Closed Bug 1507280 Opened 7 years ago Closed 11 months ago

Ensure the reporting URI respects Resist Fingerprinting wrt locale

Categories

(Core :: DOM: Security, enhancement, P3)

Tracking

RESOLVED FIXED
132 Branch
Tracking Status
firefox132 --- fixed

People

(Reporter: tjr, Assigned: fkilic)

References

(Blocks 1 open bug)

Details

(Whiteboard: [fingerprinting][fp-triaged][domsecurity-backlog])

Attachments

(2 files)

There was a comment on IRC that the Reporting API will send localized strings, so we should ensure that this respects Resist Fingerprinting's locale stuff.
Priority: -- → P3
Whiteboard: [fingerprinting]
Whiteboard: [fingerprinting] → [fingerprinting][fp-triaged]
Whiteboard: [fingerprinting][fp-triaged] → [fingerprinting][fp-triaged][domsecurity-backlog]
Blocks: 1620573
Severity: normal → S3

This seems to be true. I set my language to Turkish and visited https://mdn.github.io/dom-examples/reporting-api/deprecation_report.html, and it does show the error in Turkish.

Assignee: nobody → fkilic
Status: NEW → ASSIGNED

This patch only covers DeprecationReportBody, because only DeprecationReportBody and InterventionReportBody have a message property and InterventionReportBody is not implemented. So it covers everything.

> This seems to be true. I set my language to Turkish and visited https://mdn.github.io/dom-examples/reporting-api/deprecation_report.html, and it does show the error in Turkish.

Because you said you were Turkish (navigator, lang accept header). The real test would be if you were Turkish app language, but spoofed as English (which is broken in Firefox, you will need to use TB).

> which is broken in Firefox

Oh, I didn't know, sorry.

Now I tried Tor with spoof english=2 (basically agreed to the spoof-to-English prompt), media.navigator.enabled=true and Turkish, and still got a Turkish error message. So it seems like Tor is affected as well.

I can't replicate: using TB alpha (based on ESR128)

control

  • English app lang (apply and restart if required)
  • spoof english = 1 (or 0)
  • page: show reports - clicking it does nothing
  • console: Uncaught ReferenceError: ReportingObserver is not defined - Learn more link is in English

test

  • Turkish app lang (apply and restart)
  • spoof english = 2
  • page: show reports - clicking it does nothing
  • console: Uncaught ReferenceError: ReportingObserver is not defined - Learn more link is in Turkish

Also, because Tor Browser is built without WebRTC, media.navigator.enabled will cause enumeration of devices to never resolve (yup, I had it set to true).

How do I replicate getting a report? And I tried playing the media file.

Oh yeah, sorry, I forgot to mention, you also have to enable dom.reporting.enabled to enable the ReportingObserver API.

So TB is not affected since dom.reporting.enabled = false? Actually dom.reporting.enabled is false in FF by default as well, including Nightly.

Yes true, I think it is set to false because of some thread/process issues. I don't know if it is under development or not and whether it will be enabled soon.

Attached image app lang leak.png

Confirmed app language leak when Reporting Observer is enabled.

Pushed by fkilic@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/60e835b2bf26 Change GetLocalizedString to GetMaybeLocalizedString in deprecation warnings. r=tjr
Status: ASSIGNED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → 132 Branch
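
An added example, not code from this bug or from Firefox: a page-side regression check for the leak discussed in the thread, which flags deprecation reports whose `message` is not English while `navigator.language` claims English. The non-ASCII heuristic, the function names and the sample reports are assumptions constructed for illustration.

```javascript
// Added example: not from bug 1507280 or the Firefox source.
// Typographic punctuation that legitimate en-US strings may contain.
const TYPOGRAPHIC = /[\u2018\u2019\u201C\u201D\u2013\u2014\u2026]/g;

// Heuristic (assumption): after removing typographic punctuation, an en-US
// message is pure ASCII; a localized one (e.g. Turkish) usually is not.
function looksNonEnglish(message) {
  return /[^\x00-\x7F]/.test(String(message).replace(TYPOGRAPHIC, ""));
}

// Return the deprecation reports whose message contradicts an English
// page-visible locale (navigator.language), i.e. an app-language leak.
function findLocaleLeaks(reports, claimedLanguage) {
  if (!/^en\b/i.test(claimedLanguage)) return []; // no English claim to contradict
  return reports
    .filter((r) => r.type === "deprecation" && r.body &&
                   typeof r.body.message === "string")
    .filter((r) => looksNonEnglish(r.body.message))
    .map((r) => ({ id: r.body.id, message: r.body.message }));
}

// Browser wiring. ReportingObserver only exists when the Reporting API is
// enabled (dom.reporting.enabled in Firefox, per the thread above).
function watchForLeaks(onLeak) {
  if (typeof ReportingObserver === "undefined") return null;
  const observer = new ReportingObserver((reports) => {
    const leaks = findLocaleLeaks(reports, navigator.language);
    if (leaks.length > 0) onLeak(leaks);
  }, { types: ["deprecation"], buffered: true });
  observer.observe();
  return observer;
}

// Constructed sample reports (ids and messages are made up, not Firefox strings).
const SAMPLE_REPORTS = [
  { type: "deprecation",
    body: { id: "ConstructedFeatureA", message: "This feature is deprecated." } },
  { type: "deprecation",
    body: { id: "ConstructedFeatureB", message: "Bu özellik kullanımdan kaldırılmıştır." } },
  { type: "intervention", body: { id: "ConstructedC", message: "Yok sayıldı." } },
];
```

In a browser, call `watchForLeaks(console.warn)` on a page that triggers a deprecation report, with a non-English app language and English spoofing enabled; any callback invocation indicates the app language is visible to the page.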