#31206: http://ip-check.info detects browser window size with JS disabled
--------------------------------------+--------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  defect                    |         Status:  reopened
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Critical                  |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by Thorin):

 Blocking JS can thwart methods used to get entropy but the threat from CSS is not the same. JS is far more powerful. When allowing JS (or CSS in this case), you always look at worst-case scenarios.

 Tor Browser should open at `1000px` x `100s` in height up to `1000px`. And you are not meant to resize. This limits the buckets Tor Browser users are in. CSS @media is not the problem: the problem is users resizing their browser.

 Now we have letterboxing (in alpha), and the inner window will snap to `200s` x `100s` (I'm simplifying: there's stepping sizes) and now users can resize their browser, go full-screen, toggle on/off the inspector, find bar, bookmarks toolbar, sidebar, etc. Go nuts with it! While there will be more "buckets" Tor Browser users fall into, it is still limited and increases usability.

 Letterboxing makes this issue about CSS `@media` a moot point - no matter what you do, your CSS media inner window measurements will be protected (excluding as you transition from one size to another = not a leak).

 Please close the ticket.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31206#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
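
The bucketing effect described in the comment above, as an added example that is not part of the original ticket and is not Tor Browser code. It uses the comment's simplified 200 x 100 snapping (real letterboxing uses stepping sizes); the probe set, window sizes and function names are constructed for illustration.

```javascript
// Added example. Simplified model from the comment: the inner window snaps
// to multiples of 200px x 100px (real letterboxing uses stepping sizes).
const STEP_W = 200, STEP_H = 100;

// Content area that CSS sees once letterboxing has added margins.
function letterbox(win) {
  return {
    width: Math.floor(win.width / STEP_W) * STEP_W,
    height: Math.floor(win.height / STEP_H) * STEP_H,
  };
}

// Evaluate a small subset of @media syntax: px conditions joined by "and".
function matchesMedia(query, vp) {
  return query.split(/\s+and\s+/).every((cond) => {
    const m = /^\((min-|max-)?(width|height):\s*(\d+)px\)$/.exec(cond.trim());
    if (!m) throw new Error("unsupported condition: " + cond);
    const value = vp[m[2]], limit = Number(m[3]);
    if (m[1] === "min-") return value >= limit;
    if (m[1] === "max-") return value <= limit;
    return value === limit;
  });
}

// Constructed probe set: one min-width and one min-height rule per step.
function buildProbes(maxPx, stepPx) {
  const probes = [];
  for (let px = stepPx; px <= maxPx; px += stepPx) {
    probes.push(`(min-width: ${px}px)`, `(min-height: ${px}px)`);
  }
  return probes;
}

// What a CSS-only observer learns: the list of rules that matched.
function observe(probes, vp) {
  return probes.filter((q) => matchesMedia(q, vp)).join(",");
}

// Number of distinct observations across a population of window sizes.
function countBuckets(windows, probes, protect) {
  const seen = new Set();
  for (const w of windows) seen.add(observe(probes, protect ? letterbox(w) : w));
  return seen.size;
}

// Constructed sample: five users who resized their windows.
const SAMPLE_WINDOWS = [
  { width: 1237, height: 843 }, { width: 1385, height: 899 }, { width: 1204, height: 801 },
  { width: 1610, height: 955 }, { width: 1799, height: 912 },
];
```

With 10px probes, `countBuckets(SAMPLE_WINDOWS, buildProbes(2000, 10), false)` separates all five windows, while the same call with `protect` set to `true` leaves only the 1200 x 800 and 1600 x 900 buckets.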
