Security/Fingerprinting
< Security
Jump to navigation
Jump to search
Cross-Origin Fingerprinting Unlinkability
The anti-fingerprinting project is part of the Tor Uplift project.
Its goal is to build up the same level of fingerprinting resistance as the Tor Browser in Firefox.
Refer to the design and implementation document of the Tor Browser:
https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability
Bug Tracking
All fingerprinting bugs are being tracked under the meta bug:
bug 1329996 - [META] Support anti-fingerprinting protection
Priority Definition
- P1: MVP (Minimum Viable Product)
- P2: Nice to Have
- P3: Backlog
Whiteboard Definition
- [fingerprinting]: Indicate this is a fingerprinting bug
- [fp:m1]: Target milestone is M1 (2017-06-12 Firefox 56)
- [fp:m2]: Target milestone is M2 (2017-08-07 Firefox 57)
- [fp:m3]: Target milestone is M3 (2017-09-25 Firefox 58)
Dashboard
MVP: M1 Bugs List (2017-06-12 Firefox 56)
| ID | Summary | Status | Product | Component | Assigned to | Depends on | Whiteboard |
|---|---|---|---|---|---|---|---|
| 1345322 | Create the preference privacy.resistFingerprinting in firefox.js | RESOLVED | Firefox | Settings UI | Ethan Tseng [:ethan] | [fingerprinting][tor][fp:m1] | |
| 1360039 | Spoof navigator.hardwareConcurrency = 2 when privacy.resistFingerprinting = true | RESOLVED | Core | DOM: Core & HTML | Chris Peterson [:cpeterson] | 1217238 | [tor 21675][fingerprinting][fp:m1] |
| 1217238 | Reduce precision of time exposed by Javascript (Tor 1517) | RESOLVED | Core | JavaScript: Standard Library | Jonathan Hao (inactive) [:jhao] | 1430975, 1437266, 1442863 | [fingerprinting][tor][fp:m1] |
| 1367313 | Add a test case to inform people when someone tries to remove prefs that have fingerprinting concerns | RESOLVED | Core | DOM: Security | Tim Huang[:timhuang] | [fingerprinting][tor][fp:m1] [domsecurity-active] | |
| 1330890 | Use UTC timezone when privacy.resistFingerprinting = true [tor 16622] | RESOLVED | Core | General | Tom Ritter [:tjr] | 1382840, 1385597, 1409973 | [fingerprinting][tor 16622][fp:m1][fp-triaged] |
5 Total; 0 Open (0%); 5 Resolved (100%); 0 Verified (0%);
MVP: M2 Bugs List (2017-08-07 Firefox 57)
| ID | Summary | Status | Product | Component | Assigned to | Depends on | Whiteboard |
|---|---|---|---|---|---|---|---|
| 1330876 | use properly contrasting colors if the desktop theme specifies white on black for text colors [tor 6786] | RESOLVED | Core | Graphics: Color Management | Chung-Sheng Fu [:cfu] | [fingerprinting] gfx-noted [tor][fp:m2] | |
| 1337161 | Disable navigator.getGamepads() when privacy.resistFingerprinting = true | RESOLVED | Core | DOM: Device Interfaces | Chung-Sheng Fu [:cfu] | [tor][fingerprinting][fp:m2] | |
| 1369357 | Making Firefox not to use site specific zoom level when 'privacy.resistFingerprinting' is true | VERIFIED | Firefox | General | Chung-Sheng Fu [:cfu] | 1377820 | [fingerprinting][tor][fp:m2] |
| 1369330 | Make javascript use English locale when 'privacy.resistFingerprinting' is true | RESOLVED | Core | JavaScript Engine | [fingerprinting][tor][fp:m2] | ||
| 1369327 | Making reader view users uniform when 'privacy.resistFingerprinting' is true | RESOLVED | Toolkit | Reader Mode | Jonathan Hao (inactive) [:jhao] | [fingerprinting][tor][fp:m2] | |
| 1333641 | Disable WebSpeech API when privacy.resistFingerprinting is enabled | RESOLVED | Core | Web Speech | Tim Huang[:timhuang] | [tor][fingerprinting][fp:m2] | |
| 1333651 | Spoofing Navigator API when resisting fingerprinting is enabled | RESOLVED | Core | DOM: Security | Tim Huang[:timhuang] | 1337161, 1369303 | [tor][fingerprinting][domsecurity-backlog1][fp:m2] |
| 1369303 | Spoof/Disable performance API when 'privacy.resistFingerprinting' is true | VERIFIED | Core | DOM: Core & HTML | Tim Huang[:timhuang] | [fingerprinting][tor][fp:m2] | |
| 1369309 | Neutralize the threat of fingerprinting of media statistics when 'privacy.resistFingerprinting' is true | VERIFIED | Core | Security | Tim Huang[:timhuang] | [fingerprinting][tor][fp:m2] | |
