Keyboard layout still leaked by keydown/keyup event "which" value

RESOLVED FIXED in Firefox 60

Status

defect
P2
normal
RESOLVED FIXED
2 years ago
5 months ago

People

(Reporter: ke5trel, Assigned: arthur)

Tracking

(Blocks 1 bug)

60 Branch
mozilla60

Firefox Tracking Flags

(firefox60 fixed)

Details

(Whiteboard: [fingerprinting])

Attachments

(1 attachment)

I tested latest Nightly with resistFingerprinting enabled on Ubuntu 17.10, switched keyboard layout in the OS and got the following results:

> keydown/keyup:
> QWERTY   key: "   code: Quote   which: 222
> AZERTY   key: "   code: Quote   which: 51
> 
> keypress:
> QWERTY   key: "   code: Quote   which: 34
> AZERTY   key: "   code: Quote   which: 34

From these results the keyboard layout still appears to be leaked through the keydown/keyup event "which" value.
Any thoughts?
Flags: needinfo?(arthuredelstein)
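The comparison made in the report above, as an added example that is not part of the bug or of Firefox's code: it groups recorded key events by type and typed character and reports any field whose value differs between layouts. `record` and `leakedFields` are hypothetical helper names, and the sample values are the ones quoted in the report.

```javascript
// Values quoted in the report: the same typed character under two OS layouts.
const observations = [
  { layout: "QWERTY", type: "keydown",  key: '"', code: "Quote", which: 222 },
  { layout: "AZERTY", type: "keydown",  key: '"', code: "Quote", which: 51 },
  { layout: "QWERTY", type: "keyup",    key: '"', code: "Quote", which: 222 },
  { layout: "AZERTY", type: "keyup",    key: '"', code: "Quote", which: 51 },
  { layout: "QWERTY", type: "keypress", key: '"', code: "Quote", which: 34 },
  { layout: "AZERTY", type: "keypress", key: '"', code: "Quote", which: 34 },
];

// Hypothetical helper: collect the fields a page can read from key events.
// In a browser, call record("QWERTY", document, sink) and type the test keys;
// repeat in a fresh page load after switching the OS layout.
function record(layout, target, sink) {
  for (const type of ["keydown", "keyup", "keypress"]) {
    target.addEventListener(type, (e) =>
      sink.push({ layout, type, key: e.key, code: e.code, which: e.which }));
  }
}

// Hypothetical helper: group events by type and typed character, then report
// every field whose value is not the same under all layouts.
function leakedFields(events, fields = ["code", "which"]) {
  const groups = new Map();
  for (const ev of events) {
    const id = JSON.stringify([ev.type, ev.key]);
    if (!groups.has(id)) groups.set(id, []);
    groups.get(id).push(ev);
  }
  const leaks = [];
  for (const evs of groups.values()) {
    for (const field of fields) {
      const byLayout = {};
      for (const ev of evs) byLayout[ev.layout] = ev[field];
      if (new Set(Object.values(byLayout)).size > 1) {
        leaks.push({ type: evs[0].type, key: evs[0].key, field, byLayout });
      }
    }
  }
  return leaks;
}

console.log(leakedFields(observations));
```

An empty result for the same input keys under every layout is what a regression check for this bug would expect once spoofing covers `which`.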
Nice one!
Assignee: nobody → arthuredelstein
Flags: needinfo?(arthuredelstein)
Priority: -- → P2
Blocks: 1439784
Here's a bug to fix this missing piece from 1222285. I want to add some new tests for KeyboardEvent.which, but the existing test design won't work because synthesizeKey does not synthesize the .which property and fixing the tests is going to be somewhat complex. I manually tested this patch and the .which property is correctly spoofed.

try results: https://treeherder.mozilla.org/#/jobs?repo=try&revision=3c973472eecc

(I have opened bug 1439784 to deal with rewriting the KeyboardEvent spoofing tests, but I would suggest we land this patch when it is ready so that it lands in time for Firefox 60.)
Attachment #8952583 - Flags: review?(masayuki)
Thanks for the quick review!
Keywords: checkin-needed
This patch needs a DOM reviewer.
Flags: needinfo?(arthuredelstein)
The DOM reviewer is needed for the webidl change.
Keywords: checkin-needed
Flags: needinfo?(arthuredelstein)
Attachment #8952583 - Flags: review?(bugs)
Attachment #8952583 - Flags: review?(bugs) → review+
Thanks!
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/69a621b7ba50
Spoof KeyboardEvent.which for privacy.resistFingerprinting. r=masayuki, r=smaug
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/69a621b7ba50
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Component: Event Handling → User events and focus handling