Open Bug 1450401 Opened 2 years ago Updated 7 months ago

mozFullScreen leaks exact screen resolution

Categories

(Core :: Window Management, enhancement, P3)

Tracking Status
firefox61 --- affected

People

(Reporter: tjr, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [fingerprinting][fp-triaged])

Attachments

(1 file)

Attached file POC.html
Using mozFullScreen and any user interaction, a malicious website can send you into fullscreen and grab the window dimensions (and then kick you out of full screen if they want to).

We have a few options here. The full screen API is asynchronous, so we could throw a permission prompt before going into Full-Screen if one is in Resist Fingerprinting mode.

Alternately, we could resolve Bug 1407366.

Given that this leaks the screen resolution, and those dimensions are not unique-per-user, this is a leak we want to fix, but not an extraordinary leak.
Statistics: https://hardware.metrics.mozilla.com/
I don't think Bug 1407366 is a good fit for this because it would block FS, which is specifically what end users want, eg on signed in accounts such as Netflix watching videos. This would cause a barrier to uptake IMO.

+1 for permission prompt (also see: maximizing the screen warning prompt - Bug 1403747).

I can see prompt fatigue becoming an issue. Not that I want users to easily forget/bypass all prompts, otherwise the whole purpose of warning them is pointless. But consider users who repeatedly go FS on eg Netflix, Youtube etc. Suggest that we use site exceptions similar to canvas, default ask.

I wonder what Arthur thinks?
Wouldn't it be better to disable access to the window dimensions in this case if privacy.resistFingerprinting is set to true?
Edit: Probably that would not work so well as sites might get the dimensions with other tricks then (like creating a 100% wide element) and trying to disable the read-access to all related attributes would break then pretty much (I assume this is also the reason why the window dimensions are currently normalized with privacy.resistFingerprinting set to true).
(In reply to Simon Mainey from comment #1)
> I don't think Bug 1407366 is a good fit for this because it would block FS,
> which is specifically what end users want, eg on signed in accounts such as
> Netflix watching videos. This would cause a barrier to uptake IMO.

In principle, Bug 1407366 doesn't block fullscreen -- it merely modifies it. In fullscreen mode, the viewport would be restricted to rounded dimensions, so that some extra space around the outside would be left "black". We could also magnify this viewport such that we have "letterbox" or "pillbox" mode.

> I wonder what Arthur thinks?

In the long term, I would prefer a solution like 1407366. But if we want a stopgap with a warning/permission dialog, that seems reasonable to me.
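
The rounded-viewport idea described in the comment above, as an added example that is not part of the bug thread or Firefox's code: it rounds a fullscreen viewport down to fixed steps and shows several screen sizes collapsing into one reported size. The 200x100 px steps, the function names and the sample resolutions are assumptions made for illustration.

```javascript
// Added example, not code from the bug. STEP_W and STEP_H are assumed
// rounding steps; the page does not specify any.
const STEP_W = 200;
const STEP_H = 100;

// Round the real screen down to a multiple of the step and centre the result.
// Page content would only ever observe width/height, never the screen size.
function letterboxViewport(screenW, screenH, stepW = STEP_W, stepH = STEP_H) {
  if (![screenW, screenH, stepW, stepH].every((n) => Number.isInteger(n) && n > 0)) {
    throw new RangeError("dimensions and steps must be positive integers");
  }
  // A screen smaller than one step cannot be rounded down; keep it unrounded.
  const width = Math.floor(screenW / stepW) * stepW || screenW;
  const height = Math.floor(screenH / stepH) * stepH || screenH;
  return {
    width,
    height,
    marginX: (screenW - width) / 2, // black bar on each side
    marginY: (screenH - height) / 2, // black bar on top and bottom
  };
}

// Magnified variant: scale the rounded viewport until one axis touches the
// screen edge. Bars remain on the sides (pillarbox, the thread's "pillbox")
// or on top and bottom (letterbox).
function magnify(screenW, screenH) {
  const vp = letterboxViewport(screenW, screenH);
  const scale = Math.min(screenW / vp.width, screenH / vp.height);
  // Integer cross-multiplication avoids floating-point ties.
  const lhs = screenW * vp.height, rhs = screenH * vp.width;
  const bars = lhs > rhs ? "pillarbox" : lhs < rhs ? "letterbox" : "none";
  return { width: vp.width, height: vp.height, scale, bars };
}

// Group screens by the viewport a page would see; bigger groups leak less.
function bucketScreens(screens) {
  const buckets = new Map();
  for (const [w, h] of screens) {
    const { width, height } = letterboxViewport(w, h);
    const key = `${width}x${height}`;
    buckets.set(key, [...(buckets.get(key) || []), `${w}x${h}`]);
  }
  return buckets;
}

// Constructed sample resolutions, not taken from the linked statistics.
const SAMPLE_SCREENS = [[1280, 720], [1360, 768], [1366, 768], [1920, 1080], [1920, 1200]];
for (const [key, members] of bucketScreens(SAMPLE_SCREENS)) {
  console.log(`${key} <- ${members.join(", ")}`);
}
```

With these assumed steps, three of the five sample screens report the same 1200x700 viewport, while the two 1920-wide screens still differ in height, so the step size decides how much of the resolution remains observable.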
(In reply to Arthur Edelstein (Tor Browser dev) [:arthuredelstein] from comment #4)
> In principle, Bug 1407366 doesn't block fullscreen -- it merely modifies it. In fullscreen mode, the viewport would be restricted

Ahh, the viewport. Got it.

I keep forgetting we have two hats here, Firefox and TBB. Enforcing behavior in TBB is fine, but creating blocks to uptake in Firefox is problematic. Letterboxing the viewport will upset users. For FF the prompt/permission is more than enough IMO.
Priority: P5 → P3
Whiteboard: [fingerprinting] → [fingerprinting][fp-triaged]