| 1369319 | Disable device sensors when 'privacy.resistFingerprinting' is true | RESOLVED | Core | DOM: Device Interfaces | Tim Huang[:timhuang] | 1390391 | [fingerprinting][tor][fp:m2] |
| 1369328 | Open popup windows in new tabs when 'privacy.resistFingerprinting' = true | RESOLVED | Core | DOM: Security | Tim Huang[:timhuang] | [fingerprinting][tor][fp:m2][domsecurity-active] | |
| 1372069 | Neutralize the threat of fingerprinting of geolocation API when 'privacy.resistFingerprinting' is true | RESOLVED | Core | DOM: Geolocation | Tim Huang[:timhuang] | [fingerprinting][tor][fp:m2] | |
| 1372072 | Neutralize the threat of fingerprinting of network information API when 'privacy.resistFingerprinting' is true | RESOLVED | Core | DOM: Core & HTML | Tim Huang[:timhuang] | [fingerprinting][tor][fp:m2] |
13 Total; 0 Open (0%); 10 Resolved (76.92%); 3 Verified (23.08%);
MVP: M3 Bugs List (2017-09-25 Firefox 58)
| ID | Summary | Status | Product | Component | Assigned to | Depends on | Whiteboard |
|---|---|---|---|---|---|---|---|
| 863246 | resource:// URIs leak information (Tor 8725) | VERIFIED | Core | Security | Chung-Sheng Fu [:cfu] | 1395286, 1395486, 1433715 | [tor][fingerprinting][fp:m3] |
| 967895 | Prompt (w/ Site Permission) before allowing content to extract canvas data (Tor 6253) | RESOLVED | Core | Graphics: Canvas2D | Chung-Sheng Fu [:cfu] | 1260931, 1382111, 1412961, 1415874, 1431909, 1452391, 1453916 | [tor][fingerprinting][fp:m3][ux] |
| 1039069 | Warn the user that customizing the preferred language list (Accept-Language) can be used for fingerprinting | RESOLVED | Firefox | Settings UI | Chung-Sheng Fu [:cfu] | 1515001 | [tor][fingerprinting][fp:m3][ux] |
| 1217290 | Add fingerprinting resistance for WebGL (Tor 16005) | RESOLVED | Core | Graphics: CanvasWebGL | Chung-Sheng Fu [:cfu] | [tor][tor-standalone][fingerprinting][fp:m3] | |
| 1330892 | <isindex> leaks user locale | RESOLVED | Core | DOM: HTML Parser | 1266495 | [fingerprinting][tor][fp:m3] | |
| 1222285 | Keyboard layout is leaked by KeyboardEvent | RESOLVED | Core | DOM: UI Events & Focus Handling | Tim Huang[:timhuang] | 1439784, 1433592, 1438795, 1470828 | [tor 15646][tor 17009][tor-standalone][fingerprinting][fp:m3][fp-triaged] |
6 Total; 0 Open (0%); 5 Resolved (83.33%); 1 Verified (16.67%);
Fingerprinting P2 Bugs List
| ID | Summary | Status | Product | Component | Assigned to | Depends on | Whiteboard |
|---|---|---|---|---|---|---|---|
| 467035 | <!DOCTYPE> ignores contentaccessible, leaks DTD strings and therefore browser UI locale | RESOLVED | Core | XML | Alex Catarineu (Tor Browser dev) | 1228117 | [sg:low][fingerprinting][fp-triaged][tor 30304][adv-main70-] |
| 1396468 | Spoof navigator.oscpu as 'Windows NT 6.1; Win64; x64' when resisting fingerprinting is enabled | RESOLVED | Core | DOM: Security | Ethan Tseng [:ethan] | [tor][fingerprinting][domsecurity-active] | |
| 1393283 | privacy.resistFingerprinting should change the user agent to 52, not 50 | RESOLVED | Core | DOM: Security | Ethan Tseng [:ethan] | [tor][fingerprinting][domsecurity-active] | |
| 1433592 | Browser keyboard shortcuts (eg copy Ctrl+C) don't work on sites that use those keys with resistFingerprinting enabled | VERIFIED | Core | DOM: UI Events & Focus Handling | Arthur Edelstein [:arthur] | [fingerprinting-breakage][tor 17009] | |
| 1354633 | blank MediaError.message when resisting fingerprinting | RESOLVED | Core | Audio/Video: Playback | Chung-Sheng Fu [:cfu] | [tor 21792][fingerprinting][fp:m3] | |
| 1382533 | When resisting fingerprinting, don't expose local IP Addresses via mDNS | RESOLVED | Core | DOM: Core & HTML | Chung-Sheng Fu [:cfu] | [tor 22165][fingerprinting][fp:m3] | |
| 1511763 | privacy.resistFingerprinting: Fix calculation of spoofed ESR version for ESR >= 68.0 | RESOLVED | Core | DOM: Security | Chris Peterson [:cpeterson] | [domsecurity-active][fp-triaged] | |
