Closed Bug 1448848 Opened 7 years ago Closed 2 years ago

privacy.resistFingerprinting should not affect screen coordinates for extensions/content scripts

Categories

(WebExtensions :: General, defect, P3)

59 Branch
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: robbendebiene, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [fingerprinting][fp-triaged])

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180315233128

Steps to reproduce:

Hi, I'm the developer of Gesturefy (a mouse gesture extension).
Recently I got some reports from several users that my addon breaks if they have set privacy.resistFingerprinting to true. This is because I (at least for iframes) rely on the screenX and screenY properties, which are spoofed to 0 if the preference is enabled.

Some related bugs I've found:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1382499
- https://bugzilla.mozilla.org/show_bug.cgi?id=1377744



Expected results:

Since an extension is a piece of software which the user either trusts (installs it) or distrusts (doesn't install it), I would expect that extensions are not affected by this setting / are able to get the true values and properties.

I have no clue about the implementation details, but since there are some web APIs which are provided to privileged code only, I could imagine the same thing for properties changed by privacy.resistFingerprinting.

Component: Untriaged → WebExtensions: General
Product: Firefox → Toolkit

Yes, we intend to exempt extensions from Resist Fingerprinting protections. Depending on how your extension operates, it may be difficult to distinguish the extension from the web content however. Can you provide a little more information about what the extension does to read these values?

Whiteboard: [fingerprinting-breakage]

In my case I'm listening for mouse events like mousemove or mousedown in a content script. These events provide the necessary screenX and screenY values, which are spoofed if resistFingerprinting is turned on.
Is this enough information? I can also create a little example addon to demonstrate it, if there is a need for it.

Thanks! I read up on content scripts - it looks like it should be safe to relax Resist Fingerprinting for them; since the website itself can't access its variables or methods or things.

Priority: -- → P3
Product: Toolkit → WebExtensions
Whiteboard: [fingerprinting-breakage] → [fingerprinting]
Whiteboard: [fingerprinting] → [fingerprinting][fp-triaged]

This also affects sidebar panels, for example Tree Style Tab. TST provides the ability to detach a tab from the window by drag and drop to outside of the sidebar area. This function is based on window coordinates and event coordinates, so dropped tabs cannot be detached when privacy.resistFingerprinting is true because such actions are always detected as: "the dropped position is [0,0] and the sidebar area is placed at [0,0] so the tab was dropped in the sidebar area".
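The misclassification described in the comment above, as an added example that is not part of the original thread and is not Tree Style Tab's or Gesturefy's code. All function names and coordinate values are constructed for illustration; the spoofed values follow the thread's description (event and window positions all reported as 0), and the all-zero check is a heuristic assumption, not a Firefox API.

```javascript
// Hypothetical hit test for "was the tab dropped outside the sidebar?".
// `panel` stands in for the sidebar panel's window (screenX/screenY/
// innerWidth/innerHeight); `event` stands in for the drop event.
function dropIsOutsideSidebar(event, panel) {
  const inside =
    event.screenX >= panel.screenX &&
    event.screenX <= panel.screenX + panel.innerWidth &&
    event.screenY >= panel.screenY &&
    event.screenY <= panel.screenY + panel.innerHeight;
  return !inside;
}

// Heuristic (assumption): if the event and the window both report exactly
// [0,0], the coordinates carry no usable position information.
function coordinatesLookSpoofed(event, panel) {
  return event.screenX === 0 && event.screenY === 0 &&
         panel.screenX === 0 && panel.screenY === 0;
}

// Returns "detach", "keep", or "unknown" so the caller can surface the
// failure instead of silently treating every drop as "inside the sidebar".
function classifyDrop(event, panel) {
  if (coordinatesLookSpoofed(event, panel)) return "unknown";
  return dropIsOutsideSidebar(event, panel) ? "detach" : "keep";
}

// Constructed sample values: a real drop well to the right of the sidebar.
const realPanel = { screenX: 100, screenY: 150, innerWidth: 250, innerHeight: 800 };
const realDrop = { screenX: 900, screenY: 400 };

// Constructed sample values: the same gesture as seen with
// privacy.resistFingerprinting enabled, per the thread's description.
const spoofedPanel = { screenX: 0, screenY: 0, innerWidth: 250, innerHeight: 800 };
const spoofedDrop = { screenX: 0, screenY: 0 };

console.log(dropIsOutsideSidebar(realDrop, realPanel));       // outside: detach works
console.log(dropIsOutsideSidebar(spoofedDrop, spoofedPanel)); // never outside: detach fails
console.log(classifyDrop(spoofedDrop, spoofedPanel));         // flagged instead of misclassified
```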

Severity: normal → S3

I've confirmed that the Tree Style Tabs variant of this bug still happens with testGranularityMask = 0 and is fixed with testGranularityMask = 7. So while we haven't rolled the behavior out by default (when RFP is true) - we will be fixing this when we roll that out.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED