Open Bug 1631301 Opened 5 years ago Updated 2 months ago

privacy.resistFingerprinting breaks entering Shift+number keycodes on noVNC console

Categories

(Core :: DOM: Security, defect, P3)

75 Branch
defect

People

(Reporter: dominik, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0

Steps to reproduce:

  1. In about:config, I set privacy.resistFingerprinting to true.
  2. I connected to my virtual private server console using NoVNC provided by the hosting service
  3. I rebooted the server and entered grub console
  4. I tried to enter some special characters that can be typed using Shift+number, e.g. ~!@#$%^&*()_+

Actual results:

The characters were typed as if I didn't have Shift pressed, i.e.
`1234567890-=

Expected results:

The expected characters should have appeared:
~!@#$%^&*()_+

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → DOM: Security
Product: Firefox → Core

This looks like the keyboard layout protection is causing problems. Although I haven't seen this issue before, this looks like it should work.

Could you provide your operating system, locale, and keyboard layout?

Flags: needinfo?(dominik)
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]

OS: Fedora 31

$ locale
LANG=en_GB.UTF-8
LC_CTYPE=pl_PL.UTF-8
LC_NUMERIC=en_GB.UTF-8
LC_TIME=en_GB.UTF-8
LC_COLLATE=pl_PL.UTF-8
LC_MONETARY=pl_PL.UTF-8
LC_MESSAGES=en_GB.UTF-8
LC_PAPER=pl_PL.UTF-8
LC_NAME=pl_PL.UTF-8
LC_ADDRESS=pl_PL.UTF-8
LC_TELEPHONE=pl_PL.UTF-8
LC_MEASUREMENT=pl_PL.UTF-8
LC_IDENTIFICATION=pl_PL.UTF-8
LC_ALL=
$ localectl status
   System Locale: LANG=en_GB.UTF-8
       VC Keymap: pl
      X11 Layout: pl
Flags: needinfo?(dominik)

Because this bug's Severity has not been changed from the default since it was filed, and its Priority is P3 (Backlog,) indicating it has been triaged, the bug's Severity is being updated to S3 (normal.)

Severity: normal → S3

I'm encountering this same issue in Proxmox's NoVNC web console:
https://forum.proxmox.com/threads/unable-to-type-special-characters-symbols-in-novnc-web-console.76136/

When privacy.resistFingerprinting is enabled, the shift key doesn't toggle number keys to their respective symbols:
Example: Holding down shift and pressing 1234567890 does not output !@#$%^&*() like it should. This is especially problematic for logging into virtual machines that have passwords that contain one of those special characters (given that the characters are also bulleted out while typing passwords, you even see the problem while it's occurring, causing lots of confusion).

I will say this: during the typing of this very post, I'm not having issues with the shift key, and privacy.resistFingerprinting is indeed enabled. Yet, in Proxmox's NoVNC web console, privacy.resistFingerprinting has to be disabled before the shift key works as expected.

Is there something that the NoVNC web console developer can do to make the shift key work with privacy.resistFingerprinting enabled? Is this a Firefox bug or a NoVNC Web console bug? Both?

I also reported this here:
https://github.com/novnc/noVNC/issues/1882

I also report the issue here:
https://bugzilla.proxmox.com/show_bug.cgi?id=5647

It seems only Mozilla can fix this.

Why is the tracking-status of this issue unconfirmed? The two links (in the two prior posts) show confirmation of this issue by multiple people from multiple projects.

Unconfirmed/New honestly doesn't make much of a difference. It's definitely a result of RFP; what we would need to determine is if it's expected behavior of RFP hiding your keyboard layout (RFP does result in website breakage and sometimes this is not-ideal but expected behavior) or if there is a bug in the RFP behavior (less likely as the code is super old and it's been used for a long time) or something in the RFP behavior we could improve with more work (i.e. we can fix this behavior so it works without revealing more information about your keyboard layout to the website).

Status: UNCONFIRMED → NEW
Ever confirmed: true