privacy.resistFingerprinting: UA header, upstream Tor 26146
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
People
(Reporter: simon.mainey, Assigned: tjr)
References
(Blocks 1 open bug, Regressed 2 open bugs)
Details
(Whiteboard: [tor][fingerprinting][domsecurity-backlog1][fp-triaged])
Attachments
(3 files, 1 obsolete file)
(deleted),
image/png
|
Details | |
(deleted),
patch
|
baku
:
review+
timhuang
:
review+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
RyanVM
:
approval-mozilla-esr60+
|
Details | Diff | Splinter Review |
Reporter | ||
Comment 1•6 years ago
|
||
Assignee | ||
Updated•6 years ago
|
Updated•6 years ago
|
Updated•6 years ago
|
Updated•6 years ago
|
Updated•6 years ago
|
Comment 4•6 years ago
|
||
IIUC, the whole point for Tor 26146 is for fixing the keyboard shortcuts if we spoof the OS. If that so, we have another option here, we can spoof the modifier state "Meta" in MAC into a "Ctrl" state in keyboard events. With this, we can spoof the OS for not only the HTTP header but also navigator.userAgent and the keyboard shortcuts can still work.
Assignee | ||
Comment 5•6 years ago
|
||
(In reply to Tim Huang[:timhuang] from comment #4)
IIUC, the whole point for Tor 26146 is for fixing the keyboard shortcuts if we spoof the OS. If that so, we have another option here, we can spoof the modifier state "Meta" in MAC into a "Ctrl" state in keyboard events. With this, we can spoof the OS for not only the HTTP header but also navigator.userAgent and the keyboard shortcuts can still work.
Chatted with Tim about this: I am in agreement (and he had a WIP for the keyboard spoofing). However, I'm still going to submit this code for review and hopefully esr60 uplift because:
- It would be good to stay in sync with Tor to the extent possible
- We're not sure when we will get to the keyboard spoofing work (it will be several months at least)
- I just finished the code and I think/hope it's going to work when I test it
- I got called out on it over here: https://trac.torproject.org/projects/tor/ticket/26146#comment:73
So assuming there are no hiccups with my patch I will submit it soon and file a followup for the spoofing.
Assignee | ||
Comment 6•6 years ago
|
||
Assignee | ||
Comment 7•6 years ago
|
||
Updated•6 years ago
|
Updated•6 years ago
|
Assignee | ||
Updated•6 years ago
|
Assignee | ||
Comment 8•6 years ago
|
||
Comment on attachment 9035408 [details] [diff] [review]
Bug 1509829 - Spoof OS in HTTP User-Agent header for desktop platforms r?baku
Tim if this looks good to you, I'll send it in!
Comment 9•6 years ago
|
||
Assignee | ||
Updated•6 years ago
|
Assignee | ||
Updated•6 years ago
|
Comment 10•6 years ago
|
||
Pushed by btara@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/dcd5dfecc7b0
Spoof OS in HTTP User-Agent header for desktop platforms r=timhuang,baku
Comment 11•6 years ago
|
||
bugherder |
Assignee | ||
Comment 12•6 years ago
|
||
[ESR Uplift Approval Request]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: Tor patch backport
User impact if declined: Tor will need to carry an additional patch
Fix Landed on Version: 66.0a1 / 20190110214210
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): The code only affects the Resist Fingerprinting mode; is small, and has a test.
String or UUID changes made by this patch:
Comment 13•6 years ago
|
||
I'd rather punt on this for 60.5esr so we don't ship this on esr before release. Leaving the approval request in place for 60.6.
Comment 14•6 years ago
|
||
Comment 15•6 years ago
|
||
bugherder uplift |
Description
•