Open Bug 1450401 Opened 7 years ago Updated 2 years ago

mozFullScreen leaks exact screen resolution

Categories: Core :: Window Management, enhancement, P3
Tracking Status: firefox61 --- affected
People: Reporter: tjr, Unassigned
References: Blocks 1 open bug
Whiteboard: [fingerprinting][fp-triaged]
Attachments: 1 file

Attached file POC.html (deleted)

Using mozFullScreen and any user interaction, a malicious website can send you into fullscreen and grab the window dimensions (and then kick you out of fullscreen if they want to). We have a few options here. The fullscreen API is asynchronous, so we could throw a permission prompt before going into fullscreen if one is in Resist Fingerprinting mode. Alternately, we could resolve Bug 1407366. Given that this leaks the screen resolution, and those dimensions are not unique per user, this is a leak we want to fix, but not an extraordinary leak. Statistics: https://hardware.metrics.mozilla.com/
I don't think Bug 1407366 is a good fit for this because it would block FS, which is specifically what end users want, e.g. on signed-in accounts such as Netflix watching videos. This would cause a barrier to uptake IMO. +1 for permission prompt (also see: maximizing the screen warning prompt - Bug 1403747). I can see prompt fatigue becoming an issue. Not that I want users to easily forget/bypass all prompts, otherwise the whole purpose of warning them is pointless. But consider users who repeatedly go FS on e.g. Netflix, YouTube etc. Suggest that we use site exceptions similar to canvas, default ask. I wonder what Arthur thinks?
Wouldn't it be better to disable access to the window dimensions in this case if privacy.resistFingerprinting is set to true?

Edit: Probably that would not work so well, as sites might then get the dimensions with other tricks (like creating a 100% wide element), and trying to disable read access to all related attributes would then pretty much break things (I assume this is also the reason why the window dimensions are currently normalized with privacy.resistFingerprinting set to true).
(In reply to Simon Mainey from comment #1)

> I don't think Bug 1407366 is a good fit for this because it would block FS,
> which is specifically what end users want, eg on signed in accounts such as
> Netflix watching videos. This would cause a barrier to uptake IMO.

In principle, Bug 1407366 doesn't block fullscreen -- it merely modifies it. In fullscreen mode, the viewport would be restricted to rounded dimensions, so that some extra space around the outside would be left "black". We could also magnify this viewport such that we have "letterbox" or "pillbox" mode.

> I wonder what Arthur thinks?

In the long term, I would prefer a solution like 1407366. But if we want a stopgap with a warning/permission dialog, that seems reasonable to me.
(In reply to Arthur Edelstein (Tor Browser dev) [:arthuredelstein] from comment #4)

> In principle, Bug 1407366 doesn't block fullscreen -- it merely modifies it.
> In fullscreen mode, the viewport would be restricted

Ahh, the viewport. Got it. I keep forgetting we have two hats here, Firefox and TBB. Enforcing behavior in TBB is fine, but creating blocks to uptake in Firefox is problematic. Letterboxing the viewport will upset users. For FF the prompt/permission is more than enough IMO.
Priority: P5 → P3
Whiteboard: [fingerprinting] → [fingerprinting][fp-triaged]

(In reply to Arthur Edelstein [:arthur] from comment #4)

> In principle, Bug 1407366 doesn't block fullscreen -- it merely modifies it.
> In fullscreen mode, the viewport would be restricted to rounded dimensions,
> so that some extra space around the outside would be left "black". We could
> also magnify this viewport such that we have "letterbox" or "pillbox" mode.

Note that letterboxing (Bug 1407366) does not address this issue - see Tor Ticket https://trac.torproject.org/projects/tor/ticket/32713

After testing the letterboxing now for a while via privacy.resistFingerprinting.letterboxing set to true and noticing that it does not apply on fullscreen mode here are my thoughts about this:

(In reply to Simon Mainey from comment #7)

> Note that letterboxing (Bug 1407366) does not address this issue - see Tor Ticket https://trac.torproject.org/projects/tor/ticket/32713

From my understanding it currently does not address this issue because letterboxing is simply not being applied to fullscreen content (and not for other technical reasons), but it would address this issue if letterboxing were applied to fullscreen content. Feel free to correct me if I'm wrong here.

So we have 3 options:

  1. Permission dialog when entering fullscreen.
  2. Letterboxing on fullscreen.
  3. Letting the user decide via a setting in about:config to choose option 1 or 2.
  • The first solution has the disadvantage that it requires offering fingerprintable entropy to the website if the user decides to watch fullscreen content - this effectively locks users who don't want this out of that content.
  • The second solution just adds the letterboxing (as we currently have for non-fullscreen) to fullscreen content. Sites/video players will just work transparently as usual, and it should not even upset users additionally, since any other web content is already letterboxed for them anyway - this is even what they probably would expect. This solution would also offer less fingerprintable entropy to a website when watching fullscreen content.
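To make option 2 concrete, here is an added example (not code from this bug, Firefox or Tor Browser) of the rounding that letterboxing applies: the fullscreen viewport is shrunk to the largest size whose width and height are multiples of a step, and the leftover space becomes black margins, so a page reading the viewport in fullscreen sees the rounded size rather than the exact screen resolution. The 200x100 step and the list of screen sizes are constructed assumptions for illustration, not the values the browsers use.

```javascript
// Added example: letterboxing applied to a fullscreen viewport.
// Step sizes are an assumption for illustration, not Firefox's or
// Tor Browser's actual values.
const STEP_W = 200;
const STEP_H = 100;

// Round a screen-sized viewport down to the nearest step and report the
// black margins left around it. Screens smaller than one step are kept
// as-is so the content area never collapses to zero.
function letterboxViewport(screenW, screenH, stepW = STEP_W, stepH = STEP_H) {
  const width = screenW < stepW ? screenW : Math.floor(screenW / stepW) * stepW;
  const height = screenH < stepH ? screenH : Math.floor(screenH / stepH) * stepH;
  return { width, height, marginX: screenW - width, marginY: screenH - height };
}

// Constructed sample of distinct physical screen sizes (not survey data).
const SAMPLE_SCREENS = [
  [1366, 768], [1360, 768], [1280, 720], [1440, 900], [1536, 864],
  [1600, 900], [1680, 1050], [1920, 1080], [1920, 1200], [2560, 1440],
];

// Count how many distinct viewport sizes a page would observe in fullscreen
// across the sample, with and without letterboxing. Fewer distinct values
// means less fingerprintable entropy.
function distinctSizes(screens, lettered) {
  const seen = new Set();
  for (const [w, h] of screens) {
    const v = lettered ? letterboxViewport(w, h) : { width: w, height: h };
    seen.add(`${v.width}x${v.height}`);
  }
  return seen.size;
}
```

With the constructed sample, three common laptop sizes (1366x768, 1360x768, 1280x720) collapse to the same 1200x700 viewport, while the exact sizes are all distinct.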
Severity: normal → S3