privacy.resistFingerprinting and -moz- colors
Categories
(Core :: Widget, defect, P3)
People
(Reporter: simon.mainey, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [fingerprinting][tor])
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Steps to reproduce:
See bug 1485266 which standardized all RFP users to return the same system colors
But we didn't account for -moz-* values, such as -moz-ButtonDefault
Actual results:
Different fingerprints based on device. I only compared my FF on windows 7 to FF and TB on android (and while the two android tests were the same, the two OSes were different). Not sure if the entropy is only limited by OS, or other factors such as system themes, desktop environments etc. I haven't gone down that rabbit hole yet.
Expected results:
Notes:
- you can see the list of items here, about 35 lines down:
view-source:https://ghacksuserjs.github.io/TorZillaPrint/js/css.js
- you can test using: https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#css
Comment 1•5 years ago (Reporter)
Tom, please close as invalid if you're happy there's nothing to see here (I'm only 99% sure)
my Windows 7, vanilla profiles
- without RFP
  - 49de5ccbfdfc76f551f9f1ff23ca46352b501043: ESR60
  - d0e261da410a50d4491eaa530d7117b2a6bcd7a7: FF ESR68, FF60-73
- with RFP
  - 79b2d7db46565b0503169bc3b30897ef6eb8ec9b: ESR68, FF67-69, TB 8.5.5 (using stand-in for native colors), TB 9.*
  - 74825deab2c0f174bf3c1f2ae190598c1133ee9a: FF70-73
- Android Firefox (with RFP) and TB (ESR68)
  - 79b2d7db46565b0503169bc3b30897ef6eb8ec9b = matches ESR68 Windows desktop
Observations
- since flipping RFP (or stand-ins for native colors) changes the fingerprint, some or all of these -moz- colors are already covered
- with RFP/stand-ins, there are changes starting on 70. My best guess is something got deprecated? Same with why ESR60 is different from FF60, something got backported during the ESR cycle?
- between my windows and android there wasn't a difference
- so I guess this is a false alarm, right? i.e I can't see entropy on the same version across platforms (limited platform tests)
Note: I did each test in a new tab when flipping RFP
- Here is my Windows 7, FF71 showing 4 different results
  - RFP off, load test page = d0e261da410a50d4491eaa530d7117b2a6bcd7a7 = correct
  - turn RFP on, refresh (F5 or even ctrl-F5) = 79b2d7db46565b0503169bc3b30897ef6eb8ec9b = wrong
  - leave RFP on, use a new tab (tab2), load test = 74825deab2c0f174bf3c1f2ae190598c1133ee9a = correct
  - turn RFP off, stay on tab2, refresh (F5 or ctrl-F5) = 48465e7b3044a7dfa8d030fedded817ffe5444f3 = wrong
Seems weird that the tab seems to cache some values but not others.
Comment 2•5 years ago
The standins stuff does handle -moz-ButtonDefault, fwiw: https://searchfox.org/mozilla-central/rev/62a130ba0ac80f75175e4b65536290b52391f116/widget/nsXPLookAndFeel.cpp#634
Not sure if it handles all the relevant ones but it looks like we'll never get to NativeGetColor when using standins: https://searchfox.org/mozilla-central/rev/62a130ba0ac80f75175e4b65536290b52391f116/widget/nsXPLookAndFeel.cpp#911
Comment 3•5 years ago
Also this should probably be in "CSS Parsing and Computation" or "Widget", the "GFX: Color Management" component is about this other kind of color management :)
Comment 4•5 years ago (Reporter)
There's something going on here. My FF71 with RFP reports 74825deab2c0f174bf3c1f2ae190598c1133ee9a which seems inconsistent. Note this is not a vanilla profile (and I have a few tweaks, but nothing that should affect this AFAIK)
Comment 5•5 years ago (Reporter)
^^ sorry .. that is correct for FF70+ .. mixing my TB/ESR with stable+
Comment 6•5 years ago
Moving to Widget as per comment 3.
Comment 7•5 years ago
The priority flag is not set for this bug.
:jimm, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 8•5 years ago
anti-fingerprinting isn't a priority for us, but we welcome user contributions.
Comment 10•5 years ago (Reporter)
following on from CSS4 system colors: I changed https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#css to split CSS4 system colors out: and show the results under details
Is LinkText an alias for a moz preset color? I get a different color with 76 nightly Android compared to Windows. The only other one that is different is VisitedText: but RFP covers that. RFP does not cover LinkText. All the other CSS4 system colors seem to be the same.
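The per-keyword comparison described in comment 10, as an added example that is not part of the bug thread or of TorZillaPrint: `captureColors` reads the computed value of each keyword in a browser, and `varyingKeywords` lists the keywords whose value differs between captures. The function names and all color values are assumptions constructed for illustration.

```javascript
// Added example. Keyword names are from the thread; all color values are constructed.
const KEYWORDS = ["-moz-ButtonDefault", "LinkText", "VisitedText"];

// Browser only: resolve each keyword to the rgb() string a page script can read.
function captureColors(keywords, doc) {
  const el = doc.createElement("div");
  doc.body.appendChild(el);
  const out = {};
  for (const kw of keywords) {
    el.style.color = "";   // reset, so a rejected keyword leaves the property empty
    el.style.color = kw;
    out[kw] = el.style.color === ""
      ? "unsupported"
      : doc.defaultView.getComputedStyle(el).color;
  }
  el.remove();
  return out;
}

// Keywords whose value is not identical in every capture; each one carries entropy.
function varyingKeywords(captures) {
  const labels = Object.keys(captures);
  const all = new Set(labels.flatMap((l) => Object.keys(captures[l])));
  return [...all].sort().filter((kw) => {
    const seen = new Set(labels.map((l) => captures[l][kw] ?? "missing"));
    return seen.size > 1;
  });
}

// Constructed captures shaped like the result in comment 10 (not real measurements).
const RFP_OFF = {
  windows: { "-moz-ButtonDefault": "rgb(0, 0, 0)", LinkText: "rgb(0, 0, 238)", VisitedText: "rgb(85, 26, 139)" },
  android: { "-moz-ButtonDefault": "rgb(0, 0, 0)", LinkText: "rgb(0, 102, 204)", VisitedText: "rgb(102, 0, 153)" },
};
const RFP_ON = {
  windows: { "-moz-ButtonDefault": "rgb(0, 0, 0)", LinkText: "rgb(0, 0, 238)", VisitedText: "rgb(85, 26, 139)" },
  android: { "-moz-ButtonDefault": "rgb(0, 0, 0)", LinkText: "rgb(0, 102, 204)", VisitedText: "rgb(85, 26, 139)" },
};

console.log("RFP off:", varyingKeywords(RFP_OFF));
console.log("RFP on: ", varyingKeywords(RFP_ON));
```

In a browser, call `captureColors(KEYWORDS, document)` on each platform and pass the saved results to `varyingKeywords`; as comment 1 notes, take each capture in a new tab after flipping RFP.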