| 1511434 | privacy.resistFingerprinting: Change spoofed OS version to Windows 10 and macOS 10.14 | RESOLVED | Core | DOM: Security | Chris Peterson [:cpeterson] | [tor][fingerprinting][domsecurity-active][fp-triaged] | |
| 1408702 | Resist fingerprinting causes scrollbar glitch in Firefox 58 | RESOLVED | Core | Layout | Emilio Cobos Álvarez (:emilio) | [tor][fingerprinting-breakage] | |
| 1436226 | Hardcode VP8/VP9 algorithm choice when resisting fingerprinting | RESOLVED | Core | Audio/Video: Playback | Fatih Kilic [:fkilic] | [tor 22548] [fingerprinting][fp-triaged] | |
| 1876636 | With privacy.resistFingerprinting track.label & track.getSettings().deviceId differ from enumerateDevices() | RESOLVED | Core | WebRTC: Audio/Video | Jan-Ivar Bruaroey [:jib] (needinfo? me) | ||
| 1948457 | Window rounding fingerprinting protection no longer works with vertical tabs enabled, all windows created maximized | NEW | Firefox | Sidebar | [fidefe-sidebar] | ||
| 1485249 | WebGL extensions should be disabled when private.resistFingerprinting is enabled | NEW | Core | Graphics: CanvasWebGL | [tor 6370][gfx-noted][fingerprinting][fp-triaged] | ||
| 1690038 | Scrollbar is enabled and disabled based on a setting in macOS system preferences | RESOLVED | Core | DOM: Security | [fingerprinting][tor 22632] | ||
| 1397996 | scrollbar thickness reveals platform | NEW | Core | DOM: Core & HTML | [tor][fingerprinting][fp-triaged][tor 22137] | ||
| 1519122 | In RFP Mode, spoof the modifier state "Meta" in OSX into a "Ctrl" state in keyboard events. | RESOLVED | Core | DOM: UI Events & Focus Handling | 1404608, 1405810 | [tor][fingerprinting] | |
| 1414311 | New window size is different than expected after changing screen dpi (with privacy.resistFingerprinting pref enabled) | NEW | Core | Privacy: Anti-Tracking | [fingerprinting][fp-triaged][tor 30970] | ||
| 1041818 | take steps to mitigate canvas fingerprinting | NEW | Core | Graphics | 665630, 1502831, 1647906 | [fingerprinting][tor][fp-triaged] | |
| 1470828 | privacy.resistFingerprinting breaks some shortcut keys | RESOLVED | Core | DOM: UI Events & Focus Handling | [fingerprinting][fp-triaged] | ||
| 1456378 | privacy.resistFingerprinting breaks image cropping in Expensify | RESOLVED | Core | DOM: Security | [domsecurity-backlog1][fingerprinting][fp-triaged] | ||
| 1564422 | Change `outputLatency` and `getOutputTimestamp` when `resistFingerPrinting` is enabled | RESOLVED | Core | Web Audio | Paul Adenot (:padenot) | ||
| 1290481 | Implement mitigations for opaque response storage in the DOM cache | RESOLVED | Core | DOM: Core & HTML | Tom Tung [:tt, :ttung] | 1468434, 1367309, 1398043, 1398231, 1402581 | [storage-v1][fingerprinting][adv-main57-] |
| 1384330 | Don't expose window.navigator.mozAddonManager data when privacy.resistFingerprinting=true | VERIFIED | Toolkit | Add-ons Manager | Tim Huang[:timhuang] | [tor 21684][fingerprinting][fp:m3] | |
| 1460145 | privacy.resistfingerprinting breaks the square selection on the HOT Tasking Manager | RESOLVED | Core | DOM: Security | Tim Huang[:timhuang] | [domsecurity-backlog1][fingerprinting][fp-triaged] | |
| 1468957 | privacy.resistFingerprinting set to true breaks https://www.google.com/streetview/ | RESOLVED | Core | DOM: Security | Tim Huang[:timhuang] | [domsecurity-backlog1][fingerprinting][fp-triaged] | |
| 1446472 | privacy.resistFingerprinting is true blocks QR code (canvas) on web.whatsapp.com without any notice | RESOLVED | Core | Graphics: Canvas2D | Tim Huang[:timhuang] | [fingerprinting] [gfx-noted][fp-triaged] | |
| 1492766 | Fingerprinting protection for pointerEvent.pointerid | RESOLVED | Core | DOM: Events | Tim Huang[:timhuang] | [fingerprinting][fp-triaged] | |
| 1382545 | Animation API exposes high-res time stamp | RESOLVED | Core | DOM: Animation | Tim Huang[:timhuang] | 1217238 | [tor 16337][fingerprinting][fp:m3] |
