+--
 Reporter:  gk  |  Owner:  tbb-team
 Type:  task| Status:  new
 Priority:  Very High   |  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Critical| Resolution:
 Keywords:  ff45-esr, TorBrowserTeam201605  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:  SponsorU
+--

Comment (by gk):

 Replying to [comment:23 mcs]:
 > Replying to [comment:21 gk]:
 > > Replying to [comment:20 brade]:
 > > > Kathy and I reviewed all of the release notes and developer docs for
 Firefox 39-45. We have not yet looked at the complete bug lists
 (comment:17).
 > >
 > > That's fine. I am halfway through and think having just one doing that
 is okay.
 > >
 > > > Here are some things that might be worth another look (some of these
 may have been looked at in more detail by gk already):
 > >
 > > Thanks for looking at it!
 > >
 > > > CacheStorage. It seems that this can be used by Web Workers and
 regular JS code (not just by Service Workers).
 > > > https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage
 > >
 > > Do you have a bug indicating that? CacheStorage is part of the Service
 Workers spec and that whole MDN page indicates that, too.
 >
 > The API page includes "It provides a master directory of all the named
 caches that a ServiceWorker, other type of worker or window scope can
 access (you don't have to use it with service workers, even though that is
 the spec that defines it) and maintains a mapping of string names to
 corresponding Cache objects." Also, some of the top-level objects are
 present in regular DOM windows. See:
 https://lists.torproject.org/pipermail/tbb-dev/2016-May/000372.html

 Thanks. Filed as #18995.

 > > > Server logging. This is kind of a strange feature: server
 applications can return an X- HTTP header to cause items to be logged to
 the developer console. Maybe it is only done when the console is open and
 the user is monitoring network requests (I am not sure). Kathy and I do
 not like the idea that this is enabled, but it may be harmless.
 > > > https://developer.mozilla.org/en-
 US/docs/Tools/Web_Console/Console_messages#Server
 > >
 > > Hm. This is https://bugzilla.mozilla.org/show_bug.cgi?id=1168872. So
 what if we put that feature behind a pref? Disabling it by default in Tor
 Browser?
 >
 > Kathy and I think adding a pref is a good idea, although we leave the
 decision to you (we cannot prove that this will cause any security or
 privacy issues).

 Filed the investigation as #18996.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #18545 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF38esr

2016-05-02 Thread Tor Bug Tracker & Wiki 
#18545: Review Firefox Developer Docs and Undocumented bugs since FF38esr
+--
 Reporter:  gk  |  Owner:  tbb-team
 Type:  task| Status:  new
 Priority:  Very High   |  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Critical| Resolution:
 Keywords:  ff45-esr, TorBrowserTeam201604  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:  SponsorU
+--

Comment (by gk):

 Replying to [comment:20 brade]:
 > Kathy and I reviewed all of the release notes and developer docs for
 Firefox 39-45. We have not yet looked at the complete bug lists
 (comment:17).

 That's fine. I am halfway through and think having just one doing that is
 okay.

 > Here are some things that might be worth another look (some of these may
 have been looked at in more detail by gk already):

 Thanks for looking at it!

 > CacheStorage. It seems that this can be used by Web Workers and regular
 JS code (not just by Service Workers).
 > https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage

 Do you have a bug indicating that? CacheStorage is part of the Service
 Workers spec and that whole MDN page indicates that, too.

 > Server logging. This is kind of a strange feature: server applications
 can return an X- HTTP header to cause items to be logged to the developer
 console. Maybe it is only done when the console is open and the user is
 monitoring network requests (I am not sure). Kathy and I do not like the
 idea that this is enabled, but it may be harmless.
 > https://developer.mozilla.org/en-
 US/docs/Tools/Web_Console/Console_messages#Server

 Hm. This is https://bugzilla.mozilla.org/show_bug.cgi?id=1168872. So what
 if we put that feature behind a pref? Disabling it by default in Tor
 Browser?

 > window.screen.orientation. This is possibly a fingerprinting vector
 unless it always returns "landscape-primary" on desktop Firefox (it may
 still be an issue for Orfox). Or did we decide that applications can
 derive this kind of info from the window size/aspect ratio anyway?
 > https://developer.mozilla.org/en-US/docs/Web/API/Screen/orientation

 #13025 did not solve this?

 > Navigator.onLine. This can be used to monitor the connected state of a
 user's computer. We can disable it by setting network.manage-offline-
 status = false.
 > https://developer.mozilla.org/en-US/docs/Web/API/NavigatorOnLine/onLine

 I definitely came across this one and was thinking about it but I am not
 sure anymore why I did not put it up in my review notes. I think flipping
 that pref back is a good option, #18945

 > Enable H.264 if system decoder is available (Linux). Kathy and I do not
 know enough about the world of video decoders to know if this could be a
 significant fingerprinting vector.
 > https://bugzilla.mozilla.org/show_bug.cgi?id=1213499

 We could investigate which Linux systems would be affected by this:
 #18946.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #18545 [Applications/Tor Browser]: Review Firefox Developer Docs and Undocumented bugs since FF38esr

2016-04-29 Thread Tor Bug Tracker & Wiki 
#18545: Review Firefox Developer Docs and Undocumented bugs since FF38esr
+--
 Reporter:  gk  |  Owner:  tbb-team
 Type:  task| Status:  new
 Priority:  Very High   |  Milestone:
Component:  Applications/Tor Browser|Version:
 Severity:  Critical| Resolution:
 Keywords:  ff45-esr, TorBrowserTeam201604  |  Actual Points:
Parent ID:  | Points:
 Reviewer:  |Sponsor:  SponsorU
+--

Comment (by brade):

 Kathy and I reviewed all of the release notes and developer docs for
 Firefox 39-45. We have not yet looked at the complete bug lists
 (comment:17). Here are some things that might be worth another look (some
 of these may have been looked at in more detail by gk already):

 CacheStorage. It seems that this can be used by Web Workers and regular JS
 code (not just by Service Workers).
 https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage

 Server logging. This is kind of a strange feature: server applications can
 return an X- HTTP header to cause items to be logged to the developer
 console. Maybe it is only done when the console is open and the user is
 monitoring network requests (I am not sure). Kathy and I do not like the
 idea that this is enabled, but it may be harmless.
 https://developer.mozilla.org/en-
 US/docs/Tools/Web_Console/Console_messages#Server

 window.screen.orientation. This is possibly a fingerprinting vector unless
 it always returns "landscape-primary" on desktop Firefox (it may still be
 an issue for Orfox). Or did we decide that applications can derive this
 kind of info from the window size/aspect ratio anyway?
 https://developer.mozilla.org/en-US/docs/Web/API/Screen/orientation

 Navigator.onLine. This can be used to monitor the connected state of a
 user's computer. We can disable it by setting network.manage-offline-
 status = false.
 https://developer.mozilla.org/en-US/docs/Web/API/NavigatorOnLine/onLine

 Enable H.264 if system decoder is available (Linux). Kathy and I do not
 know enough about the world of video decoders to know if this could be a
 significant fingerprinting vector.
 https://bugzilla.mozilla.org/show_bug.cgi?id=1213499

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs