Closed Bug 1450561 Opened 6 years ago Closed 8 months ago

Resist screen elements dimensions fingerprinting


(Core :: DOM: Security, enhancement, P5)






(Reporter: kolan_n, Unassigned)


(Blocks 1 open bug)


(Whiteboard: [tor][fingerprinting][domsecurity-backlog1][fp-triaged])

Hello. Some webpages now use screen elements dimensions for determining other elements dimensions. This API in its current state allows fingerprinting. And we cannot remove that API because some webdevs may put the message "Chrom(?:e|ium)(?:-like)? or GT\*O" and will be right. So we need another way.

I wonder if it is possible to render webpages on a virtual screen of fake static resolution (for example even if the whole screen is 1 virtual pixel wide and 1 v. px. high, the websites normalizing sizes on resolutiom should work fine, but surely we need just to take the most widespread not to break the sites expecting integers and making the browsers less unique), making web browser to translate the sizes to the correct ones itself and why such an obvious idea have not been implemented yet. Of course there will be some distortions when rendering raster content, but I guess they are tolerable.
This would be related to our anti-fingerprinting effort (see privacy.resistFingerprinting in about:config).
Component: Tracking Protection → DOM: Security
Product: Firefox → Core
Whiteboard: [fingerprinting]
Priority: -- → P3
Whiteboard: [fingerprinting] → [fingerprinting][domsecurity-backlog1]
Thanks for the interesting idea. But right now, we propose to mitigate the window dimension fingerprinting vector by the "letterboxing" approach, which will be implemented in bug 1407366.
Priority: P3 → P5
See Also: → letterboxing
Whiteboard: [fingerprinting][domsecurity-backlog1] → [tor][fingerprinting][domsecurity-backlog1][fp-triaged]
Severity: normal → S3

As letterboxing is implemented, we don't intend to experiment with this.

Closed: 8 months ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.