Neutralize the threat of fingerprinting of geolocation API when 'privacy.resistFingerprinting' is true

RESOLVED FIXED in Firefox 56

Status

()

enhancement
P1
normal
RESOLVED FIXED
2 years ago
a year ago

People

(Reporter: timhuang, Assigned: timhuang)

Tracking

(Blocks 1 bug)

unspecified
mozilla56
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox56 fixed)

Details

(Whiteboard: [fingerprinting][tor][fp:m2])

Attachments

(2 attachments)

(Assignee)

Description

2 years ago
The geolocation API can show the location of a given user, which is a fingerprinting vector. So, we want to find a way to nerturalize the possibility of fingerprinting when 'privacy.resistFingerprinting' is on.

Although, it requires the permission from the user to access this API. But, if users have granted this permission before 'privacy.resistFingerprinting' is on, then the website can still access this API without informing the user. Or a user may grant this incautiously. Both cases are what we don't want to see when 'privacy.resistFingerprinting' is on. 

Ehsan has suggested that we can use a similar way of Bug 1072859 that throwing an exception when the API entry points are called.
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)

Comment 3

2 years ago
mozreview-review
Comment on attachment 8886081 [details]
Bug 1372069 - Part 1: Disable Geolocation when 'privacy.resistFingerprinting' is true.

https://reviewboard.mozilla.org/r/156888/#review162004
Attachment #8886081 - Flags: review?(bugs) → review+

Comment 4

2 years ago
mozreview-review
Comment on attachment 8886082 [details]
Bug 1372069 - Part 2: Add a test case for making sure geolocation API has been disabled correctly when 'privacy.resistFingerprinting' is true.

https://reviewboard.mozilla.org/r/156890/#review162006
Attachment #8886082 - Flags: review?(bugs) → review+
Comment hidden (mozreview-request)

Comment 6

2 years ago
mozreview-review
Comment on attachment 8886081 [details]
Bug 1372069 - Part 1: Disable Geolocation when 'privacy.resistFingerprinting' is true.

https://reviewboard.mozilla.org/r/156888/#review162330
Attachment #8886081 - Flags: review?(arthuredelstein) → review+

Comment 7

2 years ago
mozreview-review
Comment on attachment 8886082 [details]
Bug 1372069 - Part 2: Add a test case for making sure geolocation API has been disabled correctly when 'privacy.resistFingerprinting' is true.

https://reviewboard.mozilla.org/r/156890/#review162332
Attachment #8886082 - Flags: review?(arthuredelstein) → review+
Priority: -- → P1

Comment 9

2 years ago
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/a450b50c2222
Part 1: Disable Geolocation when 'privacy.resistFingerprinting' is true. r=arthuredelstein,smaug
https://hg.mozilla.org/integration/autoland/rev/5cc6976b59ce
Part 2: Add a test case for making sure geolocation API has been disabled correctly when 'privacy.resistFingerprinting' is true. r=arthuredelstein,smaug
Keywords: checkin-needed

Comment 10

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/a450b50c2222
https://hg.mozilla.org/mozilla-central/rev/5cc6976b59ce
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
See Also: → 1403813
Verified on Mac OS 10.12.6 with Nightly 58.0a1 (2017-10-25) (64-bit)

Verification steps:
##### Test case 1:
1. Go to https://www.w3schools.com/html/tryit.asp?filename=tryhtml5_geolocation
2. Click on "Try it"
3. In the pop-up, allow website to receive your location

Expected result:
The website displays your correct location

Actual result:
Same as expected result.


##### Test case 2:
1. Go to https://www.w3schools.com/html/tryit.asp?filename=tryhtml5_geolocation
2. Click on "Try it"
3. In the pop-up, allow website to receive your location, and check the "Remember this decision" checkbox

Expected result:
The website displays your correct location

Actual result:
Same as expected result.



##### Test case 3:
1. Set preference parameter privacy.resistFingerprinting to true
2. Go to https://www.w3schools.com/html/tryit.asp?filename=tryhtml5_geolocation
3. Click on "Try it"

Expected result:
No pop-up asking for location permission is displayed. Website is unable to print your location

Actual result:
Same as expected result.
You need to log in before you can comment on or make changes to this bug.