css @media RFP + window/screen leaks
Categories
(Core :: CSS Parsing and Computation, defect, P3)
Tracking
()
People
(Reporter: thorin, Unassigned)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
|
176.29 KB,
image/jpeg
|
Details |
example
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Steps to reproduce:
In bug 418986 , RFP returns various screen/window metrics as the inner window measurement. This patch also covered [some] css media queries
issue
On devices with a devicePixelRatio !== 1 (results will vary), entropy can be leaked by css and matchmedia queries, when min and max values differ
- screen: @media
min-device-height(andmin-device-widthI assume) - window: @media
min-height(andmin-widthI assume) - all the above using a binary method in matchmedia
example
In this example, my phone's devicePixelRatio (dPR) is approx 2.61. I have RFP enabled.
The two matchMedia results show that dPR is not 1, and depending on the actual dPR, the value returned will not be an integer and provides entropy. How much entropy is unknown, but it's not a boolean
The same can happen with pure css, where the result is e.g. 1799 instead of 1800 (so a true/false bit entropy)
possible solutions
When RFP = true, for pure css, and for matchMedia (for the above metrics)
- always round, so at worst it's only a binary entropy
- always return max values for min values. Would this cause breakage?
- always return an integer, rounded up (is that the same as the previous point?)
|
Reporter | |
Updated•4 years ago
|
|
|
Reporter | |
Comment 1•4 years ago
|
||
also see bug 1607027 - maybe the answer lies in fixing the underlying devicePixelRatio (which also leaks under css @media and matchMedia)
|
||
Updated•4 years ago
|
|
|
Reporter | |
Comment 2•4 years ago
|
||
well, if you're adding blocks, don't forget the other one... bug 1607032 :)
|
||
Updated•4 years ago
|
|
|
Reporter | |
Updated•1 year ago
|
|
|
Reporter | |
Updated•1 year ago
|
Description
•