[resistFingerprinting] Performance API spoofing prevents site from loading login scripts
Categories
(Core :: DOM: Security, defect, P3)
Tracking
()
People
(Reporter: ke5trel, Unassigned)
References
(Blocks 1 open bug, Regression, )
Details
(Keywords: regression, Whiteboard: [fingerprinting] [sci-exclude][domsecurity-backlog1])
STR:
- Set
privacy.resistFingerprinting.enabled = true. - Visit <NSFW> https://pornhub.com/login </NSFW>.
- Click on the login button (no account required).
Expected:
Error appears: "Invalid username/password!"
Actual:
Nothing happens, login button is disabled. The login script (front-login.js) is not loaded, nor are many other scripts. The site assumes that if window.performance is defined then performance.timing.loadEventEnd will be greater than zero at some point but that never happens with resistFingerprinting.
timings-1.0.0.js:
if (c.loadEventEnd > 0) {
for (var d in b.callbacks) {
if (b.callbacks.hasOwnProperty(d)) {
b.callback(b.callbacks[d])
}
}
}
|
||
Comment 2•5 years ago
|
||
This is a breakage caused by fingerprinting resistance. We intentionally spoof the performance timing to 0 when fingerprinting resistance is on in order to not expose the performance timing as a fingerprinting vector. I think maybe we can spoof the value into a different one instead of zero if zero causes breakages like this. But, we need to discuss this before we get into a conclusion.
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
||
Updated•4 years ago
|
|
||
Updated•3 years ago
|
Description
•