Initial Questions: Project/Feature Name: Shumway SWF Runtime Tracking ID: Description: (taken from sec bug verbiage) Shumway is an experimental web-native runtime implementation of the SWF file format. It is developed as a free and open source project sponsored by Mozilla Research. The project was started with two goals: 1. Advance the open web platform to process rich media formats, like SWF, that were previously only available in closed and proprietary implementations. 2. Offer a runtime processor for SWF and other rich media formats on platforms for which runtime implementations are not available. Additional Information: - https://github.com/mozilla/shumway/wiki/Intro - https://github.com/mozilla/shumway/wiki - https://wiki.mozilla.org/Shumway/Roadmap Key Initiative: Firefox Platform Release Date: 2013-12-10 Project Status: development Mozilla Data: Yes Mozilla Related: Firefox Desktop, Firefox for Android Separate Party: No
We had a user create a ticket on github about this: https://github.com/mozilla/shumway/issues/399 My thoughts on the issues they brought up: Both pieces of information (version number and font list) are available by other means, already. Since we plan on bundling Shumway, a specific version of Firefox will correspond to a specific version of Shumway. The font list is available for inspection via js, and we aren't using any privileged APIs within Shumway to get at it. One concern is, however, that we might still effectively cause users to be identified more easily. The fonts case could be an example for that: we're using readily available APIs that can already be used for thumbprinting, but we're exposing them in a way that existing tracking mechanisms consume right now, making them pick up on the information where they might not have, before.
Are we any closer to having something we might run some tests on to see what we can get out of this?
needs at least a score
I believe a great deal of this is still in flux so it's not ready for a formal review yet, but the bug at least has a risk rating for completion of this sprint
wiki page posted for input of information https://wiki.mozilla.org/Privacy/Reviews/Shumway
This Shumway bug is no longer relevant.