Open Bug 1818248 Opened 2 years ago Updated 1 year ago

Update JS callers that call directly checking "privacy.resistFingerprinting" pref

Categories

(Core :: Security, enhancement)

People

(Reporter: tjr, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [fpp:m?])

There's a handful of callsites in .js and .jsm files that are directly checking the RFP pref.

Depends on: 1818250
Assignee: nobody → tschuster
Depends on: 1823396

After bug 1823396 is landed the remaining instances are:

  • 2x window sizing in browser.js and SessionStore.sys.mjs
  • A checkbox for language spoofing in dialogs/languages.js
  • Showing the canvas permission in SitePermissions.jsm
  • Exposing the RFP pref to extensions via websites.resistFingerprinting in ext-privacy.js
  • In RFPHelper.jsm for what mostly seems like window sizing?
  • Telemetry recording

None of these seem very critical, and most of the window sizing related code can't really be made precise, because we can mix different tabs in the same window.

> because we can mix different tabs in the same window

RFP only controls new window sizes on creation, not tabs. Letterboxing is a different, independent pref which, if we upload Tor Project's changes, makes it per tab (because it moves to CSS grid) and removes RFPHelper code, IIRC - see Bug 1594455. Tor Browser also did some improvements on new window sizing - perhaps we can uplift these newwin and LB patches - if you want some Tor links, sing out.

Language spoofing is somewhat broken, and is a one-off prompt - it doesn't check for non en* so misses en-CA, en-GB etc. - and spoof_english and use_us_english are incredibly biased - we should instead tighten primary + secondary languages, tighten regional locale to match language, and tighten regional locale to abide by Intl (not OS or custom) - then everyone can have language protection :)

So I wouldn't call those two critical in any way, IMO

The window sizing stuff we can leave.

It's conceivable we might fold Letterboxing into RFP/RFPLite in the future, but we will want to have more extensive discussions about how we want that to work. (e.g. are we okay with exempting a website from Letterboxing, even though it will visually jar the user that one tab is not letterboxed when others are?)

> In RFPHelper.jsm for what mostly seems like window sizing?

This is actually for the language spoofing stuff also; this file manages some stuff with Language Spoofing, but it's hidden amongst all the letterboxing code. I think we do need to do some fine-grained control of language spoofing as well as clean up some other bugs related to that feature (Bug 1671850 which Simon mentioned, Bug 1746815, Bug 1746668). But this clean-up is not urgent, and doesn't need to block other work to do away with testGranularityMask and make fine-grained RFP the default.

Assignee: tschuster → nobody
Depends on: 1837976
Whiteboard: [fpp:m?]