Look into Yan's browser fingerprinting tricks
Yan has a brilliant slide deck on browser fingerprinting, here: https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf
We need to figure out which of these vulnerabilities Tor Browser has, and fix them. Do we need to isolate HSTS and HPKP caches to URL bar domain? Apparently legacy/trac#1517 (moved) (reduce JS time precision) helps protect Tor Browser from Yan's implementations, but there may be ways around that limitation.
There is also a demo here: https://zyan.scripts.mit.edu/sniffly/