Closed Bug 1511941 Opened 2 years ago Closed 1 year ago

privacy.resistfingerprinting performance API spoofing breaks vimeo.com

Categories

(Core :: DOM: Security, defect, P2)

Product:
Core
Component:
DOM: Security
Version:
65 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla78
Tracking Flags:
Tracking Status
firefox-esr68 --- wontfix
firefox65 --- wontfix
firefox75 --- wontfix
firefox76 --- wontfix
firefox77 --- wontfix
firefox78 --- fixed

People

(Reporter: ke5trel, Assigned: me)

References

(Blocks 1 open bug, Regression,
URL
)

Details

(Keywords: regression, Whiteboard: [fingerprinting][fp-triaged][sci-exclude][domsecurity-active])

Attachments

(1 file)

Bug 1511941 - Don't expose PerformanceNavigationTiming in RFP mode r?tjr
47 bytes, text/x-phabricator-request
Details | Review 
Console error:
> TypeError: t[0] is undefined; can't access its "startTime" property

Code responsible:

d=function() {
  var e = window.performance;
  if (!e)
    return 0;
  if (window.PerformanceNavigationTiming) {
    var t = e.getEntriesByType("navigation");
    return t[0].startTime;
  }
  return e.timing.navigationStart;
}
Oh, this should be easy; we shouldn't expose PerformanceNavigationTiming if we don't support it. We should also check Resource Timing.
Vimeo have fixed it at their end by adding an extra check:

> return t && t.length ? t[0].startTime : 0;
Priority: -- → P2
(In reply to Kestrel from comment #2)
> Vimeo have fixed it at their end by adding an extra check: 
> > return t && t.length ? t[0].startTime : 0;

Does this mean we can close this bug as resolved worksforme?
Flags: needinfo?(ke5trel)
No, I think we should do what I specify in Comment 1 to be spec-compliant.
Flags: needinfo?(ke5trel)
(In reply to Tom Ritter [:tjr] from comment #4)
> No, I think we should do what I specify in Comment 1 to be spec-compliant.

Thanks for clarification.
Assignee: nobody → ettseng
Whiteboard: [fingerprinting] → [fingerprinting][fp-triaged]
Component: DOM → DOM: Core & HTML
Whiteboard: [fingerprinting][fp-triaged] → [fingerprinting][fp-triaged][sci-exclude]
No longer blocks: 1369303
Keywords: regression
Regressed by: 1369303

I've detected a new website that is broken by resistfingerprinting.

Is there an issue that centralizes all broken websites?

Or do we create one issue per website?

(In reply to monperrus from comment #6)

Is there an issue that centralizes all broken websites?

File and new bug and set the "Blocks" field to "fingerprinting-breakage" (Bug 1507517).

Component: DOM: Core & HTML → DOM: Security

Hey Kestrel,
Tim and I are checking this issue. We couldn't see the console error in comment 0.
Please feel free to re-open it if you're still able the reproduce the problem.

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(ke5trel)
Resolution: --- → WORKSFORME

I already verified that Vimeo fixed it at their end in Comment 2 but Comment 4 recommended leaving this bug open to address the underlying issue.

Flags: needinfo?(ke5trel)

(In reply to Kestrel from comment #9)

I already verified that Vimeo fixed it at their end in Comment 2 but Comment 4 recommended leaving this bug open to address the underlying issue.

Sorry, I totally missed the previous comments.
Tim, could you take a look to see if we can do what Tom suggested in comment 1?

Flags: needinfo?(tihuang)
Assignee: ettseng → tihuang
Status: RESOLVED → REOPENED
Flags: needinfo?(tihuang)
Resolution: WORKSFORME → ---
Whiteboard: [fingerprinting][fp-triaged][sci-exclude] → [fingerprinting][fp-triaged][sci-exclude][domsecurity-active]

In RFP mode, we do not support PerformanceNavigationTiming, so don't expose
it. In particular, window.PerformanceNavigationTiming should return
undefined.

Added a new method PerformanceNavigationTiming::Enabled which when used with
the WebIDL Func attribute allows us to toggle whether
window.PerformanceNavigationTiming is exposed.

Created
dom/tests/mochitest/general/test_toggling_performance_navigation_timing.html
to test whether the toggling works.

Pushed by tritter@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/61463834bff6
Don't expose PerformanceNavigationTiming in RFP mode r=tjr,baku

https://hg.mozilla.org/mozilla-central/rev/61463834bff6

Status: REOPENED → RESOLVED
Closed: 1 year ago1 year ago
status-firefox78: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla78

browser_performanceAPI.js

      "For reduceTimerPrecision, there should be 4 entries for performance.getEntries()"
      // PerformanceNavigationTiming, PerformanceMark, PerformanceMark, PerformanceMeasure

Doesn't seem right?

Assignee: tihuang → sgmenda

(In reply to Simon Mainey from comment #14)

browser_performanceAPI.js

      "For reduceTimerPrecision, there should be 4 entries for performance.getEntries()"
      // PerformanceNavigationTiming, PerformanceMark, PerformanceMark, PerformanceMeasure

Doesn't seem right?

That function is a little hard to read, it took me a while to figure out what it does. Here is what it does:

    content.performance.clearMarks();
    content.performance.clearMeasures();
    content.performance.clearResourceTimings();
    content.performance.mark("Test");
    content.performance.mark("Test-End");
    content.performance.measure("Test-Measure", "Test", "Test-End");
    content.performance.getEntries()

In particular, if you don't do the clear, it does not work. :)

You need to log in before you can comment on or make changes to this bug.