RFP: make spoofed orientation reflect spoofed screen dimensions
Categories
(Core :: CSS Parsing and Computation, enhancement)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox132 | --- | fixed |
People
(Reporter: thorin, Assigned: fkilic)
References
Details
(Whiteboard: [tor 30543][fingerprinting])
Attachments
(2 files, 1 obsolete file)
screen orientation.png
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Steps to reproduce:
RFP spoofs screen.orientation.type and screen.mozOrientation as landscape-primary but the css @media orientation rule is not spoofed to match
In addition, these are also not spoofed and can be used for detection
- aspect-ratio**
- device-aspect-ratio
for example:
if (window.matchMedia("(aspect-ratio:1/1)").matches) return "square";
if (window.matchMedia("(min-aspect-ratio:10000/9999)").matches) return "landscape";
if (window.matchMedia("(max-aspect-ratio:9999/10000)").matches) return "portrait";
see [1] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#screen
FWIW: I think we should spoof all values as landscape for desktops/laptops, and portrait for android.
|
Reporter | |
Updated•5 years ago
|
|
|
Reporter | |
Comment 1•5 years ago
|
||
[tor 30543] - https://trac.torproject.org/projects/tor/ticket/30543
|
||
Updated•5 years ago
|
|
||
Updated•2 years ago
|
|
Assignee | |
Comment 2•17 days ago
•
|
||
This is a really hard one hahaha. The values involved here are hard to spoof, and the media query is written in rust, and we don't have any good way of checking shouldResistFingerprinting. We can check mShouldResistFingerprinting but not for individual rfp targets which would be unideal.
I guess I have to learn c++ bindings now :)
|
|
Assignee | |
Comment 3•17 days ago
|
||
|
||
Updated•17 days ago
|
|
|
Assignee | |
Comment 4•17 days ago
•
|
||
I submitted a patch but how does this prevent against width and height queries? Also I spoofed values to 16 / 9 ratio. I'm not sure if that's a good ratio, we can change it. 4/3 or something else.
|
|
Reporter | |
Comment 5•16 days ago
|
||
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/30543#note_3044372
We don't need to do anything with css/match-media. These (-moz-device-orientation and device-aspect-ratio) are already based on our spoofed screen measurements
The paradox comes from always returning mozOrientation and orientation.type as landscape-primary regardless (and orientation.angle as 0 which is fine as is). So we end up with screen dimensions that are portrait but return landscape.
Instead we should report mozOrientation and orientation.type as
portrait-primaryif our screen dimensions are portraitlandscape-primaryif is our screen dimensions are square or landscape
in other words, always substitute -primary for -secondary and always base on our spoofed screen values. This does not add any entropy - the results are based on given data
|
|
Reporter | |
Updated•16 days ago
|
|
|
Assignee | |
Comment 6•16 days ago
|
||
oh I see that makes whole a lot more sense hahahha, I'll try to match that instead. Thank you!
|
|
||
Updated•13 days ago
|
|
|
Assignee | |
Comment 7•13 days ago
|
||
Pushed by fkilic@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2bac39d0488f Spoof screen orientation and angle to primary values. r=tjr,geckoview-reviewers,owlish
|
||
Comment 9•6 days ago
|
||
| bugherder | ||
|
|
Reporter | |
Comment 10•5 days ago
|
||
Built from https://hg.mozilla.org/mozilla-central/rev/169a59fe35f8b31a236c9bf717a5887b51ea6757 32.0a1 (2024-09-11)
this doesn't seem to work - are you basing the orientation on our spoofed screen sizes?
|
|
Assignee | |
Comment 11•5 days ago
|
||
oooh no, this just uses the screen properties. I'll fix it
Description
•