Closed Bug 1475825 Opened 5 years ago Closed 4 years ago
Fingerprinting to true results in a better fingerprint by screen resolution
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0 Build ID: 20100101 Steps to reproduce: Works with Firefox 61.0.1 and 63.0a1 (the currently latest build). ("privacy.resistFingerprinting" must be set to false for the first run) 1. Go to https://panopticlick.eff.org and checked the fingerprint ("Screen Size and Color Depth" was 5.13 bits of information (value was 1600x900x24)) 2. Set "privacy.resistFingerprinting" to true 3. Test your browser fingerprint again Actual results: The bits of identifying information of the "Screen Size and Color Depth" has gone up to 16.55. Detected screen resolution of 1600x738x24, which is a more unique value than 1600x900x24 (as 1600x900 is a very common screen resolution, 1600x738 is definitely not). Expected results: When activating "resistFingerprinting", the screen size that is reported to websites should be a common value but at least not more identifying than without the resistFingerprinting flag.
Tim, could you confirm whether this bug is valid or not?
It's more like a limitation of the current design of the window dimensions protection. There are two protections should be applied in order to hide the screen resolution including rounding the window size and only report the size of the content viewport for the screen size. However, the rounding only happens during opening a window. So, the browser will report the content viewport size in your case. I believe that the 162 pixels difference is the size of your chrome UI. IMO, we should either add a warning to inform users to restart the browesr for making the protection effective, like Bug 1403747 wants to do, or dynamically round the content viewport like Bug 1407366 wants to do.
Ok, I got it know. When the flag is activated, the property screen.height is actually returning the document's height. So why not just return full hd or 4K (if the actual screen resolution is higher than full hd) for the screen resolution? I mean, a website should never be interested in the screen resolution right? Maybe the document's resolution. Here are some arguments that should be considered please: 1. The style of a website can't rely on the screen properties. If there is some website that relies on the resolution, it will be the document's resolution. 2. Returning an unusual resolution will result in better tracking. Also, there is a practical aspect of this: most users just use their browsers maximized. I'm probably missing something here and I'm sorry for raising the fundamental question: For which purpose does a website need the screen resolution anyway? I only can think of the document's resolution as reasonable.
I tested this on Ubuntu 16.04 with the latest nightly, and it is reproducible. When privacy.resistFingerprinting" is set to true, the value of "Screen Size and Color Depth" looks unique. Test Environment: Version 63.0a1 Build ID 20180718100918 Update Channel nightly User Agent Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Status: UNCONFIRMED → NEW
Component: Untriaged → Window Management
Ever confirmed: true
Product: Firefox → Core
This issue is very like to be fixed by bug 1407366.
Assignee: nobody → tihuang
Depends on: letterboxing
Whiteboard: [tor][fingerprinting] → [tor][fingerprinting][fp-triaged]
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.