Skip to content

GitLab

Open
Created by Thorin@thorin🐈

maximize warning panel entropy: can reveal app locale

I actually thought this had been addressed years ago (maybe it was?) but something nagged me so I did a full test, and added the PoC

Note:

  • In legacy/trac#31598 (moved) when LB (letterboxing) is enabled, the warning panel is not used
  • extensions.torbutton.maximize_warnings_remaining cannot be 0
  • user has to initiate FS (I could cover the entire page with an element: but they still have to click it)
  • it only affects some locales, not all (but are the others robust to future changes?)
  • so effectively the risk should be fairly low, but then I can also see a lot of users disabling LB (unless we do a better job of educating them: see solutions), so the risk is higher (for those exposed)

PoC

  • https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html
  • just click on the full screen test
  • let the page load first: I had one test where the connection was a bit slow and I clicked too early, and it was all a bit laggy, and I got back 418 pixels. I could fix that by waiting a little longer to grab the second value, but not today.

Observations:

  • ja and ka are unique
  • ar, fa, ko and zh-TW create another bucket
  • mk I can't test (legacy/trac#31725 (moved)), and ko needs to be confirmed (legacy/trac#31886 (moved))
  • Can we rely on previous chrome styling to remain consistent: see the ESR60 ka was 42 pixels like most other languages, but it did not migrate to 40 pixels in ESR68 like most other languages.

Beware:

  • I only tested at default 1000px width. The length of each localized message is not the same, so smaller windows (e.g on smaller screens: are there any?) would provide more entropy, as some would invoke a second or third line and others not.
  • Similarly, if users resize the browser, some 2-liners will become one while others won't: but users should not resize the browser unless they have LBing (in which case, the warnings are disabled)

Obligatory Pic:

  • see attachment: The ESR60 based ones are for nostalgia's sake, as I upgraded my language test suite :)

Possible Solutions:

  • lock the LB pref in the future
  • make the warning panel the same height somehow: e.g just force it to be 100px high or something.
  • ditch the panel UX (or enhance it?) and use a different medium: end-user education: I have some other ideas but no idea how feasible they are, and they tie into informing the user about LB'ing/resizing/maximizing/FS: all in one hit
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information