#19048: Review Firefox Developer Docs and Undocumented bugs since FF45esr
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-team
     Type:  task                                 |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-must,              |  Actual Points:
  TorBrowserTeam201703, GeorgKoppen201703        |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:  Sponsor4
-------------------------------------------------+-------------------------

Comment (by gk):

Replying to [comment:12 mcs]:
> And here are our notes for Firefox 49:
>
> a) Graphite font rendering has been re-enabled. We need to decide if we want to disable it again or not.

I opened #21726.

> b) Mozilla switched to compiling with Intel SSE2. We could do the same, although it would mean that Tor Browser would not run on some really old CPUs. Mozilla modified their Windows installer to notify and refuse to install if the CPU does not support SSE2.
> https://bugzilla.mozilla.org/show_bug.cgi?id=1271759

The updater part is #19316 and the installer #21704.

> c) Kathy and I cannot think of any fingerprinting or linkability risks associated with the Web Speech API, but it is a big new thing:
> https://developer.mozilla.org/en-US/docs/Web/API/Web_Speech_API
> https://bugzilla.mozilla.org/show_bug.cgi?id=1268633

Yeah, I think this is fine. Both synthesis and recognition seem to be off anyway.

    pref("media.webspeech.synth.enabled", false);
    pref("media.webspeech.recognition.enable", false);

> d) We should verify that the "Network ID" is not even computed when Telemetry is disabled. At least I would feel better if it was not.
> https://bugzilla.mozilla.org/show_bug.cgi?id=1240932

#21727. Might have sandboxing implications as well as it needs /proc/net/arp access on Linux e.g.

> e) The Bookmarks Toolbar is automatically shown when the user adds a bookmark to it. This will change the window size, but maybe this is used rarely enough that we do not care?
> https://bugzilla.mozilla.org/show_bug.cgi?id=1219788

Hm. I think that falls under #16456

> f) The window.isSecureContext API is interesting but may not add any fingerprinting or linkability risks. We should think about whether features that are being made "HTTPS only" should also be available on .onion sites.
> https://developer.mozilla.org/en-US/docs/Web/API/Window/isSecureContext

Yes, this is a nice thing to look at, I opened #21728.

> g) As part of our release procedures, do we double-check the HPKP expiration? Mozilla seems to have bugs for each release, e.g.,
> https://bugzilla.mozilla.org/show_bug.cgi?id=1307530

No, we don't right now. Mozilla has HPKP enabled for addons.mozilla.org and other measures implemented (https://bugzilla.mozilla.org/show_bug.cgi?id=1303127#c13). I think that's okay until we solve this properly.

Other things I have:

h) Flyweb landed which seems crazy (https://wiki.mozilla.org/FlyWeb and https://hacks.mozilla.org/2016/09/flyweb-pure-web-cross-device-interaction) but it is disabled in ESR 52 (`dom.flyweb.enabled` is `false`).

i) Canvas CSS/SVG filters are enabled by default (https://bugzilla.mozilla.org/show_bug.cgi?id=1173545). We have #16341 for that.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19048#comment:23>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
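
An added example, not part of the ticket or of Tor Browser's own code: a small checker that parses a Firefox-style prefs file and reports whether the three prefs named in this comment are set to `false`. The sample file content is constructed, and reporting a pref that is absent from the file as a finding is an assumption of this sketch.

```python
import re

# Pref names and expected values as stated in the ticket comment.
EXPECTED = {
    "media.webspeech.synth.enabled": False,
    "media.webspeech.recognition.enable": False,
    "dom.flyweb.enabled": False,
}

# One pref call per line: pref("name", value); and its common variants.
PREF_RE = re.compile(
    r'^(?:user_pref|sticky_pref|lockPref|defaultPref|pref)'
    r'\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: value}; a later assignment overrides an earlier one."""
    prefs, in_block = {}, False
    for line in text.splitlines():
        s = line.strip()
        if in_block or s.startswith("/*"):   # skip /* ... */ comment lines
            in_block = "*/" not in s
            continue
        m = PREF_RE.match(s)                 # "//" comment lines never match
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text, expected=EXPECTED):
    """Return {name: problem} for each expected pref that is unset or differs."""
    prefs, findings = parse_prefs(text), {}
    for name, want in expected.items():
        if name not in prefs:
            findings[name] = "not set in this file"
        elif prefs[name] != want:
            findings[name] = f"is {prefs[name]!r}, expected {want!r}"
    return findings

# Constructed sample, not a real Tor Browser prefs file.
SAMPLE = '''
pref("media.webspeech.synth.enabled", false);
pref("media.webspeech.recognition.enable", false);
/* pref("dom.flyweb.enabled", false); */
pref("media.webspeech.synth.enabled", true);  // later override wins
pref("browser.startup.page", 0);
'''
```

On the constructed sample, `audit(SAMPLE)` flags `media.webspeech.synth.enabled` (re-enabled by the later line) and `dom.flyweb.enabled` (only present inside a comment).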