| 680300 | Restrict discoverability of protocol handlers [Tor 1623] | RESOLVED | Core | Networking | Tim Huang[:timhuang] | 1514834 | [fingerprinting][probing][necko-backlog][tor] |
| 1461454 | Support Resist Fingerprinting in canPlayType and Media Capabilities APIs | RESOLVED | Core | Audio/Video: Playback | Tom Ritter [:tjr] | [tor 13543][fingerprinting][fp-triaged] | |
| 1393662 | Making IsResistFingerprintingEnabled() checks in nsRFPService::ReduceTimePrecisionAs* inline and changing the name of nsRFPService::ReduceTimePrecisionAs* into MaybeReduceTimePrecisionAs* | RESOLVED | Core | DOM: Security | Tom Ritter [:tjr] | [fingerprinting][tor][domsecurity-backlog][fp:m4] | |
| 1337157 | privacy.resistFingerprinting should disable WEBGL_debug_renderer_info | RESOLVED | Core | Graphics: CanvasWebGL | Tom Ritter [:tjr] | 1171228 | gfx-noted, [tor][fingerprinting] |
| 1376865 | Do not display Canvas Prompt unless triggered by user input | VERIFIED | Core | Graphics: Canvas2D | Tom Ritter [:tjr] | 967895 | [tor][fingerprinting][gfx-noted][fp:m4] |
| 1407366 | When privacy.resistFingerprinting=true, dynamically round content dimensions | RESOLVED | Core | Window Management | Tom Ritter [:tjr] | 1594455, 1790988, 1489493, 1595394, 1620347, 1640548, 1744439, 1788839 | [fingerprinting][fp-triaged][tor 14429] |
| 1621433 | In RFP mode, turn the all-white canvas into a fully random 'poison pill' | RESOLVED | Core | DOM: Security | Tom Ritter [:tjr] | [fingerprinting][domsecurity-active] | |
| 1397757 | Need "Learn More" page for HTML5 Canvas warning of fingerprinting resistance | VERIFIED | Firefox | Page Info Window | Tom Ritter [:tjr] | [tor][fingerprinting][fp-triaged] | |
| 1693861 | Collect Telemetry for how many users have enabled RFP | RESOLVED | Core | DOM: Security | Tom Ritter [:tjr] | [domsecurity-active] | |
| 1447592 | Don't reset privacy.spoof_english when privacy.resistFingerprinting is flipped back to false | RESOLVED | Firefox | Security | Tom Ritter [:tjr] | [fingerprinting-breakage] | |
| 1827576 | RFP Math sin/cos/tan spoofing missing for asm.js | RESOLVED | Core | JavaScript: WebAssembly | Tom Schuster (MoCo) | 531915, 1823880 | |
| 1485266 | When privacy.resistFingerprinting = true, use stand-ins for native colors | RESOLVED | Core | Graphics: Color Management | Gary Chen [:xeonchen] | [tor][gfx-noted][fingerprinting][fp-triaged] | |
| 1486258 | Regression tests to check that new Intl APIs respect privacy.spoof_english | RESOLVED | Core | JavaScript: Internationalization API | Gary Chen [:xeonchen] | [tor 26611][fingerprinting][fp-triaged] | |
| 1492587 | Ensure the date picker does not leak user locale when "privacy.spoof_english" == 2 | RESOLVED | Toolkit | UI Widgets | Gary Chen [:xeonchen] | [tor 21787][fingerprinting][fp-triaged] | |
| 1560574 | ftp:// on Windows can be used to leak the system time zone (Tor 30800) | RESOLVED | Core Graveyard | Networking: FTP | Gary Chen [:xeonchen] | 1564434 | [fingerprinting][tor 30800] [necko-triaged] |
43 Total; 5 Open (11.63%); 34 Resolved (79.07%); 4 Verified (9.3%);
Fingerprinting P3-P5 Bugs List
| ID | Summary | Status | Priority | Product | Component | Assigned to | Depends on | Whiteboard |
|---|---|---|---|---|---|---|---|---|
| 1561322 | UI locale is detectable by button width | RESOLVED | -- | Firefox | Untriaged | Alex Catarineu (Tor Browser dev) | [tor 24056] | |
| 1581537 | Browser UI locale is leaked in several ways | RESOLVED | P3 | Core | DOM: Core & HTML | Alex Catarineu (Tor Browser dev) | [tor 30683][fingerprinting] | |
| 1383495 | Spoofing Navigator API platform as Win64 when resisting fingerprinting is enabled | RESOLVED | P3 | Core | DOM: Security | Ethan Tseng [:ethan] | 1472618 | [tor][fingerprinting][fp:m3][domsecurity-active] |
| 1121643 | Add an option to only expose whitelisted system fonts to avoid fontlist fingerprinting (Tor 13313) | RESOLVED | P3 | Core | Graphics: Text | Arthur Edelstein [:arthur] | 1306715, 1426544, 1458364 | [gfx-noted] [tor][fingerprinting] |
