RFP: harden network information protection
Categories
(Core :: DOM: Core & HTML, enhancement)
Tracking
()
People
(Reporter: thorin, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [fingerprinting])
Attachments
(1 file)
11.55 KB,
image/png
|
Details |
In Bug 1372072, when dom.netinfo.enabled
= true, we return type
as unknown
[1] and block the ontypechange event [2]. AFAICT desktop has always had this pref as false. Starting in FF99 in Bug 1637922, this pref is also false
on Android.
RFP could instead always read/return dom.netinfo.enabled
as false (same as how some other RFP protections ignore prefs). This would harden against users tampering via a pref, and perhaps be simpler
[1] https://searchfox.org/mozilla-central/source/dom/network/Connection.h#43-47
[2] https://searchfox.org/mozilla-central/source/dom/network/Connection.h#63-67
[2] current test: https://searchfox.org/mozilla-central/source/browser/components/resistfingerprinting/test/browser/browser_netInfo.js
Reporter | ||
Comment 1•2 years ago
|
||
https://bugzilla.mozilla.org/show_bug.cgi?id=1777614#c3
There's currently no mechanic to exempt a particular API from RFP
But we do do it? example speech engines where we return none
Anyway, this just looks weird should someone deviate from dom.netinfo's default
Updated•1 year ago
|
Comment 2•4 months ago
|
||
We don't need to protect users from every hidden pref they can flip.
Reporter | ||
Comment 3•4 months ago
|
||
Or alternatively, rip out the useless code and free up a Target
Description
•