mozFullScreen leaks exact screen resolution
Categories: Core :: Window Management, enhancement, P3

Tracking:

| | Tracking | Status |
|---|---|---|
| firefox61 | --- | affected |

People: Reporter: tjr, Unassigned
References: Blocks 1 open bug
Details: Whiteboard: [fingerprinting][fp-triaged]
Attachments: 1 file (1.06 KB, text/plain)
Comment 7•6 years ago
(In reply to Arthur Edelstein [:arthur] from comment #4)
> In principle, Bug 1407366 doesn't block fullscreen -- it merely modifies it.
> In fullscreen mode, the viewport would be restricted to rounded dimensions,
> so that some extra space around the outside would be left "black". We could
> also magnify this viewport such that we have "letterbox" or "pillbox" mode.

Note that letterboxing (Bug 1407366) does not address this issue - see Tor Ticket https://trac.torproject.org/projects/tor/ticket/32713
Comment 8•5 years ago
After testing the letterboxing now for a while via privacy.resistFingerprinting.letterboxing set to true and noticing that it does not apply in fullscreen mode, here are my thoughts about this:
(In reply to Simon Mainey from comment #7)
> Note that letterboxing (Bug 1407366) does not address this issue - see Tor Ticket https://trac.torproject.org/projects/tor/ticket/32713

From my understanding it currently does not address this issue as letterboxing is simply not being applied to fullscreen content (and not for other technical reasons) but it would address this issue if letterboxing were applied to fullscreen content. Feel free to correct me if I'm wrong here.
So we have 3 options:
- Permission dialog when entering fullscreen.
- Letterboxing on fullscreen.
- Letting the user decide via a setting in about:config to choose option 1 or 2.
- The first solution has the disadvantage that it requires offering fingerprintable entropy to the website if the user decides to watch fullscreen content - this effectively blocks users out of this content who don't want this.
- The second solution adds just the letterboxing (as we currently have for non-fullscreen) to fullscreen content. Sites/video players will just work transparently as usual and it should not even upset users additionally since any other web content is already letterboxed for them anyway - this is even what they probably would expect. This solution would also offer less fingerprintable entropy to a website when watching fullscreen content.
Comment 11•5 months ago
I knew there was a ticket for this already where I was even active - I almost created a new one.
Now after all the betterboxing changes in Firefox 137 is there actually any technical reason that speaks against just applying letterboxing to fullscreen content as well if privacy.resistFingerprinting.letterboxing is set to true? I couldn't figure out yet what would speak against it.
Comment 12•5 months ago (Reporter)
> Now after all the betterboxing changes in Firefox 137 is there actually any technical reason that speaks against just applying letterboxing to fullscreen content as well if privacy.resistFingerprinting.letterboxing is set to true? I couldn't figure out yet what would speak against it.

[Tor hat, not Mozilla hat, but personal opinion]
A technical reason? No, we (tor) could implement that if we wanted to.
What's the advantage of letterboxing if you're in fullscreen? Your monitor resolution is, in 99.5% of times, a standard resolution offered by a lot of monitors. Some may be more popular than others, but even if you're 800 x 480, that's more common than 740 x 440 or whatever it would be if we letterboxed that resolution down one step.
Comment 13•5 months ago
[Tor hat]
It's not hard to extrapolate with a high degree of certainty, what your real screen size is if you are fullscreen (F11), so the same would apply with LBing fullScreenElement. That's at 100% zoom and ideally the system scaling at something common - it's not always that easy. LB makes it harder by masking the real value.
The question is do we want to do this to fullScreenElement? It's behind a user action (and sites that did it without being transparent would scare users away). Do we want users in a fullscreen video that is already letterboxed due to aspect ratio, then be letterboxed again? Could we exempt video only? Would video then leak?
Sometimes it's better to educate and allow functionality and usability for end users, who are required in large numbers to create your "crowd".
edit: we could put fullScreenElement behind a prompt similar to fullscreen (F11) without LBing in tor browser - the prompt is to educate/warn but can also be disabled so as to not annoy the user
Comment 14•5 months ago
(In reply to Thorin [:thorin] from comment #13)
> It's not hard to extrapolate with a high degree of certainty, what your real screen size is if you are fullscreen (F11), so the same would apply with LBing fullScreenElement.

The more the website has to guess, the less useful the emitted entropy is for them - even if it helps just a tiny bit in this case. And we would protect the small subset of users that have very unusual screen sizes.
(In reply to Thorin [:thorin] from comment #13)
> It's behind a user action (and sites that did it without being transparent would scare users away).

Unfortunately it is already too late then.
(In reply to Thorin [:thorin] from comment #13)
> edit: we could put fullScreenElement behind a prompt similar to fullscreen (F11) without LBing in tor browser - the prompt is to educate/warn but can also be disabled so as to not annoy the user

Personally I could also live with that solution. I just always have to decline such prompts if they appear unintentionally.
(Preferably with an always-decline and never ask again option if that doesn't emit extra entropy. But I'm also used to always clicking the canvas prompt away, for example every time somebody pings me in Discord :) )
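
Added example (not part of the bug thread and not Firefox or Tor Browser code): a sketch of option 2 from comment 8 and the anonymity-set argument in comments 12 to 14, rounding fullscreen dimensions down to buckets and grouping real screen sizes by what a page would observe. The 100-pixel step, the function names and the sample screen list are assumptions constructed for illustration.

```javascript
// Added example, not browser code. STEP is an assumed bucket size; the
// thread does not state the step sizes real letterboxing uses.
const STEP = { width: 100, height: 100 };

// Round one dimension down to a multiple of `step`; values smaller than a
// single step are left unchanged rather than collapsed to zero.
function roundDown(value, step) {
  return value < step ? value : Math.floor(value / step) * step;
}

// Size the content would see in a letterboxed fullscreen, plus the unused
// margin on each axis (the area left "black" around the viewport).
function letterboxFullscreen(screenW, screenH, step = STEP) {
  const width = roundDown(screenW, step.width);
  const height = roundDown(screenH, step.height);
  return { width, height, marginX: screenW - width, marginY: screenH - height };
}

// Group real screen sizes by the size a page would observe.
function anonymitySets(screens, step = STEP) {
  const sets = new Map();
  for (const [w, h] of screens) {
    const lb = letterboxFullscreen(w, h, step);
    const key = `${lb.width}x${lb.height}`;
    if (!sets.has(key)) sets.set(key, []);
    sets.get(key).push(`${w}x${h}`);
  }
  return sets;
}

// Constructed sample: common resolutions plus a few unusual ones.
const SAMPLE_SCREENS = [
  [1920, 1080], [1366, 768], [1360, 768], [1371, 771],
  [1440, 900], [1493, 933], [800, 480], [1918, 1078],
];

// Compare how many distinct values leak with and without rounding.
function summarize(screens = SAMPLE_SCREENS) {
  const sets = anonymitySets(screens);
  return {
    distinctRaw: new Set(screens.map(([w, h]) => `${w}x${h}`)).size,
    distinctLetterboxed: sets.size,
    sets,
  };
}

console.log(summarize());
```

With this sample the unusual sizes fall into the same buckets as common ones, while 800x480 is reported as 800x400, which is the case comment 12 raises: a rounded value only helps if other users share it.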