Dr. Neal Krawetz reported via HackerOne that it is possible to detect the platform a Tor Browser is running with the CSS line-height attribute: 19px is used on Linux, 19.5167px on macOS, and 19.2px or 20px on Windows.
We could think about adjusting that to 20px independent of the platform Tor Browser is running on.
Many fonts have issues with their vertical metrics. they
are used to influence the height of ascenders and depth
of descenders. Gecko uses it to calculate the line height
(font height + ascender + descender), however because of
that idiosyncratic behavior across multiple operating
systems, it can be used to identify the user's OS.
The solution proposed in the patch([1]) is to use a default factor
to be multiplied as ascender and descender. This way all operating
systems will have the same line height.
Okay, some comments. I just tested Windows and Linux builds and it seems your fix works for me. Nice! Do you have a test which let you check your patch works correctly? If not, how have you verified your patch does indeed fix the problem?
In Tor Browser (and Mozilla in Firefox) we bind our fingerprinting resistance to the privacy.resistFingerprinting preference: only when that preference is set to true all the fingerprinting patches are active. If not then the default Firefox behavior in that regard is visible. That way it is much more easier for Mozilla to upstream our patches.
Could you make sure as well that your code is only active when this preference is set to true and inactive otherwise? Bonus points for a unit test showing that your patch does indeed do what it claims it does.
Trac: Keywords: TorBrowserTeam201709R deleted, N/Aadded Status: needs_review to needs_revision
Looks good to me and works on Linux and Windows at least. The test passes as well. I wonder, though, how future-proof the test is assuming the factor 1.2 comes from NORMAL_LINE_HEIGHT_FACTOR? Adding some folks for a second review.
Trac: Cc: igt0 to igt0, mcs, brade, pospeselr, arthuredelstein
Great question, the css2 specification[1] says that the line height factor should be between 1.0 and 1.2. Mozilla uses 1.2 for some time[2] and only if the ascending and descending values are 0. Chrome has its own thing[3].
That said, for the short and medium term, I think the current test makes sense because if the line factor changes, the test will break. I tried to think about a ref test instead of JS test. However the 1.2 value would be hardcoded on it anyway.
r=brade, r=mcs
One suggestion for the test would be to add something like:
const NORMAL_LINE_HEIGHT_FACTOR = 1.2;
(and add a comment to refer back to layout/generic/ReflowInput.cpp.
Also, it seems like it is possible that the tests would fail when the anti-fingerprinting pref is turned off, e.g., if the line-height happens to really be 1.2x the font-size.
Taking that one with a fixup for the upcoming alpha (commits 323d2525 and 125ac5c7 on tor-browser-52.3.0esr-7.5-2). I think we can adapt the test during upstreaming the patch to Firefox. Thanks.
Trac: Status: needs_review to closed Resolution: N/Ato fixed
I think we should take legacy/trac#23701 (moved) right away into account and reopen this bug. I think the missing piece we want is making sure this defense is only applied to content but not the browser chrome. I am backing out the patch from our alpha branch (done with commit 5117adf6).
Trac: Resolution: fixed toN/A Status: closed to reopened
The new patch looks good to Kathy and me. We did not build and test a Windows browser to make sure that legacy/trac#23701 (moved) was fixed. Igor or Georg, did you do that?
Also, we noticed that a Math.ceil() call was removed from the test. I assume it is not needed?
The new patch looks good to Kathy and me. We did not build and test a Windows browser to make sure that legacy/trac#23701 (moved) was fixed. Igor or Georg, did you do that?
I tested in a Windows and Linux machines, however I would love to have a second person giving a try to make sure I didn't miss anything.
Also, we noticed that a Math.ceil() call was removed from the test. I assume it is not needed?