1607032 - RFP: make spoofed orientation reflect spoofed screen dimensions

Status: RESOLVED FIXED

(Core :: CSS Parsing and Computation, enhancement)

Description

[Thorin [:thorin]]

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

RFP spoofs screen.orientation.type and screen.mozOrientation as landscape-primary but the css @media orientation rule is not spoofed to match

In addition, these are also not spoofed and can be used for detection

• aspect-ratio**
• device-aspect-ratio

for example:
if (window.matchMedia("(aspect-ratio:1/1)").matches) return "square";
if (window.matchMedia("(min-aspect-ratio:10000/9999)").matches) return "landscape";
if (window.matchMedia("(max-aspect-ratio:9999/10000)").matches) return "portrait";

see [1] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#screen

FWIW: I think we should spoof all values as landscape for desktops/laptops, and portrait for android.

Comment 1

[Thorin [:thorin]]

[tor 30543] - https://trac.torproject.org/projects/tor/ticket/30543

Comment 2

[Fatih Kilic [:fkilic]]

This is a really hard one hahaha. The values involved here are hard to spoof, and the media query is written in rust, and we don't have any good way of checking shouldResistFingerprinting. We can check mShouldResistFingerprinting but not for individual rfp targets which would be unideal.

I guess I have to learn c++ bindings now :)

Comment 3

[Fatih Kilic [:fkilic]]

Attachment: Bug 1607032: Spoof media queries for aspect ratio properties. r?tjr

Comment 4

[Fatih Kilic [:fkilic]]

I submitted a patch but how does this prevent against width and height queries? Also I spoofed values to 16 / 9 ratio. I'm not sure if that's a good ratio, we can change it. 4/3 or something else.

Comment 5

[Thorin [:thorin]]

Attachment: screen orientation.png

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30543#note_3044372

We don't need to do anything with css/match-media. These (-moz-device-orientation and device-aspect-ratio) are already based on our spoofed screen measurements

The paradox comes from always returning mozOrientation and orientation.type as landscape-primary regardless (and orientation.angle as 0 which is fine as is). So we end up with screen dimensions that are portrait but return landscape.

Instead we should report mozOrientation and orientation.type as

• portrait-primary if our screen dimensions are portrait
• landscape-primary if is our screen dimensions are square or landscape

in other words, always substitute -primary for -secondary and always base on our spoofed screen values. This does not add any entropy - the results are based on given data

Comment 6

[Fatih Kilic [:fkilic]]

oh I see that makes whole a lot more sense hahahha, I'll try to match that instead. Thank you!

Comment 7

[Fatih Kilic [:fkilic]]

Attachment: Bug 1607032: Spoof screen orientation and angle to primary values. r?tjr

Comment 8

[Pulsebot]

Pushed by fkilic@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2bac39d0488f
Spoof screen orientation and angle to primary values. r=tjr,geckoview-reviewers,owlish

Comment 9

[Sandor Molnar[:smolnar]]

https://hg.mozilla.org/mozilla-central/rev/2bac39d0488f

Comment 10

[Thorin [:thorin]]

Built from https://hg.mozilla.org/mozilla-central/rev/169a59fe35f8b31a236c9bf717a5887b51ea6757 32.0a1 (2024-09-11)

this doesn't seem to work - are you basing the orientation on our spoofed screen sizes?

Comment 11

[Fatih Kilic [:fkilic]]

oooh no, this just uses the screen properties. I'll fix it