#19048: Review Firefox Developer Docs and Undocumented bugs since FF45esr
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-team
     Type:  task                                 |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-must,              |  Actual Points:
  TorBrowserTeam201703, GeorgKoppen201703        |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:  Sponsor4
-------------------------------------------------+-------------------------

Comment (by gk):

Replying to [comment:14 mcs]:
> Finally, here are our notes for Firefox 51 (we did not look at the Firefox 52 changes yet):
>
> a) We should verify that `TypedArray.toLocaleString()` does not leak locale information.
> https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray/toLocaleString

There are other objects that have `toLocaleString()` as well, like `Array`
(https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/toLocaleString)
or `Number`
(https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/toLocaleString).
I have a ticket for all of them: #21784.

> b) We should verify that the new `<input>` types do not leak locale information, e.g., `<input type="time">`, `type="date"`, `type="week"`, etc.
> https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input

Hm. The docs say these are not implemented yet and the linked bug
(https://bugzilla.mozilla.org/show_bug.cgi?id=888320) seems to second that.
What made you believe they are wrong?

> c) WebGL2 is enabled by default which may enable new fingerprinting opportunities:
> https://developer.mozilla.org/en-US/docs/Web/API/WebGL_API

This is #16404.

> d) HTTP Opportunistic Security may add some linkability risks, although it seems okay at a glance.
> http://httpwg.org/http-extensions/opsec.html
> https://bugzilla.mozilla.org/show_bug.cgi?id=1301117

It seems that needs HTTP2/Alternative Services being enabled which is both
not the case for us?

> e) Do we want to disable Web Audio due to fingerprinting risks? Mozilla keeps adding more functionality. Maybe this is already covered by #13017.

I think having this covered by #13017 seems okay for me. We should keep a
close eye on that one, though. FWIW: We got a pref to disable that in
https://bugzilla.mozilla.org/show_bug.cgi?id=1288359 (+ there is some
discussion on that bug) we might want to use.
I updated #13017 accordingly and flagged it for closer ff52-esr scrutiny.

> f) There are some new Storage APIs that we should look at, e.g.,
> https://developer.mozilla.org/en-US/docs/Web/API/StorageManager/estimate
> https://bugzilla.mozilla.org/show_bug.cgi?id=1267941

I have #21785 for that.

Additionally, I have

g) Check whether the Ambient Light Sensor event.value is properly rounded
off: #21786.
h) Make sure exposing the calendar information does not leak the locale:
#21787.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19048#comment:28>
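
A regression check for item a) and the `Array`/`Number` cases tracked in #21784, as an added example that is not part of the ticket or of Tor Browser's code. The names `SPOOFED_LOCALE`, `PROBES` and `findLocaleLeaks` are hypothetical, and `en-US` as the baseline locale every user should appear to have is an assumption.

```javascript
// Added example, not from the ticket. Names and baseline locale are assumptions.
const SPOOFED_LOCALE = 'en-US'; // assumed locale all users should appear to use

// One probe per API named in the ticket. Each formats constructed sample
// values with the given locale; undefined means "runtime default locale".
const PROBES = {
  'Number.prototype.toLocaleString': (loc) =>
    (1234567.891).toLocaleString(loc),
  'Array.prototype.toLocaleString': (loc) =>
    [1234.5, 0.25].toLocaleString(loc),
  'TypedArray.prototype.toLocaleString': (loc) =>
    new Float64Array([1234.5, 0.25]).toLocaleString(loc),
};

// Compare what content sees (actual) with what it should see (baseline).
// Any difference means the API output depends on the user's real locale.
function findLocaleLeaks(baseline = SPOOFED_LOCALE, actual = undefined) {
  const leaks = [];
  for (const [api, probe] of Object.entries(PROBES)) {
    const expected = probe(baseline);
    const observed = probe(actual);
    if (observed !== expected) {
      leaks.push({ api, expected, observed });
    }
  }
  return leaks;
}

// Report for the runtime this is executed in.
for (const leak of findLocaleLeaks()) {
  console.log(`${leak.api}: got "${leak.observed}", expected "${leak.expected}"`);
}
```

Run it from content under a non-English UI locale; any line printed names an API whose output still reflects the real locale.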