| 1308340 | checkbox in about:preferences#privacy for privacy.resistFingerprinting (Tor 20244.1) | RESOLVED | -- | Firefox | Settings UI | Arthur Edelstein [:arthur] | [tor][fingerprinting][fp-backlog][fp-triaged] | |
| 267645 | Page can obtain path to Mozilla installation or possibly profile by examining JavaScript exceptions | RESOLVED | P3 | Core | Security | Boris Zbarsky [:bzbarsky] | 268370, 503228 | [sg:want] stepping-stone [fingerprinting][fp-triaged][adv-main75-] |
| 1372073 | Neutralize the threat of fingerprinting of media devices API when 'privacy.resistFingerprinting' is true | RESOLVED | P3 | Core | WebRTC: Audio/Video | Chung-Sheng Fu [:cfu] | [fingerprinting][tor][fp:m3] | |
| 1382499 | Touch API leaks absolute screen coordinates | RESOLVED | P3 | Core | DOM: Events | Chung-Sheng Fu [:cfu] | [tor 10286][fingerprinting][fp:m3] | |
| 583181 | Don't reveal navigator.buildID to every site on the web | RESOLVED | P3 | Core | DOM: Core & HTML | Chris Peterson [:cpeterson] | 966030, 1216225, 1493490 | [fingerprinting] |
| 1635011 | resistFingerprinting: Bump spoofed OS versions to macOS 10.15 and Android 9 | RESOLVED | P3 | Core | DOM: Security | Chris Peterson [:cpeterson] | 1511434 | [domsecurity-active] |
| 1680365 | RFP userAgent/header on Android doesn't follow Fenix naming convention | RESOLVED | P3 | Core | DOM: Security | Chris Peterson [:cpeterson] | [domsecurity-backlog1] | |
| 1711179 | resistFingerprinting: Bump spoofed Android OS version to 10 | RESOLVED | P3 | Core | DOM: Security | Chris Peterson [:cpeterson] | 1635011 | [domsecurity-active] |
| 1832598 | Smooth scrolls are disabled if the user prefers-reduced-motion regardless of fingerprint resistance | RESOLVED | -- | Core | Layout: Scrolling and Overflow | Dan Robertson (:dlrobertson) | ||
| 1390465 | disable or limit WebVTT with privacy.resistFingerprinting | RESOLVED | P3 | Core | Audio/Video: Playback | Fatih Kilic [:fkilic] | [tor][fingerprinting][fp-triaged] | |
| 1422862 | Make OffscreenCanvas respect Canvas Permission Prompt so you don't always get a placeholder | ASSIGNED | P3 | Core | Graphics: Canvas2D | Fatih Kilic [:fkilic] | 967895 | [fingerprinting][gfx-noted][fp-triaged][fpp:m8] |
| 1507280 | Ensure the reporting URI respects Resist Fingerprinting wrt locale | RESOLVED | P3 | Core | DOM: Security | Fatih Kilic [:fkilic] | 1492036 | [fingerprinting][fp-triaged][domsecurity-backlog] |
| 1781277 | Do not base storage estimate on user's disk when RFP is enabled | ASSIGNED | -- | Core | Storage: Quota Manager | Fatih Kilic [:fkilic] | 1735713 | |
| 1832845 | Remove the pref `autoDeclineNoUserInputCanvasPrompts` | RESOLVED | -- | Core | Privacy: Anti-Tracking | Fatih Kilic [:fkilic] | 1832681 | |
| 1834307 | Smooth scrolls are disabled if the user prefers-reduced-motion regardless of fingerprint resistance | VERIFIED | P3 | Core | Layout: Scrolling and Overflow | Fatih Kilic [:fkilic] | 1832598 | |
| 1871789 | RFPTarget PointerEvents leaks mozPressure + mozInputSource | RESOLVED | -- | Core | DOM: Events | Fatih Kilic [:fkilic] | ||
| 1891690 | EXSLT leaks timezones also when RFP is enabled | RESOLVED | -- | Core | XSLT | Fatih Kilic [:fkilic] | ||
| 1899736 | Can not use 2nd webcam at webcamtests.com with privacy.resistFingerprinting enabled | RESOLVED | -- | Firefox for Android | Media | Fatih Kilic [:fkilic] | 1900402 | |
| 1914839 | Port resist fingerprinting logic from MediaCapabilities decode side to the encode side | ASSIGNED | -- | Core | Audio/Video: Recording | Fatih Kilic [:fkilic] | ||
| 1924087 | SVG Switch Element leaks language even with spoof language | RESOLVED | P3 | Core | Privacy: Anti-Tracking | Fatih Kilic [:fkilic] | ||
| 1944211 | RFPTarget PointerEvents mozPressure not compat | RESOLVED | -- | Core | DOM: Events | Fatih Kilic [:fkilic] | ||
| 1222924 | Stop exposing the moz-icon URL scheme to the web | RESOLVED | P3 | Core | Graphics: ImageLib | :Gijs (he/him) | [gfx-noted][fingerprinting][fp:m4][adv-main59-] | |
