#19048: Review Firefox Developer Docs and Undocumented bugs since FF45esr
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-team
     Type:  task                                 |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-must,              |  Actual Points:
  TorBrowserTeam201703, GeorgKoppen201703        |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:  Sponsor4
-------------------------------------------------+-------------------------

Comment (by gk):

Replying to [comment:13 mcs]:
> Here are a few items for Firefox 50:
>
> a) We need to determine if the File and Directory Entries API adds any
> fingerprinting or linkability risk.
> https://developer.mozilla.org/en-US/docs/Web/API/File_and_Directory_Entries_API

That is #21742.

> b) When reviewing bugs, Kathy and I noticed that there seem to be a lot of
> crasher bugs associated with DOM Animation, e.g., UAF bugs. I think this is
> disabled by default via:
>   dom.animations-api.core.enabled = false
> or maybe we also need to add the following if we want to turn it off
> completely?
>   dom.animations-api.element-animate.enabled
> This might be something for the security slider eventually.

Have you checked whether those crasher bugs ever made it into releases? The
current metric for the slider was looking at sec-high and sec-critical bugs
that got fixed on the release channel. Just looking at mozilla50 might spoil
our metrics.

> c) As part of our release procedures, do we double-check the HPKP
> expiration? We do not want to have a repeat of the problem where the pins
> expired. Mozilla seems to have bugs for each release, e.g.,
> https://bugzilla.mozilla.org/show_bug.cgi?id=1307530

Hey, that got mentioned in the mozilla49 notes already (see my reply in the
previous comment). :)

Additional things I have:

d) The HTML Drag and Drop API is new and enabled by default, allowing
multiple items to be dragged and dropped (see:
https://bugzilla.mozilla.org/show_bug.cgi?id=906420,
https://bugzilla.mozilla.org/show_bug.cgi?id=1289255, and
https://bugzilla.mozilla.org/show_bug.cgi?id=1298243). I opened #21741.

e) Mozilla ships its own emoji font on Windows/Linux; we should make sure
that does not interfere with our font fingerprinting defense (see:
https://bugzilla.mozilla.org/show_bug.cgi?id=1231701). That's #21740.

f) SPDY 3.1 is disabled, we can get rid of the pref we set
(https://bugzilla.mozilla.org/show_bug.cgi?id=1287132). That is actually
ripped out in Firefox 51.
I opened #21739.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19048#comment:24>