Remove permissions along with site data
Categories
(Toolkit :: Data Sanitization, enhancement, P3)
Tracking
()
People
(Reporter: annevk, Unassigned)
References
(Depends on 1 open bug, Blocks 1 open bug)
Details
Comment 1•7 years ago
|
||
Comment 2•7 years ago
|
||
Reporter | ||
Comment 3•7 years ago
|
||
Comment 4•7 years ago
|
||
Comment 5•7 years ago
|
||
Comment 6•7 years ago
|
||
Comment 7•7 years ago
|
||
Comment 8•6 years ago
|
||
I think I follow the concerns that permissions are an explicit user choice and the fact that a permission for the site is present does not make an extended fingerprinting vector for non-resistFingerprinting use cases.
If the permission is directly queryable this is a flaw in the permissions API that we might want to address separately.
Updated•6 years ago
|
Comment 9•6 years ago
|
||
If the permission is directly queryable this is a flaw in the permissions API that we might want to address separately
re: Permissions API [1]
for (const a of [ 'accelerometer', 'accessibility-events', 'ambient-light-sensor',
'background-sync', 'camera', 'clipboard-read', 'clipboard-write', 'geolocation',
'gyroscope', 'magnetometer', 'microphone', 'midi', 'notifications', 'payment-handler',
'persistent-storage', 'push' ]) navigator.permissions.query({name:a}).then(e =>
console.log("permission for", a, ":", e.state)).catch(console.log);
Currently only geolocation, notifications, push and persistent-storage return values and might be worthwhile as FP'able metrics. See [2]: geolocation is a good metric (at the end of the languages/locale section). persistent-storage (in the cookies/storage section) always returns the prompt reply (or stored site exception) and is not a stable metric.
So yes, some permissions are directly queryable if someone wants to open a ticket for it
[1] https://developer.mozilla.org/en-US/docs/Web/API/Permissions/query
[2] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html
Comment 10•6 years ago
|
||
pinging Ethan so someone from Tor Uplift is aware
Comment 11•6 years ago
|
||
This is both a disk hacking and fingerprinting issue. Let's reopen this bug to keep track of it.
Comment 12•6 years ago
|
||
I don't see how this bug is a problem for Tor browser. Permissions are not stored on disk in Tor (if they were it would be another bug, but not this one). Ethan, can you please elaborate how this is relevant to Tor?
Comment 9 does not present an argument to re-opening this bug. As I said in comment 8, I'm aware that permission states are queryable but this should be solved on the Permissions API level, either by discussing at the spec level or (more likely) by updating permissions.query to always return "prompt" when RFP is enabled.
If these are issues of relevance for Tor browser please file them separately, I'm 99% certain that this bug is not relevant to you.
Comment 13•6 years ago
|
||
Johann, I didn't think of it clearly enough while re-opening the bug. Thanks for the clarification.
Comment 14•6 years ago
|
||
(In reply to Ethan Tseng [:ethan] from comment #13)
Johann, I didn't think of it clearly enough while re-opening the bug. Thanks for the clarification.
As Johann said "... or (more likely) by updating permissions.query to always return "prompt" when RFP is enabled", which is why I pinged you, to possibly create a ticket. While it doesn't affect Tor Browser (site permissions are session only, and they can enforce their defaults etc), it does affect Firefox
If you create a ticket, cc me in (if you remember), thanks
Description
•