Bug 1298116
Opened 8 years ago
Closed 8 years ago
To enhance privacy, don't reveal screen dimensions or window position
Categories
(Core :: DOM: CSS Object Model, defect)
RESOLVED DUPLICATE of bug 418986
| | Tracking | Status |
|---|---|---|
| firefox51 | --- | affected |
People
(Reporter: mozilla, Unassigned)
Details
(Keywords: privacy)
Firefox currently exposes (directly or via trivial calculations) the following information via CSSOM:
* The dimensions of the user's physical screen.
* The location of the browser's window within the screen.
* The total size of the OS's taskbars/menubars/toolbars.
Webpages have no business knowing these things, and I have been unable to come up with any good technical reason they would need to know these things. Only the size of the browser's viewport ought to be relevant to them.
(The size of the screen is relevant in Fullscreen Mode, but in that case the viewport becomes identical to the screen, so again, only the viewport is necessary.)
This information exposes unnecessary fingerprinting vectors, which can aid infringement of the user's privacy.
The CSSOM specification has been recently updated to allow browsers to plug these privacy holes:
https://github.com/w3c/csswg-drafts/commit/dc36ecd7a46b173f958dafa736a84eb9753afb7b
It would be great if Firefox was updated to follow the more privacy-respecting versions of the relevant newly-defined CSSOM terms.
This amounts to pretending, for the purposes of the APIs in question, that the physical screen exactly consists of just the viewport and that there's no chrome/toolbars.
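The exposure listed in this report and the viewport-only behaviour it asks for, as an added example that is not part of the original report and is not Firefox or specification code. The function names, the sample window object, and the exact property-by-property mapping in `viewportOnlyView` are assumptions made for illustration.

```javascript
// Added illustration (not Firefox or CSSOM spec code). `win` is any object
// shaped like a browser Window; in a page you would pass `window`.

// What a page can derive today from the CSSOM View properties.
function exposedLayout(win) {
  const s = win.screen;
  return {
    screenSize: [s.width, s.height],
    windowPosition: [win.screenX, win.screenY],
    // Space taken by OS taskbars/menubars: full screen minus available area.
    osBars: [s.width - s.availWidth, s.height - s.availHeight],
    // Browser chrome/toolbars: outer window minus viewport.
    browserChrome: [win.outerWidth - win.innerWidth,
                    win.outerHeight - win.innerHeight],
  };
}

// Model of the requested behaviour: the screen "is" the viewport, the window
// sits at its origin, and there is no chrome. Mapping each property this way
// is an assumption based on the report's wording.
function viewportOnlyView(win) {
  const w = win.innerWidth, h = win.innerHeight;
  return {
    screen: { width: w, height: h, availWidth: w, availHeight: h },
    screenX: 0, screenY: 0,
    outerWidth: w, outerHeight: h,
    innerWidth: w, innerHeight: h,
  };
}

// Constructed sample: 1920x1080 display, 40px OS taskbar, 80px browser chrome.
const sampleWindow = {
  screen: { width: 1920, height: 1080, availWidth: 1920, availHeight: 1040 },
  screenX: 100, screenY: 50,
  outerWidth: 1280, outerHeight: 800,
  innerWidth: 1280, innerHeight: 720,
};

console.log("exposed:", exposedLayout(sampleWindow));
console.log("viewport-only:", exposedLayout(viewportOnlyView(sampleWindow)));
```

Running `exposedLayout(window)` in a browser console before and after a mitigation is enabled shows which of the four derived values still leak.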
See Also: → https://bugs.webkit.org/show_bug.cgi?id=161227
Comment 1•8 years ago
We already have "privacy.resistFingerprinting".
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
"privacy.resistFingerprinting" does more than just hide the screen resolution from web content; it also lies about the screen density, which means users with HiDPI screens would get low-resolution images served to them instead of high-resolution ones.
Comment 3 • 8 years ago (Reporter)
The thought here was that these APIs are useless/unpopular/disfavored enough that it would be safe to neuter them by default, rather than making it opt-in like "privacy.resistFingerprinting".
I'm rather surprised that Mozilla, the self-styled vanguard of user privacy, gave the coldest reaction out of the FOSS browser vendors.
WebKit seemed positive by comparison: https://twitter.com/smfr/status/769006160602988545