Security/Fingerprinting

Cross-Origin Fingerprinting Unlinkability

The anti-fingerprinting project is part of the Tor Uplift project.
Its goal is to build up the same level of fingerprinting resistance as the Tor Browser in Firefox.
Refer to the design and implementation document of the Tor Browser:
https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability

Project Schedule

Complete the implementation of MVP in Firefox 57 (2018-09-20)
- This is being tracked by three milestones M1, M2, and M3
Feature stabilization and refinement in Firefox 58 (2017-11-13)
- Perform integration test to identify regressions and Web compatibility issues
- Perform tests to verify the effectiveness of fingerprinting protection
- Fix regressions and any other issues
- Figure out the product strategy of Firefox to roll out this functionality
Ship the feature in Firefox 59 (2018-01-15)
- Tor Browser will be using Firefox ESR 59

Bug Tracking

All fingerprinting bugs are being tracked under the meta bug:
bug 1329996 - [META] Support anti-fingerprinting protection

Priority Definition

P1: MVP (Minimum Viable Product)
P2: Nice to Have
P3: Backlog
Any bug which is marked as [fp:m1-3] in the Whiteboard is also MVP, regardless of its Priority

Whiteboard Definition

[fingerprinting]: Indicate this is a fingerprinting bug
[fp:m1]: Target milestone is M1 (2017-06-12 Firefox 55)
[fp:m2]: Target milestone is M2 (2017-08-02 Firefox 56)
[fp:m3]: Target milestone is M3 (2017-09-20 Firefox 57)
[fp-backlog]: Backlog bugs

Dashboard

MVP: M1 Bugs List (2017-06-12 Firefox 55)

Full Query

ID	Summary	Status	Product	Component	Assigned to	Depends on	Whiteboard
1345322	Create the preference privacy.resistFingerprinting in firefox.js	RESOLVED	Firefox	Settings UI	Ethan Tseng [:ethan]		[fingerprinting][tor][fp:m1]
1360039	Spoof navigator.hardwareConcurrency = 2 when privacy.resistFingerprinting = true	RESOLVED	Core	DOM: Core & HTML	Chris Peterson [:cpeterson]	1217238	[tor 21675][fingerprinting][fp:m1]
1217238	Reduce precision of time exposed by Javascript (Tor 1517)	RESOLVED	Core	JavaScript: Standard Library	Jonathan Hao (inactive) [:jhao]	1430975, 1437266, 1442863	[fingerprinting][tor][fp:m1]
1367313	Add a test case to inform people when someone tries to remove prefs that have fingerprinting concerns	RESOLVED	Core	DOM: Security	Tim Huang[:timhuang]		[fingerprinting][tor][fp:m1] [domsecurity-active]
1330890	Use UTC timezone when privacy.resistFingerprinting = true [tor 16622]	RESOLVED	Core	General	Tom Ritter [:tjr] (OOTO until April)	1382840, 1385597, 1409973	[fingerprinting][tor 16622][fp:m1][fp-triaged]

5 Total; 0 Open (0%); 5 Resolved (100%); 0 Verified (0%);

MVP: M2 Bugs List (2017-08-07 Firefox 56)

Full Query

ID	Summary	Status	Product	Component	Assigned to	Depends on	Whiteboard
1330876	use properly contrasting colors if the desktop theme specifies white on black for text colors [tor 6786]	RESOLVED	Core	Graphics: Color Management	Chung-Sheng Fu [:cfu]		[fingerprinting] gfx-noted [tor][fp:m2]
1337161	Disable navigator.getGamepads() when privacy.resistFingerprinting = true	RESOLVED	Core	DOM: Device Interfaces	Chung-Sheng Fu [:cfu]		[tor][fingerprinting][fp:m2]
1369357	Making Firefox not to use site specific zoom level when 'privacy.resistFingerprinting' is true	VERIFIED	Firefox	General	Chung-Sheng Fu [:cfu]	1377820	[fingerprinting][tor][fp:m2]
1369330	Make javascript use English locale when 'privacy.resistFingerprinting' is true	RESOLVED	Core	JavaScript Engine			[fingerprinting][tor][fp:m2]
1369327	Making reader view users uniform when 'privacy.resistFingerprinting' is true	RESOLVED	Toolkit	Reader Mode	Jonathan Hao (inactive) [:jhao]		[fingerprinting][tor][fp:m2]
1333641	Disable WebSpeech API when privacy.resistFingerprinting is enabled	RESOLVED	Core	Web Speech	Tim Huang[:timhuang]		[tor][fingerprinting][fp:m2]
1333651	Spoofing Navigator API when resisting fingerprinting is enabled	RESOLVED	Core	DOM: Security	Tim Huang[:timhuang]	1337161, 1369303	[tor][fingerprinting][domsecurity-backlog1][fp:m2]
1369303	Spoof/Disable performance API when 'privacy.resistFingerprinting' is true	VERIFIED	Core	DOM: Core & HTML	Tim Huang[:timhuang]		[fingerprinting][tor][fp:m2]
1369309	Neutralize the threat of fingerprinting of media statistics when 'privacy.resistFingerprinting' is true	VERIFIED	Core	Security	Tim Huang[:timhuang]		[fingerprinting][tor][fp:m2]
1369319	Disable device sensors when 'privacy.resistFingerprinting' is true	RESOLVED	Core	DOM: Device Interfaces	Tim Huang[:timhuang]	1390391	[fingerprinting][tor][fp:m2]
1369328	Open popup windows in new tabs when 'privacy.resistFingerprinting' = true	RESOLVED	Core	DOM: Security	Tim Huang[:timhuang]		[fingerprinting][tor][fp:m2][domsecurity-active]
1372069	Neutralize the threat of fingerprinting of geolocation API when 'privacy.resistFingerprinting' is true	RESOLVED	Core	DOM: Geolocation	Tim Huang[:timhuang]		[fingerprinting][tor][fp:m2]
1372072	Neutralize the threat of fingerprinting of network information API when 'privacy.resistFingerprinting' is true	RESOLVED	Core	DOM: Core & HTML	Tim Huang[:timhuang]		[fingerprinting][tor][fp:m2]

