Open Bug 1581492 Opened Last month Updated 15 days ago

[resistFingerprinting] Performance API spoofing prevents site from loading login scripts

Categories

(Core :: DOM: Core & HTML, defect, P2)

People

(Reporter: ke5trel, Unassigned)

References

(Blocks 1 open bug, Regression, )

Details

(Keywords: regression, Whiteboard: [fingerprinting] [sci-exclude])

STR:

  1. Set privacy.resistFingerprinting.enabled = true.
  2. Visit <NSFW> https://pornhub.com/login </NSFW>.
  3. Click on the login button (no account required).

Expected:

Error appears: "Invalid username/password!"

Actual:

Nothing happens, login button is disabled. The login script (front-login.js) is not loaded, nor are many other scripts. The site assumes that if window.performance is defined then performance.timing.loadEventEnd will be greater than zero at some point but that never happens with resistFingerprinting.

timings-1.0.0.js:

if (c.loadEventEnd > 0) {
  for (var d in b.callbacks) {
    if (b.callbacks.hasOwnProperty(d)) {
      b.callback(b.callbacks[d])
    }
  }
}

Hi Tim, could you please take a look? Thanks!

Flags: needinfo?(tihuang)

This is a breakage caused by fingerprinting resistance. We intentionally spoof the performance timing to 0 when fingerprinting resistance is on in order to not expose the performance timing as a fingerprinting vector. I think maybe we can spoof the value into a different one instead of zero if zero causes breakages like this. But, we need to discuss this before we come to a conclusion.

Flags: needinfo?(tihuang)
Priority: -- → P2
Whiteboard: [fingerprinting] → [fingerprinting] [sci-exclude]
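
Added example, not part of the bug report or the site's code: a load-readiness check that does not depend on performance.timing.loadEventEnd, shown next to the timing-based check from the report. The names fragileReady, onPageLoaded, makeFakeWindow and demo are hypothetical, and the fake window is a constructed stand-in so the comparison runs outside a browser.

```javascript
// Fragile check, following the pattern quoted in the report: the page is
// considered loaded only if performance.timing.loadEventEnd is above zero.
// With privacy.resistFingerprinting enabled the value is spoofed to 0,
// so this never becomes true.
function fragileReady(win) {
  const t = win.performance && win.performance.timing;
  return Boolean(t) && t.loadEventEnd > 0;
}

// Robust check: use document.readyState and the load event, which do not
// rely on any timing value and keep working when timings are spoofed.
function onPageLoaded(win, callback) {
  if (win.document.readyState === "complete") {
    callback(); // load has already happened
    return;
  }
  win.addEventListener("load", callback, { once: true });
}

// Constructed stand-in for a browser window (assumption for this example).
// loadEventEnd is fixed at the given value; 0 models the spoofed timing.
function makeFakeWindow(loadEventEnd) {
  const listeners = [];
  return {
    document: { readyState: "loading" },
    performance: { timing: { loadEventEnd } },
    addEventListener(type, fn) {
      if (type === "load") listeners.push(fn);
    },
    fireLoad() {
      this.document.readyState = "complete";
      listeners.splice(0).forEach((fn) => fn());
    },
  };
}

// Runs both checks against one simulated page load and reports the outcome.
function demo(loadEventEnd) {
  const win = makeFakeWindow(loadEventEnd);
  let robustRan = false;
  onPageLoaded(win, () => { robustRan = true; });
  win.fireLoad();
  return { fragile: fragileReady(win), robust: robustRan };
}

console.log("spoofed timing:", demo(0));
console.log("real timing:   ", demo(1234));
```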