Open Bug 1448848 Opened 2 years ago Updated 5 months ago

privacy.resistFingerprinting should not affect screen coordinates for extensions/content scripts

Categories

(WebExtensions :: General, defect, P3)

59 Branch
defect

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: robbendebiene, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [fingerprinting][fp-triaged])

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180315233128

Steps to reproduce:

Hi, I'm the developer of Gesturefy (a mouse gesture extension).
Recently I got some reports from several users that my addon breaks if they have set privacy.resistFingerprinting to true. This is because I (at least for iframes) rely on the screenX and screenY properties, which are spoofed to 0 if the preference is enabled.

Some related bugs I've found:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1382499
- https://bugzilla.mozilla.org/show_bug.cgi?id=1377744



Expected results:

Since an extension is a piece of software which the user either trusts (installs it) or distrusts (doesn't install it), I would expect that extensions are not affected by this setting / are able to get the true values and properties.

I have no clue about the implementation details, but since there are some web APIs which are provided to privileged code only, I could imagine the same thing for properties changed by privacy.resistFingerprinting.
Component: Untriaged → WebExtensions: General
Product: Firefox → Toolkit
Yes, we intend to exempt extensions from Resist Fingerprinting protections. Depending on how your extension operates, it may be difficult to distinguish the extension from the web content, however. Can you provide a little more information about what the extension does to read these values?
Whiteboard: [fingerprinting-breakage]
In my case I'm listening for mouse events like mousemove or mousedown in a content script. These events provide the necessary screenX and screenY values, which are spoofed if resistFingerprinting is turned on.
Is this enough information? I can also create a little example addon to demonstrate it, if there is a need for it.
Thanks! I read up on content scripts - it looks like it should be safe to relax Resist Fingerprinting for them; since the website itself can't access its variables or methods or things.
Priority: -- → P3
Product: Toolkit → WebExtensions
Whiteboard: [fingerprinting-breakage] → [fingerprinting]
Whiteboard: [fingerprinting] → [fingerprinting][fp-triaged]