13 Total; 0 Open (0%); 10 Resolved (76.92%); 3 Verified (23.08%);

MVP: M3 Bugs List (2017-09-25 Firefox 57)

Full Query

ID	Summary	Status	Product	Component	Assigned to	Depends on	Whiteboard
1383495	Spoofing Navigator API platform as Win64 when resisting fingerprinting is enabled	RESOLVED	Core	DOM: Security	Ethan Tseng [:ethan]	1472618	[tor][fingerprinting][fp:m3][domsecurity-active]
863246	resource:// URIs leak information (Tor 8725)	VERIFIED	Core	Security	Chung-Sheng Fu [:cfu]	1395286, 1395486, 1433715	[tor][fingerprinting][fp:m3]
967895	Prompt (w/ Site Permission) before allowing content to extract canvas data (Tor 6253)	RESOLVED	Core	Graphics: Canvas2D	Chung-Sheng Fu [:cfu]	1260931, 1382111, 1412961, 1415874, 1431909, 1452391, 1453916	[tor][fingerprinting][fp:m3][ux]
1039069	Warn the user that customizing the preferred language list (Accept-Language) can be used for fingerprinting	RESOLVED	Firefox	Settings UI	Chung-Sheng Fu [:cfu]	1515001	[tor][fingerprinting][fp:m3][ux]
1217290	Add fingerprinting resistance for WebGL (Tor 16005)	RESOLVED	Core	Graphics: CanvasWebGL	Chung-Sheng Fu [:cfu]		[tor][tor-standalone][fingerprinting][fp:m3]
1354633	blank MediaError.message when resisting fingerprinting	RESOLVED	Core	Audio/Video: Playback	Chung-Sheng Fu [:cfu]		[tor 21792][fingerprinting][fp:m3]
1372073	Neutralize the threat of fingerprinting of media devices API when 'privacy.resistFingerprinting' is true	RESOLVED	Core	WebRTC: Audio/Video	Chung-Sheng Fu [:cfu]		[fingerprinting][tor][fp:m3]
1382499	Touch API leaks absolute screen coordinates	RESOLVED	Core	DOM: Events	Chung-Sheng Fu [:cfu]		[tor 10286][fingerprinting][fp:m3]
1382533	When resisting fingerprinting, don't expose local IP Addresses via mDNS	RESOLVED	Core	DOM: Core & HTML	Chung-Sheng Fu [:cfu]		[tor 22165][fingerprinting][fp:m3]
1382111	UX improvement for permission prompt to allow extracting HTML5 Canvas data	VERIFIED	Toolkit Graveyard	Notifications and Alerts	Jacqueline Savory [:jsavory] UX		[tor][fingerprinting][fp:m3][ux]
1330892	<isindex> leaks user locale	RESOLVED	Core	DOM: HTML Parser		1266495	[fingerprinting][tor][fp:m3]
1222285	Keyboard layout is leaked by KeyboardEvent	RESOLVED	Core	DOM: UI Events & Focus Handling	Tim Huang[:timhuang]	1439784, 1433592, 1438795, 1470828	[tor 15646][tor 17009][tor-standalone][fingerprinting][fp:m3][fp-triaged]
1382545	Animation API exposes high-res time stamp	RESOLVED	Core	DOM: Animation	Tim Huang[:timhuang]	1217238	[tor 16337][fingerprinting][fp:m3]
1384330	Don't expose window.navigator.mozAddonManager data when privacy.resistFingerprinting=true	VERIFIED	Toolkit	Add-ons Manager	Tim Huang[:timhuang]		[tor 21684][fingerprinting][fp:m3]

14 Total; 0 Open (0%); 11 Resolved (78.57%); 3 Verified (21.43%);

MVP: Bugs To Be Triaged

The following bugs are MVP bugs which are not specified priority yet.