| 1478158 | Guard prefers-reduced-motion by Resist Fingerprinting pref | RESOLVED | P3 | Core | CSS Parsing and Computation | Hiroyuki Ikezoe (:hiro) | 1479230, 1479239 | [fingerprinting] |
| 1459089 | Even when resistFingerprinting is enabled, FF leaks the OS locale in the accept headers | RESOLVED | -- | Firefox for Android Graveyard | General | Igor Oliveira | [fingerprinting] | |
| 1538130 | privacy.resistFingerprinting should not create windows with rounded dimensions when letterboxing is enabled | RESOLVED | P5 | Core | Window Management | Kestrel | 1407366 | [fingerprinting][tor] |
| 654550 | Preference to disable video statistics | RESOLVED | -- | Core | Audio/Video | leonard.beck | [tor] [fingerprinting] | |
| 1673237 | ignore svg.disabled=false in about pages | RESOLVED | -- | Core | SVG | sanketh | [tor 27002] | |
| 1601040 | Add UI for modifying resistFingerprinting prefs when privacy.resistFingerprinting is enabled | RESOLVED | -- | Firefox | Settings UI | morgan (Tor Project) | [tor 32325][fingerprinting] | |
| 572650 | [meta] Reduce the amount of data and entropy sent out in HTTP requests | NEW | P5 | Core | Networking: HTTP | 566434, 736373, 1556223, 1609304, 414057, 527886, 572652, 572656, 572659, 572661, 572665, 572667, 572668, 581008, 581783, 582421, 583181, 584683, 586165, 588909, 588913, 591537, 591573, 630357, 643352, 648186, 669814, 697383, 728582, 728585, 728831, 728888, 728894, 728952, 729089, 757726, 765048, 793978, 799899, 817450, 1054739, 1090433, 1313580, 1861847, 1873273 | [fingerprinting][necko-would-take][fp-triaged] | |
| 732096 | Add a preference to prevent local font enumeration | RESOLVED | P3 | Core | Layout | 1121643 | [fingerprinting][tor][tor-standalone] | |
| 779197 | Use a protocol not accessible from content | RESOLVED | P3 | Add-on SDK Graveyard | General | 820213, 852297 | [fingerprinting] | |
| 811582 | window JS object provides a large amount of identifiable information | RESOLVED | -- | Core | DOM: Core & HTML | [fingerprinting][fp-triaged] | ||
| 903959 | custom resource://foo/ allows fingerprinting addons | RESOLVED | -- | Core | Security | [fingerprinting] | ||
| 1077986 | offline storage permission setting not working correctly | RESOLVED | -- | Firefox | Settings UI | [tor][fingerprinting] | ||
| 1216800 | some chrome code may be incorrectly receiving spoofed devicePixelRatio | RESOLVED | -- | Core | DOM: Core & HTML | [fingerprinting] | ||
| 1233691 | Redesign mediaDevices.enumerateDevices() API | RESOLVED | -- | Core | WebRTC | |||
| 1314448 | Create a build target that adds --disable-webrtc to the mozconfig | RESOLVED | P3 | Release Engineering | General | [tor][tor-testing][fingerprinting] | ||
| 1315203 | XSHM: Cross Site History Manipulation (information leakage) | NEW | P3 | Core | DOM: Navigation | 1436489 | [fingerprinting][fp-triaged] | |
| 1320465 | Favicon is added to bookmark in Private Browsing mode | VERIFIED | -- | Firefox | Private Browsing | |||
| 1330882 | When privacy.resistFingerprinting = true, set new windows to rounded dimensions [tor 19459] | REOPENED | P3 | Core | XUL | 1475973, 1600044, 1352141, 1352305, 1353894, 1355717, 1364398, 1401440, 1418537 | [fingerprinting][tor][fp-triaged] | |
| 1364261 | Make UTC Timezone Spoofing optional when privacy.resistfingerprinting = true | RESOLVED | P3 | Core | Privacy: Anti-Tracking | 1401440 | [tor][fingerprinting-breakage][fp-backlog][fp-triaged] | |
| 1392844 | Ensure that Stylo respects privacy.resistFingerprinting | RESOLVED | P3 | Core | Layout | [tor][fingerprinting][stylo][fp-backlog] | ||
| 1394735 | Enabling privacy.resistFingerprinting causes jank in jquery scrolling | RESOLVED | -- | Core | Layout | 1424341 | [fingerprinting][fp-triaged] | |
| 1398303 | Local Storage not cleared by Clear Recent History | VERIFIED | -- | Core | DOM: Core & HTML | [tor][fingerprinting] | ||
