maximize warning panel entropy: can reveal app locale
I actually thought this had been addressed years ago (maybe it was?) but something nagged me so I did a full test, and added the PoC
Note:
- In #31598 (moved) when LB (letterboxing) is enabled, the warning panel is not used
- `extensions.torbutton.maximize_warnings_remaining` cannot be `0`
- user has to initiate FS (I could cover the entire page with an element: but they still have to click it)
- it only affects some locales, not all (but are the others robust to future changes?)
- so effectively the risk should be fairly low, but then I can also see a lot of users disabling LB (unless we do a better job of educating them: see solutions), so the risk is higher (for those exposed)
PoC
- https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html
- just click on the full screen test
- let the page load first: I had one test where the connection was a bit slow and I clicked too early, and it was all a bit laggy, and I got back 418 pixels. I could fix that by waiting a little longer to grab the second value, but not today.
Observations:
- `ja` and `ka` are unique
- `ar`, `fa`, `ko` and `zh-TW` create another bucket
- `mk` I can't test (#31725 (moved)), and `ko` needs to be confirmed (#31886 (moved))
- Can we rely on previous chrome styling to remain consistent: see the ESR60 `ka` was `42` pixels like most other languages, but it did not migrate to `40` pixels in ESR68 like most other languages.
Beware:
- I only tested at default 1000px width. The length of each localized message is not the same, so smaller windows (e.g. on smaller screens: are there any?) would provide more entropy, as some would invoke a second or third line and others not.
- Similarly, if users resize the browser, some 2-liners will become one while others won't: but users should not resize the browser unless they have LBing (in which case, the warnings are disabled)
Obligatory Pic:
- see attachment: The ESR60 based ones are for nostalgia's sake, as I upgraded my language test suite :)
Possible Solutions:
- lock the LB pref in the future
- make the warning panel the same height somehow: e.g. just force it to be 100px high or something.
- ditch the panel UX (or enhance it?) and use a different medium: end-user education: I have some other ideas but no idea how feasible they are, and they tie into informing the user about LB'ing/resizing/maximizing/FS: all in one hit
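
An added example, not part of the original report or of Tor Browser's code: a small audit that takes per-locale panel heights (as a language test suite would record them), groups locales into the buckets a page could distinguish, and shows the effect of the fixed-height mitigation from "Possible Solutions". The function names are hypothetical, the 44px and 46px heights are constructed placeholders, and `ka` = 42px assumes it kept its ESR60 height.

```javascript
// Constructed sample: warning-panel height (px) per locale at 1000px width.
// Bucket membership and the 40/42 values follow the report; 44 and 46 are
// placeholder heights, and ka = 42 assumes it kept its ESR60 value.
const measuredHeights = {
  "en-US": 40, de: 40, fr: 40, es: 40, ru: 40,
  ka: 42,
  ja: 44,
  ar: 46, fa: 46, ko: 46, "zh-TW": 46,
};

// Group locales by the only value a page can observe: the panel height.
function bucketByHeight(heights) {
  const buckets = new Map();
  for (const [locale, px] of Object.entries(heights)) {
    if (!buckets.has(px)) buckets.set(px, []);
    buckets.get(px).push(locale);
  }
  return buckets;
}

// Report each bucket's anonymity set and the bits an observer learns when a
// user lands in it (log2(total / bucket size), assuming locales equally likely).
function auditPanel(heights) {
  const total = Object.keys(heights).length;
  const rows = [...bucketByHeight(heights).entries()]
    .map(([px, locales]) => ({
      px,
      locales: locales.sort(),
      bitsRevealed: Math.log2(total / locales.length),
    }))
    .sort((a, b) => a.locales.length - b.locales.length || a.px - b.px);
  return {
    bucketCount: rows.length,
    uniqueLocales: rows.filter((r) => r.locales.length === 1)
      .map((r) => r.locales[0]).sort(),
    rows,
  };
}

// Mitigation: every locale renders the panel at one forced height.
function forceFixedHeight(heights, px) {
  return Object.fromEntries(Object.keys(heights).map((l) => [l, px]));
}

console.log("as measured:", JSON.stringify(auditPanel(measuredHeights)));
console.log("fixed 100px:",
  JSON.stringify(auditPanel(forceFixedHeight(measuredHeights, 100))));
```

Re-running the same audit with heights recorded at narrower window widths would show whether line wrapping splits the buckets further, as the "Beware" notes expect.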