Investigate getClientRects for fingerprinting
Categories
(Core :: DOM: CSS Object Model, enhancement, P3)
Tracking
()
People
(Reporter: tjr, Unassigned)
References
(Depends on 1 open bug, Blocks 1 open bug)
Details
(Whiteboard: [tor 29564][fingerprinting][fp-triaged])
Comment 1•6 years ago
Comment 4•6 years ago
Comment 5•6 years ago (Reporter)
I tested on Firefox Nightly on Windows 10 with RFP enabled.
I found that the following desktop settings affected the output of the DomRect test on https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html
Display -> Change the size of text, apps and other items
Display -> Resolution
The following did not:
Display -> Color Profile (although maybe the test doesn't use colors, I'd have expected this one to affect it...)
I did not test Orientation (too hard) or Nightlight (wrong time of day).
So there is definitely no question that we are leaking device configuration information here, even on Tor Browser where the fonts are fixed.
Comment 6•6 years ago
Comment 7•6 years ago (Reporter)
https://trac.torproject.org/projects/tor/ticket/29564#comment:4 is a great comment pointing to some pages that have a lot more explicit examples of what exactly clientrect is measuring in rendering. (Comment 6 too.)
I'm not sure what TorZillaPrint is rendering, but the pages comment illustrates that rendering browser elements (like selects or progress bars) and MathML and Emoji are other non-font-related problems.
At this point it seems very likely to me that we won't be able to neuter this API to return safe data, so we need to either gate it behind a prompt like canvas image extraction or just disable it entirely.
To do that I expect we're going to need to figure out some estimation of what we'll break. We could add telemetry for the APIs. We can examine tracking scripts to see if they use it (from historical crawl data?). We can examine non-tracking scripts to see if they use it (from fresh crawl data?).
Comment 8•6 years ago
(In reply to Tom Ritter [:tjr] (On Leave) from comment #7)
> I'm not sure what TorZillaPrint is rendering...
FYI: https://ghacksuserjs.github.io/TorZillaPrint/iframes/domrect.html .. which is the same as the domrect test from https://canvasblocker.kkapsner.de/test/ which is based on https://browserleaks.com/rects
Comment 9•6 years ago (Reporter)
With the help of Steve, we ran a quick OpenWPM scan looking for usages of getClientRects and related. The results I found, based on the un-minified function names, are all focused on visibility checking, so I am led to believe that at this time it's not used for fingerprinting... much?
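Added example, not part of the bug comments and not Firefox or OpenWPM code: a sketch of the call-site telemetry suggested in comment 7 together with the function-name triage described in comment 9. The `__rectProbe` wrapper name, the `instrumentRectApis`/`summarize` helpers and the `VISIBILITY_HINT` pattern are all assumptions made for illustration.

```javascript
// Added example: call-site telemetry for the rect APIs (illustrative, hypothetical names).
const RECT_APIS = ["getClientRects", "getBoundingClientRect"];
// Assumption: caller names matching this pattern indicate a visibility check.
const VISIBILITY_HINT = /visib|viewport|inview|onscreen/i;

// Name of the function that called the probe, taken from the frame after the
// probe in a V8-style ("at f (url)") or Gecko-style ("f@url") stack string.
function callerName(stack) {
  const lines = String(stack).split("\n");
  const probe = lines.findIndex((l) => l.includes("__rectProbe"));
  const frame = lines[probe + 1] || "";
  const m = frame.match(/^\s*at (?:async )?(\S+) \(/) || frame.match(/^([^@\s]+)@/);
  return m ? m[1] : "(anonymous)";
}

// Wrap each rect API on `proto` so every call is logged, then forwarded unchanged.
function instrumentRectApis(proto, log) {
  for (const api of RECT_APIS) {
    const original = proto[api];
    if (typeof original !== "function") continue;
    proto[api] = function __rectProbe(...args) {
      log.push({ api, caller: callerName(new Error().stack) });
      return original.apply(this, args);
    };
  }
  return log;
}

// Count calls per API, split by whether the caller name looks like a visibility check.
function summarize(log) {
  const out = {};
  for (const { api, caller } of log) {
    const bucket = VISIBILITY_HINT.test(caller) ? "visibilityLike" : "unclassified";
    out[api] = out[api] || { visibilityLike: 0, unclassified: 0 };
    out[api][bucket] += 1;
  }
  return out;
}

// In a page: instrumentRectApis(Element.prototype, []) and likewise Range.prototype.
```

Name-based triage only works on un-minified scripts, so the `unclassified` bucket is what needs manual review before estimating breakage.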
Comment 10•6 years ago (Reporter)
(In reply to Tom Ritter [:tjr] (On Leave) from comment #5)
> I tested on Firefox Nightly on Windows 10 with RFP enabled.
> I found that the following desktop settings affected the output of the DomRect test on https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html
> Display -> Change the size of text, apps and other items
This is now Bug 1538718
> Display -> Resolution
This I think was a misdirect, not understanding all the properties.
Comment 11•5 years ago
GPU or such doesn't affect getBoundingClientRect and co. DPI does though.