mozFullScreen leaks exact screen resolution
Categories: Core :: Window Management, enhancement, P3
Tracking: firefox61 (tracking: ---, status: affected)
People: Reporter: tjr, Unassigned
References: Blocks 1 open bug
Details: Whiteboard: [fingerprinting][fp-triaged]
Attachments: 1 file (1.06 KB, text/plain)
Comment 1•7 years ago
Comment 2•7 years ago
Comment 3•7 years ago
Comment 4•7 years ago
Comment 5•7 years ago
Comment 6•6 years ago
Updated•6 years ago
Comment 7•5 years ago
(In reply to Arthur Edelstein [:arthur] from comment #4)
> In principle, Bug 1407366 doesn't block fullscreen -- it merely modifies it.
> In fullscreen mode, the viewport would be restricted to rounded dimensions,
> so that some extra space around the outside would be left "black". We could
> also magnify this viewport such that we have "letterbox" or "pillbox" mode.
Note that letterboxing (Bug 1407366) does not address this issue - see Tor Ticket https://trac.torproject.org/projects/tor/ticket/32713
Comment 8•5 years ago
After testing the letterboxing now for a while via privacy.resistFingerprinting.letterboxing set to true and noticing that it does not apply on fullscreen mode, here are my thoughts about this:
(In reply to Simon Mainey from comment #7)
> Note that letterboxing (Bug 1407366) does not address this issue - see Tor Ticket https://trac.torproject.org/projects/tor/ticket/32713
From my understanding it does currently not address this issue as letterboxing is simply not being applied to fullscreen content (and not for other technical reasons) but it would address this issue if letterboxing would be applied to fullscreen content. Feel free to correct me if I'm wrong here.
So we have 3 options:
1. Permission dialog when entering fullscreen.
2. Letterboxing on fullscreen.
3. Letting the user decide via a setting in about:config to choose option 1 or 2.
- The first solution has the disadvantage that it requires offering fingerprintable entropy to the website if the user decides to watch fullscreen content - this effectively blocks users out of this content who don't want this.
- The second solution adds just the letterboxing (as we currently have for non-fullscreen) to fullscreen content. Sites/video players will just work transparently as usual and it should not even upset users additionally since any other web content is already letterboxed for them anyway - this is even what they probably would expect. This solution would also offer less fingerprintable entropy to a website when watching fullscreen content.
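The effect of the "letterboxing on fullscreen" option discussed in comments 4, 7 and 8, as an added example that is not part of the bug or of Firefox's code: it rounds the fullscreen viewport down and shows how several exact screen sizes collapse into one reported size. The function names, the 100-pixel step and the sample screen list are assumptions made for illustration; the bug does not state a rounding step.

```javascript
// Added illustration; not Firefox or Tor Browser code.
// ASSUMPTION: each dimension is rounded down to a multiple of STEP CSS pixels.
// The bug does not give the step; 100 is chosen only for this example.
const STEP = 100;

function roundDown(value, step) {
  const rounded = Math.floor(value / step) * step;
  // A screen smaller than one step cannot be rounded down; keep it as is.
  return rounded > 0 ? rounded : value;
}

// Viewport a page would observe if fullscreen content were letterboxed,
// plus the black margin left on each side of it.
function letterboxFullscreen(screenW, screenH, step = STEP) {
  const width = roundDown(screenW, step);
  const height = roundDown(screenH, step);
  return {
    width,
    height,
    marginX: (screenW - width) / 2, // left and right bars ("pillarbox")
    marginY: (screenH - height) / 2, // top and bottom bars ("letterbox")
  };
}

// Group exact screen sizes by the size a page would see after rounding.
function bucketScreens(screens, step = STEP) {
  const buckets = new Map();
  for (const [w, h] of screens) {
    const v = letterboxFullscreen(w, h, step);
    const key = `${v.width}x${v.height}`;
    if (!buckets.has(key)) buckets.set(key, []);
    buckets.get(key).push(`${w}x${h}`);
  }
  return buckets;
}

// Constructed sample of exact fullscreen sizes (not measured data).
const SAMPLE_SCREENS = [
  [1920, 1080], [1912, 1076], [1904, 1071],
  [1536, 864], [1528, 859],
  [1366, 768],
];

for (const [seen, exact] of bucketScreens(SAMPLE_SCREENS)) {
  console.log(`${seen} <- ${exact.join(", ")}`);
}
```

Without rounding, each of the six sample screens is distinguishable through the fullscreen dimensions; with it, a page sees only three distinct sizes.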
Updated•2 years ago