Closed Bug 1818894 Opened 2 years ago Closed 4 months ago

RFP: harden network information protection

Categories

(Core :: DOM: Core & HTML, enhancement)

Product:
Core
Component:
DOM: Core & HTML
Type:
enhancement

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: thorin, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [fingerprinting])

Attachments

(1 file)

example.png
11.55 KB, image/png
Details

In Bug 1372072, when dom.netinfo.enabled = true, we return type as unknown [1] and block the ontypechange event [2]. AFAICT desktop has always had this pref as false. Starting in FF99 in Bug 1637922, this pref is also false on Android.

RFP could instead always read/return dom.netinfo.enabled as false (same as how some other RFP protections ignore prefs). This would harden against users tampering via a pref, and perhaps be simpler

[1] https://searchfox.org/mozilla-central/source/dom/network/Connection.h#43-47
[2] https://searchfox.org/mozilla-central/source/dom/network/Connection.h#63-67
[2] current test: https://searchfox.org/mozilla-central/source/browser/components/resistfingerprinting/test/browser/browser_netInfo.js

Flags: needinfo?(tom)
Attached image example.png

https://bugzilla.mozilla.org/show_bug.cgi?id=1777614#c3

There's currently no mechanic to exempt a particular API from RFP

But we do do it? example speech engines where we return none

Anyway, this just looks weird should someone deviate from dom.netinfo's default

Flags: needinfo?(tom)
Blocks: uplift_tor_fingerprinting
Whiteboard: [fingerprinting]

We don't need to protect users from every hidden pref they can flip.

Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → WONTFIX

Or alternatively, rip out the useless code and free up a Target

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: