1977227 - Scrollbar overlay vs non-overlay is measureable

Status: NEW

(Core :: Privacy: Anti-Tracking, defect, P3)

Description

[Henry Wilkes (they/them) [:henry-x]]

It is possible for a website to detect whether a user has overlay scrollbars or not. An overlay scrollbar is a scrollbar that is drawn on top of content and does not take up any layout space in the page. They tend to be very thin to avoid covering content and disappear when the user no longer moves the mouse.

This is controlled by:

1. Accessibility settings on MacOS and Windows OS.
2. A browser setting "Allways show scrollbars" on linux systems.

The main issue is deciding whether to use overlay scrollbars or not. Personally I think we should make the RFPTarget choose non-overlay for desktop by default, because it is the accessible option.

Non-overlay scrollbar cons:

• Easier to measure the size of with javascript. In contrast, the only known measurement for overlay scrollbars requires the user to move the mouse around 20 pixels. However, the size does not vary much between platforms, so this isn't that revealing. The exceptions are covered by bug 1977222.
• The size measurement can reveal platform scaling by returning a non-integer value. Although the same information is already available via other trivial measurements. But could be unintentionally informative for simple fingerprinting scripts that do measure scrollbars but do not measure scaling.

Overlay scrollbar cons:

• These present accessibility problems (visual and interaction problems). Hence why the use of non-overlay scrollbars is controlled by accessibility settings on some operating systems. By using overlay scrollbars for the RFPTarget, we would be causing usability problems for these users.

See also the long discussion of this in tor browser's issue and a parallel discussion in bug 1397996. If you have any specific questions I can answer them here, so you don't have to scroll through all the other issues.