RFP: make spoofed orientation reflect spoofed screen dimensions
Categories
(Core :: CSS Parsing and Computation, enhancement)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox132 | --- | fixed |
People
(Reporter: thorin, Assigned: fkilic)
Details
(Whiteboard: [tor 30543][fingerprinting])
Attachments
(2 files, 1 obsolete file)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Steps to reproduce:
RFP spoofs `screen.orientation.type` and `screen.mozOrientation` as `landscape-primary`, but the css @media orientation rule is not spoofed to match
In addition, these are also not spoofed and can be used for detection
- aspect-ratio
- device-aspect-ratio
for example:
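```js
// Wrapped in a function so the return statements are valid; needs a browser (window.matchMedia).
function aspectRatioOrientation() {
  if (window.matchMedia("(aspect-ratio:1/1)").matches) return "square";
  if (window.matchMedia("(min-aspect-ratio:10000/9999)").matches) return "landscape";
  if (window.matchMedia("(max-aspect-ratio:9999/10000)").matches) return "portrait";
}
```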
see [1] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#screen
FWIW: I think we should spoof all values as landscape for desktops/laptops, and portrait for android.
Comment 1 • 5 years ago (Reporter)
[tor 30543] - https://trac.torproject.org/projects/tor/ticket/30543
Comment 2 • 17 days ago (Assignee)
This is a really hard one hahaha. The values involved here are hard to spoof, and the media query is written in rust, and we don't have any good way of checking shouldResistFingerprinting. We can check mShouldResistFingerprinting but not for individual rfp targets which would be unideal.
I guess I have to learn c++ bindings now :)
Comment 3 • 17 days ago (Assignee)
Comment 4 • 17 days ago (Assignee)
I submitted a patch but how does this prevent against width and height queries? Also I spoofed values to 16 / 9 ratio. I'm not sure if that's a good ratio, we can change it. 4/3 or something else.
Comment 5 • 16 days ago (Reporter)
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30543#note_3044372
We don't need to do anything with css/match-media. These (`-moz-device-orientation` and `device-aspect-ratio`) are already based on our spoofed screen measurements
The paradox comes from always returning `mozOrientation` and `orientation.type` as `landscape-primary` regardless (and `orientation.angle` as `0` which is fine as is). So we end up with screen dimensions that are portrait but return landscape.
Instead we should report `mozOrientation` and `orientation.type` as
- `portrait-primary` if our screen dimensions are portrait
- `landscape-primary` if our screen dimensions are square or landscape
in other words, always substitute `-primary` for `-secondary` and always base on our spoofed screen values. This does not add any entropy - the results are based on given data
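The rule in comment 5, written as a regression check over a snapshot of the reported values. This is an added example, not part of the bug thread or Gecko's code; the function names and the sample screen objects are made up for illustration.

```javascript
"use strict";

// Rule from comment 5: portrait dimensions -> portrait-primary,
// square or landscape dimensions -> landscape-primary, never "-secondary".
function expectedOrientationType(width, height) {
  if (!(width > 0 && height > 0)) {
    throw new RangeError("screen dimensions must be positive numbers");
  }
  return height > width ? "portrait-primary" : "landscape-primary";
}

// Copy the fields under test from a Screen-like object (window.screen in a browser).
function snapshot(screenLike) {
  return {
    width: screenLike.width,
    height: screenLike.height,
    type: screenLike.orientation.type,
    angle: screenLike.orientation.angle,
    mozOrientation: screenLike.mozOrientation, // may be undefined where unsupported
  };
}

// Return one message per reported value that contradicts the reported dimensions.
function findOrientationMismatches(s) {
  const want = expectedOrientationType(s.width, s.height);
  const problems = [];
  if (s.type !== want) problems.push(`orientation.type is ${s.type}, expected ${want}`);
  if (s.mozOrientation !== undefined && s.mozOrientation !== want) {
    problems.push(`mozOrientation is ${s.mozOrientation}, expected ${want}`);
  }
  if (s.angle !== 0) problems.push(`orientation.angle is ${s.angle}, expected 0`);
  return problems;
}

// Constructed samples, not captured from a real browser.
const lp = { type: "landscape-primary", angle: 0 };
const SAMPLES = {
  paradox: { width: 1000, height: 1400, orientation: lp, mozOrientation: "landscape-primary" },
  portraitOk: { width: 1000, height: 1400, orientation: { type: "portrait-primary", angle: 0 },
                mozOrientation: "portrait-primary" },
  squareOk: { width: 1000, height: 1000, orientation: lp, mozOrientation: "landscape-primary" },
  secondaryLeak: { width: 1400, height: 1000, orientation: { type: "landscape-secondary", angle: 180 },
                   mozOrientation: "landscape-secondary" },
};

for (const [name, s] of Object.entries(SAMPLES)) {
  const problems = findOrientationMismatches(snapshot(s));
  console.log(name, problems.length ? problems : "consistent");
}
```

In a browser with RFP enabled, `findOrientationMismatches(snapshot(window.screen))` should return an empty array once the orientation is derived from the spoofed dimensions.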
Comment 6 • 16 days ago (Assignee)
oh I see that makes a whole lot more sense hahahha, I'll try to match that instead. Thank you!
Comment 7 • 13 days ago (Assignee)
Pushed by fkilic@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2bac39d0488f Spoof screen orientation and angle to primary values. r=tjr,geckoview-reviewers,owlish
Comment 9 • 6 days ago
bugherder
Comment 10 • 5 days ago (Reporter)
Built from https://hg.mozilla.org/mozilla-central/rev/169a59fe35f8b31a236c9bf717a5887b51ea6757 32.0a1 (2024-09-11)
this doesn't seem to work - are you basing the orientation on our spoofed screen sizes?
Comment 11 • 5 days ago (Assignee)
oooh no, this just uses the screen properties. I'll fix it