| 1399279 | initial viewport too small for fullscreen WebApps with privacy.resistFingerprinting enabled | RESOLVED | P5 | Firefox for Android Graveyard | Web Apps (PWAs) | [fingerprinting][fp-triaged][tor-mobile] | ||
| 1400582 | Deleting all history still leaves some traces that can be used to precisely track individual users. | RESOLVED | P3 | Core | Storage: IndexedDB | [tor][fingerprinting] | ||
| 1401493 | Perform Fingerprint Comparison of Tor Browser and Firefox | NEW | P3 | Firefox | Settings UI | 1403813, 1403876, 1413707, 1413837, 1413842, 1414001, 1414153, 1428331 | [tor][fingerprinting][fp-triaged] | |
| 1403099 | game in http://www.best.io/paper-io has very bad performance due to anti-fingerprinting setting (needs higher resolution timer) | RESOLVED | P5 | Core | DOM: Security | 1424341 | [domsecurity-backlog][fingerprinting][fp-triaged] | |
| 1403747 | When privacy.resistFingerprinting is true, warn users not to maximize their window | NEW | P5 | Core | Window Management | [tor][fingerprinting][fp-triaged] | ||
| 1405842 | Devices returned from enumerateDevices have the same deviceId across originattributes | RESOLVED | -- | Core | WebRTC: Audio/Video | [usercontextId][tor] | ||
| 1409809 | Constantly remind people about privacy.resistFingerprinting | RESOLVED | -- | Firefox | Security | [fingerprinting-breakage] | ||
| 1409974 | KeyboardEvent.location could be used as a user behavior fingerprinting vector. | NEW | P3 | Core | DOM: UI Events & Focus Handling | [fingerprinting][fp-triaged] | ||
| 1418537 | Bad window height set when bookmarks toolbar is open with resistfingerprinting option | RESOLVED | P3 | Core | Window Management | [fingerprinting][fp-triaged][tor 27845] | ||
| 1420234 | The privacy.resistFingerprinting flag interferes with the JS Date object | RESOLVED | -- | Core | JavaScript Engine | [fingerprinting] | ||
| 1422482 | OS username disclosure using downloads manager | NEW | P3 | Firefox | Downloads Panel | [fingerprinting][tor] | ||
| 1422890 | Add additional Canvas Fingerprinting Tests | NEW | P3 | Core | Graphics: Canvas2D | [fingerprinting][gfx-noted][fp-triaged] | ||
| 1425130 | Sensor API exposes a High-Res timestamp | RESOLVED | P3 | Core | DOM: Security | [fingerprinting][domsecurity-backlog1][fp-triaged] | ||
| 1428331 | HiDPI and privacy.resistFingerprinting | RESOLVED | -- | Core | Layout | 1554751 | [fingerprinting][fp-triaged] | |
| 1432506 | Implement the Canvas Permission Prompt on Fennec | RESOLVED | P3 | Firefox for Android Graveyard | General | 1413780 | [fingerprinting][fp-triaged] | |
| 1433815 | Ensure EnableOrientationChangeListener respects privacy.resistFingerprinting | RESOLVED | P3 | Core | DOM: Core & HTML | [tor-mobile][fingerprinting][fp-triaged] | ||
| 1437266 | Navigating back on youtube sometimes fails and restarts the current video with resistFingerprinting enabled | RESOLVED | P3 | Core | DOM: Security | 1776678, 1803976 | [fingerprinting][domsecurity-backlog1][fp-triaged] | |
| 1437349 | Detect if user install certain software with external protocol | RESOLVED | -- | Core | DOM: Security | [fingerprinting] | ||
| 1439784 | Fix the KeyboardEvent mochitests | NEW | P3 | Core | DOM: UI Events & Focus Handling | 1358653, 1438795 | [tor][fingerprinting][fp-triaged] | |
| 1442863 | Smooth scrolling implementations perform badly with resistFingerprinting's reduced timer precision | RESOLVED | P3 | Core | DOM: Core & HTML | [fingerprinting][fp-triaged] | ||
| 1450401 | mozFullScreen leaks exact screen resolution | NEW | P3 | Core | Window Management | [fingerprinting][fp-triaged] | ||
| 1450561 | Resist screen elements dimensions fingerprinting | RESOLVED | P5 | Core | DOM: Security | [tor][fingerprinting][domsecurity-backlog1][fp-triaged] | ||
| 1462115 | privacy.resistfingerprinting affects the timezone displayed in native file picker dialogs | RESOLVED | P3 | Core | DOM: Security | 1491343 | [tor][fingerprinting][domsecurity-backlog1][fp-triaged] | |
