#33534: Review FF release notes from FF69 to latest (FF73)
--------------------------------------+--------------------------------
 Reporter:  pospeselr                 |          Owner:  pospeselr
     Type:  defect                    |         Status:  assigned
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:  12
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:  Sponsor58-must
--------------------------------------+--------------------------------
Changes (by pospeselr):

 * actualpoints:   => 12

Comment:

 {{{
 Release notes:

 69:
   Enhanced Tracking Protection
   - I believe we want to turn this off
   Web Authentication HmacSecret extension via Windows Hello (for Windows 10 versions > May 2019)
   - suspect this feature violates our disk avoidance requirements
   32-bit Firefox on 64-bit OS users no longer differentiable from 64-bit Firefox on 64-bit OS
   - navigator.userAgent, navigator.platform, navigator.oscpu props
   - https://bugzilla.mozilla.org/show_bug.cgi?id=1559747
   userChrome.css and userContent.css no longer enabled by default
   - sure users will probably complain about this but seems like a good thing
   - toolkit.legacyUserProfileCustomizations.stylesheets -> true to re-enable
 69.0.1:
 69.0.2:
 69.0.3:
   Seems like Firefox hooks into Windows Parental Controls (though they are removed in newer versions of Windows 10?)
   - I would think our build should stub out parental controls and logging if we don't do this already
   - https://bugzilla.mozilla.org/show_bug.cgi?id=1584613
   - also has implementation for android and macos
 70:
   Firefox Lockwise (about:logins)
   - violates disk avoidance
   'Gift' icon in toolbar that spams users with feature updates/news
 70.0.1:
 71:
   Picture-in-Picture video
   - this feature is pretty awesome, but we should make sure it doesn't expose fingerprinting surface
   - can be toggled off with media.videocontrols.picture-in-picture.enabled
 72:
 72.0.1:
 72.0.2:
 73:
   Enhancement to Windows' High Contrast Mode, web renderer now adds 'readability backplate' of solid color between background and text
   - possible fingerprinting vector?
 73.0.1:
 74:

 Developer release notes

 69:
   Lithuanian specific case rules (also exists for Greek, Dutch, others), locale fingerprinting
   - https://bugzilla.mozilla.org/show_bug.cgi?id=1322992
   add-on api topsites.get() certainly seems sketchy af: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/topSites/get
   - updated to add includePinned and includeSearchShortcuts options
 70:
 71:
 72:
 73:
 74:
   TextMetrics interface updated, canvas fingerprinting?
   - https://bugzilla.mozilla.org/show_bug.cgi?id=1102584
 75:

 Noteworthy Tickets:

 69:
   1584613 - Parental control detection doesn't work on Windows 10
   - make sure parental access checks are always disabled
   1559747 - User-Agent string needn't reveal a user is running 32-bit Firefox on a 64-bit OS
   - make sure this is also true for Tor Browser if it isn't already
   1561307 - Add pref to enable/disable the What's New Panel feature
   - make sure this panel is disabled
 70:
   1570732 - Disable DoH if parental controls detected
   - followup on 1584613 to ensure we don't have parental controls in Tor Browser
   1561273 - network ID: ipv4NetworkId/scanArp returns gateway IP instead of its MAC
   - certainly seems like we shouldn't have runnable code that can read the user's IP or MAC
   1563319 - Enable the What's New UI when pref is enabled
   - make sure this is disabled
   1572389 - Add pref to show normal lock icon for sites with EV (Extended Validation) certificates
   - so looks like we can bring back full EV names if we so wish
   1576246 - Set pref browser.urlbar.eventTelemetry.enabled by default
   - make sure this is disabled
   1567826 - Don't mark localhost as insecure
   - this should be fine but the patch does touch the url icon logic
   1572936 - Move EV cert UI out of URL Bar
   - security.identityblock.show_extended_validation pref for showing EV in url bar, we may want to enable this for onionsites?
 71:
   1539212 - implement readability backplate for high contrast mode
   - probably fingerprinting vector for folks with high contrast mode enabled as it adds a new rendering layer
   1585920 - network ID: fix VPN detection on Linux for non ethernet devices
   - seems like we would never want to calculate a fingerprintable 'Network ID' in tor-browser, though I'm not sure what this is or what it does ( about:networking#networkid )
   1565004 - TRR: Check for VPN on Windows to use platform DNS
   - make sure there's no leakage here
 72:
 73:
   1604761 - Firefox doesn't apply gnome "Large Text" accessibility setting to web content
   - we probably don't want this fix if it can be used for fingerprinting?
   1602194 - Use a site's icon as the window icon on Windows
   - We probably don't want to do this, esp if we do the work to hide the tab title from the window manager
   1604932 - Implement a Top Sites provider
   - seems like it offers site suggestions or tracks your browsing or something
   1602187 - Cache site icons for use when the site is not loaded.
   - we need to make sure we're not doing this/that this does not occur for in private tabs
 74:
 75:
   1532486 - Ensure media cache is memory-only when in Private Browsing Mode
   - we need to enable browser.privatebrowsing.forceMediaMemoryCache pref
   1614769 - Cache shaders to disk even if they are compiled after the 10th frame
   - make sure these don't get cached when in private browsing mode
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33534#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
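
Added example, not part of the ticket or of Tor Browser's code: a Python audit of a Firefox prefs file against the prefs named in the comment above, separating a wrong value from a pref that is simply unset. The expected values are this example's reading of the notes ("make sure this is disabled", "we need to enable"), and the sample profile is constructed.

```python
import re

# Prefs named in the ticket comment with the value its notes ask for. Mapping
# "make sure this is disabled" to False is this example's reading, not a spec.
WANTED = {
    "browser.urlbar.eventTelemetry.enabled": False,
    "browser.privatebrowsing.forceMediaMemoryCache": True,
    "media.videocontrols.picture-in-picture.enabled": False,
    "toolkit.legacyUserProfileCustomizations.stylesheets": False,
}
PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: value}; a later line overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text, wanted=WANTED):
    """Classify each wanted pref; `is` keeps 0 or "false" from passing as False."""
    prefs = parse_prefs(text)
    report = {}
    for name, want in wanted.items():
        if name not in prefs:
            report[name] = "unset"  # build default applies; check it separately
        else:
            report[name] = "ok" if prefs[name] is want else "wrong"
    return report

# Constructed sample, not a real Tor Browser profile.
SAMPLE = '''\
user_pref("browser.urlbar.eventTelemetry.enabled", true);
user_pref("browser.privatebrowsing.forceMediaMemoryCache", true);
user_pref("media.videocontrols.picture-in-picture.enabled", true);
user_pref("media.videocontrols.picture-in-picture.enabled", false); // later wins
// user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true);
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An "unset" result means the value comes from the build's defaults, which this script does not read.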