Closed Bug 1581492 Opened 2 years ago Closed 10 months ago

[resistFingerprinting] Performance API spoofing prevents site from loading login scripts

Categories

(Core :: DOM: Security, defect, P3)

defect

Tracking

()

RESOLVED DUPLICATE of bug 1637985

People

(Reporter: ke5trel, Unassigned)

References

(Blocks 1 open bug, Regression, )

Details

(Keywords: regression, Whiteboard: [fingerprinting] [sci-exclude][domsecurity-backlog1])

STR:

  1. Set privacy.resistFingerprinting.enabled = true.
  2. Visit <NSFW> https://pornhub.com/login </NSFW>.
  3. Click on the login button (no account required).

Expected:

Error appears: "Invalid username/password!"

Actual:

Nothing happens, login button is disabled. The login script (front-login.js) is not loaded, nor are many other scripts. The site assumes that if window.performance is defined then performance.timing.loadEventEnd will be greater than zero at some point but that never happens with resistFingerprinting.

timings-1.0.0.js:

if (c.loadEventEnd > 0) {
  for (var d in b.callbacks) {
    if (b.callbacks.hasOwnProperty(d)) {
      b.callback(b.callbacks[d])
    }
  }
}

Hi Tim, could you please take a look? Thanks!

Flags: needinfo?(tihuang)

This is a breakage caused by fingerprinting resistance. We intentionally spoof the performance timing to 0 when fingerprinting resistance is on in order to not expose the performance timing as a fingerprinting vector. I think maybe we can spoof the value into a different one instead of zero if zero causes breakages like this. But, we need to discuss this before we get into a conclusion.

Flags: needinfo?(tihuang)
Whiteboard: [fingerprinting] → [fingerprinting] [sci-exclude]
Component: DOM: Core & HTML → DOM: Security
Priority: P2 → --
Priority: -- → P3
Whiteboard: [fingerprinting] [sci-exclude] → [fingerprinting] [sci-exclude][domsecurity-backlog1]
Severity: normal → S3
See Also: → 1637985
Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1637985
See Also: 1637985
You need to log in before you can comment on or make changes to this bug.