Open Bug 1377744 Opened 2 years ago Updated 4 months ago

privacy.resistfingerprinting's UTC timezone should not affect extensions

Categories

(WebExtensions :: General, defect, P3)

55 Branch
defect

Tracking

(Not tracked)

People

(Reporter: ke5trel, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [fp-triaged][alarms][fingerprinting])

Installed Grandfather Fox WebExtension and noticed it had the wrong time and was using UTC.

https://addons.mozilla.org/en-US/firefox/addon/grandfather-fox/

This particular extension gets the time in a background script.

Extensions should not be affected by anti-fingerprinting measures.
Blocks: 1330890
Whiteboard: [fingerprinting]
Component: General → Add-ons Manager
Product: Core → Toolkit
Component: Add-ons Manager → WebExtensions: General
(In reply to Kestrel from comment #0)
> Installed Grandfather Fox WebExtension and noticed it had the wrong time and
> was using UTC.
> https://addons.mozilla.org/en-US/firefox/addon/grandfather-fox/
> This particular extension gets the time in a background script.
> Extensions should not be affected by anti-fingerprinting measures.

Hi Kestrel,

The pref privacy.resistfingerprinting is off by default.
Did you turn on this pref manually?

Add Tim to CC.  He did the timezone fingerprinting patch in bug 1330890.
Flags: needinfo?(kestrel)
Priority: -- → P3
Whiteboard: [fingerprinting] → [fingerprinting][alarms]
Yes I enabled privacy.resistfingerprinting manually and I expected it to break websites but not extensions. Another more notable example is the Snooze Tabs Test Pilot Experiment which fails to restore tabs at the expected time.
Flags: needinfo?(kestrel)
Thanks for the confirmation.

We plan to fix this issue by two steps:
1. Write a test case to make sure every timezone value has been spoofed correctly.
2. Move the implementation from TZ value to JavaScript level.

We could file a new bug for step 1, or do it in this bug.
I'll let Tim make the decision.
Assignee: nobody → tihuang
Whiteboard: [fingerprinting][alarms] → [fingerprinting-breakage][alarms]
Product: Toolkit → WebExtensions
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [fingerprinting-breakage][alarms] → [alarms]
Whiteboard: [alarms] → [alarms][fingerprinting]
Whiteboard: [alarms][fingerprinting] → [fp-triaged][alarms][fingerprinting]
Assignee: tihuang → nobody
Status: ASSIGNED → NEW
Have folks thought about how this interacts with extensions such as 
Change Timezone (Time Shift)
and Spoof Timezone?

(I'm thinking about trade-offs, as being on UCT time certainly was very confusing before I figured out (by googling) why webmail and such were showing confusing times, but I understand the benefit, and maybe it'll be far less confusing now that I can expect it!)
(In reply to Matthew Elvey from comment #4)
> Have folks thought about how this interacts with extensions such as 
> Change Timezone (Time Shift)
> and Spoof Timezone?

Good question. I think, just like UA spoofing extensions can be used to override RFP, Time Spoofing extensions do the same, because they are the last to modify the data going out? Maybe you could do a test? If this was the case, then an extension with whitelisting would allow users to not get confused with various sites such as venue/concert/show times, gmail timestamps etc. Or maybe at some stage RFP will build in a site permission same as they did with Canvas, see Bug 1426232

But that's all to do with websites. This ticket is about RFP features not impacting extensions themselves, see Bug 1450398
You need to log in before you can comment on or make changes to this bug.