Open Bug 787296 Opened 8 years ago Updated 2 years ago
Kill all web access to screen/chrome metrics and theme information
Probably this is a known issue of sorts, but I wanted to jog it to be fixed, and hopefully the testcases are handy. This issue has always bothered me but now I understand it better I'm losing sleep and appetite over it. I'd like to try to help fix it, rather than just reporting and complaining, but it's far beyond my abilities and I only have 1 gigabyte of RAM which I'm told is not enough to compile Firefox. All I can do is ask and hope that the experts care to give it their time. Thanks again for reading.

Here is an online copy of the attachment, since it does not seem to display on Bugzilla itself: http://eb0b428b.byethost7.com/screen.html
We might be able to make window.fullScreen privileged-code-only.

> The media queries features regarding themes are absolutely diabolical

Which ones? Restricting things like that to not match in content is probably not hard, if you have specific ones that shouldn't match there. Filing bugs on those, blocking this bug, is probably the way to go.

I wonder how much it would break to neuter window.screen as you suggest... We might be able to get away with that....
Status: UNCONFIRMED → NEW
Ever confirmed: true
(In reply to Boris Zbarsky (:bz) from comment #2)
> > The media queries features regarding themes are absolutely diabolical
> Which ones?

Hello. These are the worst:

-moz-mac-graphite-theme
-moz-mac-lion-theme
-moz-maemo-classic
-moz-windows-classic
-moz-windows-compositor
-moz-windows-default-theme
-moz-windows-theme

It's none of web sites' business which theme people use.

And I think these are probably useless:

-moz-scrollbar-end-backward
-moz-scrollbar-end-forward
-moz-scrollbar-start-backward
-moz-scrollbar-start-forward
-moz-scrollbar-thumb-proportional
-moz-menubar-drag

That's all the -moz ones except -moz-device-pixel-ratio and -moz-touch-enabled.

Honestly, google "-moz-menubar-drag": https://www.google.com/search?q=%22-moz-menubar-drag%22

Whatever it does, not one result relates to using it in practice and the top result turns out to be a test script related to a third-party patch which ultimately removes the feature for privacy reasons! (https://gitweb.torproject.org/torbrowser.git/blob/HEAD:/src/current-patches/firefox/alpha/0009-Limit-device-and-system-specific-CSS-Media-Queries.patch)

> I wonder how much it would break to neuter window.screen as you suggest... We might be able to get away with that....

I hope so. I think it would be OK. It would have to be a fairly silly website if it bothered to check those values but still depended on them reporting particular frame or screen layout.
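The media features listed in the comment above can double as an audit list. The following is an added example, not part of the bug thread or of Mozilla's code: it scans stylesheet text and reports every `@media` query that tests one of those features. The function names and the sample stylesheet are constructed for illustration.

```javascript
// Media features named in the comment above, grouped as the commenter grouped them.
const THEME_FEATURES = [
  "-moz-mac-graphite-theme", "-moz-mac-lion-theme", "-moz-maemo-classic",
  "-moz-windows-classic", "-moz-windows-compositor",
  "-moz-windows-default-theme", "-moz-windows-theme",
];
const CHROME_FEATURES = [
  "-moz-scrollbar-end-backward", "-moz-scrollbar-end-forward",
  "-moz-scrollbar-start-backward", "-moz-scrollbar-start-forward",
  "-moz-scrollbar-thumb-proportional", "-moz-menubar-drag",
];

// Constructed sample stylesheet (not taken from any real site).
const SAMPLE_CSS = `
/* @media (-moz-windows-classic) { body { color: red } } */
@media screen and (-moz-windows-theme: aero) { #a { color: blue } }
@media (-moz-mac-graphite-theme), (-moz-menubar-drag) { #b { width: 1px } }
@media (min-width: 600px) { .col { float: left } }
`;

// Remove CSS comments so commented-out rules are not reported.
function stripComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, " ");
}

// Return one finding per listed feature tested in an @media prelude.
function auditStylesheet(css) {
  const findings = [];
  const mediaRule = /@media\s*([^{;]+)\{/gi;
  const clean = stripComments(css);
  let m;
  while ((m = mediaRule.exec(clean)) !== null) {
    const query = m[1].trim();
    // A feature test is written "(name)" or "(name: value)".
    const featureTest = /\(\s*([-a-z]+)\s*(?::[^)]*)?\)/gi;
    let f;
    while ((f = featureTest.exec(query)) !== null) {
      const name = f[1].toLowerCase();
      const group = THEME_FEATURES.includes(name) ? "theme"
        : CHROME_FEATURES.includes(name) ? "chrome" : null;
      if (group) findings.push({ feature: name, group, query });
    }
  }
  return findings;
}
```

Only `@media` rules in stylesheet text are covered; media queries supplied through `@import`, `<link media>` or `window.matchMedia()` would need separate handling.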
Attachment #657114 - Attachment mime type: text/plain → text/html
> These are the worst:

OK. Could you please file a bug on those, on the style system?
OK I'll try. I'm not familiar with how things work here so I hope I fill it out right. Here we go: https://bugzilla.mozilla.org/show_bug.cgi?id=787521
So what now? I'm trying to be patient but these vulnerabilities are serious and need to be fixed.