No results.

0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);

Fingerprinting P2 Bugs List

<disabled-bugzilla>

   {
       "blocks":"1329996",
       "status":["NEW", "ASSIGNED", "REOPENED", "RESOLVED", "VERIFIED"], 
       "priority":["P2"], 
       "include_fields": "id, summary, status, product, component, assigned_to, depends_on, whiteboard",
       "order": "status, assigned_to"
   }

</disabled-bugzilla>

Fingerprinting P3-P5 Bugs List

<disabled-bugzilla>

   {
       "blocks":"1329996",
       "status":["NEW", "ASSIGNED", "REOPENED", "RESOLVED", "VERIFIED"], 
       "priority":["P3", "P4", "P5", "--"], 
       "include_fields": "id, summary, status, priority, product, component, assigned_to, depends_on, whiteboard",
       "order": "status, assigned_to"
   }

</disabled-bugzilla>

Fingerprinting Breakage

Full Query

ID	Summary	Status	Product	Component	Assigned to	Depends on	Whiteboard
1433592	Browser keyboard shortcuts (eg copy Ctrl+C) don't work on sites that use those keys with resistFingerprinting enabled	VERIFIED	Core	DOM: UI Events & Focus Handling	Arthur Edelstein [:arthur]		[fingerprinting-breakage][tor 17009]
1409677	WebGL fails to initialize when resistFingerprint is enabled	RESOLVED	Core	Graphics: CanvasWebGL	Daosheng Mu[:daoshengmu]		[tor][fingerprinting-breakage][fp:backlog][gfx-noted]
1408702	Resist fingerprinting causes scrollbar glitch in Firefox 58	RESOLVED	Core	Layout	Emilio Cobos Álvarez [:emilio]		[tor][fingerprinting-breakage]
1453916	Fix canvas APIs in extension content scripts when resistFingerprinting is enabled	VERIFIED	Core	Graphics: Canvas2D	Tom S. (please needinfo tschuster)	1412961	[fingerprinting][fingerprinting-breakage][gfx-noted]
1364261	Make UTC Timezone Spoofing optional when privacy.resistfingerprinting = true	RESOLVED	Core	Privacy: Anti-Tracking		1401440	[tor][fingerprinting-breakage][fp-backlog][fp-triaged]
1396322	privacy.resist.fingerprinting breaks Tampermonkey	RESOLVED	WebExtensions	General			[fingerprinting-breakage]
1405810	Setting privacy.resistFingerprinting=true breaks cmd keyboard shortcuts for Google Docs on OSX	RESOLVED	Core	DOM: Security		1404608	[domsecurity-backlog1][tor][fingerprinting-breakage][fp-triaged]
1409809	Constantly remind people about privacy.resistFingerprinting	RESOLVED	Firefox	Security			[fingerprinting-breakage]
1436309	resistFingerprinting prevents browser shortcuts to work in some pages	RESOLVED	Core	DOM: UI Events & Focus Handling			[fingerprinting-breakage]
1438474	resistFingerprinting breaks taking screenshots	RESOLVED	Core	Security			[fingerprinting-breakage]
1452391	PNG favicons show up as white square when privacy.resistFingerprinting is enabled	RESOLVED	Core	Graphics: Canvas2D			[fingerprinting-breakage]
1466326	privacy.resistFingerprinting set to true breaks Proxy Switcher and Manager	RESOLVED	Core	Graphics: Canvas2D			[fingerprinting-breakage]
1412961	Fix canvas APIs in extension documents when resistFingerprinting is enabled	RESOLVED	Core	Graphics: Canvas2D	Tim Nguyen :ntim		[fingerprinting][fingerprinting-breakage]
1404608	Do not lie about Operating System when privacy.resistFingerprinting is true	RESOLVED	Core	DOM: Security	Tim Huang[:timhuang]		[domsecurity-backlog3][fingerprinting-breakage]
1447592	Don't reset privacy.spoof_english when privacy.resistFingerprinting is flipped back to false	RESOLVED	Firefox	Security	Tom Ritter [:tjr] (OOTO until April)		[fingerprinting-breakage]

15 Total; 0 Open (0%); 13 Resolved (86.67%); 2 Verified (13.33%);

All Open Tagged Fingerprinting Bugs

<disabled-bugzilla>

   {
       "status":["NEW", "ASSIGNED", "REOPENED"],
       "whiteboard":["fingerprinting"],
       "include_fields": "id, summary, status, product, component, assigned_to, depends_on, whiteboard",
       "order": "status, assigned_to"
   }

</disabled-bugzilla>

Fingerprinting Resolved Bugs

<disabled-bugzilla>

   {
       "blocks":"1329996",
       "status":["RESOLVED", "VERIFIED"], 
       "include_fields": "id, summary, priority, product, component, assigned_to, depends_on, whiteboard",
       "order": "assigned_to"
   }

</disabled-bugzilla>