| 1466025 | enforce DNT header when privacy.resistFingerprinting=true | RESOLVED | P3 | Core | DOM: Security | [fingerprinting][domsecurity-backlog1][fp-triaged] | ||
| 1472808 | For privacy.resistFingerprinting, spoof Keyboard Layout according to content locale | NEW | P3 | Core | DOM: UI Events & Focus Handling | [tor][fingerprinting][fp-triaged] | ||
| 1485258 | When privacy.spoof_english is true, don't reveal locale by charset fallback | NEW | P3 | Core | DOM: HTML Parser | [tor 20025][fingerprinting][fp-triaged] | ||
| 1485268 | When privacy.resistFingerprinting = true, Reader mode shouldn't parse on load | RESOLVED | -- | Toolkit | Reader Mode | [tor] | ||
| 1485280 | Prevent fingerprinting by SpeechRecognition | RESOLVED | P3 | Core | Web Speech | [tor][fingerprinting][fp-triaged] | ||
| 1490728 | Improve discoverability/explanation of RFP | NEW | P3 | Core | DOM: Security | [tor][fingerprinting][domsecurity-backlog1][fp-triaged] | ||
| 1492775 | Consider how to do fingerprinting resistance for pointer events for mobile | RESOLVED | P3 | Core | DOM: Events | 1507495 | [fingerprinting][fp-triaged] | |
| 1507879 | Investigate getClientRects for fingerprinting | NEW | P3 | Core | DOM: CSS Object Model | 1538718 | [tor 29564][fingerprinting][fp-triaged] | |
| 1529391 | Don't spoof version number in User Agent with privacy.resistFingerprinting enabled | RESOLVED | P3 | Core | DOM: Security | [fingerprinting][domsecurity-backlog] | ||
| 1535761 | [meta] Remove native theming for content | RESOLVED | P3 | Core | Widget | 1381938, 1411425, 1615026, 1615028, 1615105, 1615830, 1618260, 1619425, 1620246, 1620297, 1620307, 1620360, 1620362, 1620451, 1620476, 1620479, 1621319, 1621331, 1625716, 1627961, 1638821, 1646558, 1671401, 1671516, 1671703, 1673287, 1674010, 1675132, 1682210, 1682731, 1685010, 1685196, 1685225, 1685962, 1685963, 1686606, 1686613, 1687177, 1687178, 1687202, 1687838, 1687865, 1687881, 1688325, 1688978, 1689094, 1689098, 1689252, 1689286, 1689477, 1689615, 1689848, 1690140, 1690194, 1690842, 1690910, 1690954, 1691064, 1691183, 1692306, 1693591, 1694059, 1695984, 1696378, 1696437, 1696988, 1697053, 1697055, 1697110, 1698284, 1698302, 1698318, 1698336, 1698343, 1698783, 1698969, 1699800, 1699930, 1700794, 1700802, 1702282, 1702755, 1709634, 1764172 | [fingerprinting][overhead:noted][fp-triaged] [not-a-fission-bug] | |
| 1539503 | Ensure CSS device-pixel-ratio (and related) and imgset/srcset obeys Fingerprinting Resistance | RESOLVED | -- | Core | CSS Parsing and Computation | [fingerprinting][tor] | ||
| 1542676 | Round subpixel accuracy of window properties to integers when resistfingerprinting is enabled | NEW | P3 | Core | DOM: Core & HTML | [tor 26607][fingerprinting] | ||
| 1560816 | screen size under privacy.resistFingerprinting should return nearest closest common resolution instead of exact window dimensions | RESOLVED | P3 | Core | DOM: Security | [domsecurity-backlog3] | ||
| 1586657 | Dialog for spoofing the locale in resist-fingerprinting-mode contains non-localized buttons | RESOLVED | P3 | Core | Internationalization | [tor 31980] | ||
| 1607027 | css @media device-pixel-ratio and RFP | RESOLVED | -- | Core | CSS Parsing and Computation | |||
| 1615419 | Panopticlick says browser has a unique fingerprint even with privacy.resistFingerprinting = true and Content Blocking: Strict | RESOLVED | -- | Core | Privacy: Anti-Tracking | |||
| 1615483 | hide VR devices when privacy.resistFingerprinting = true | RESOLVED | -- | Core | WebVR | [fingerprinting] | ||
| 1621988 | Some Google Docs Shortcuts still don't work under Resist Fingerprinting | RESOLVED | P3 | Core | DOM: Security | [tor][fingerprinting][domsecurity-backlog1] | ||
| 1625771 | privacy.resistFingerprinting: Fix calculation of spoofed ESR version (affecting releases >=76) | RESOLVED | -- | Core | DOM: Security | |||
| 1628373 | Lie better about desktop platform when privacy.resistFingerprinting is set to true | RESOLVED | -- | Core | DOM: Security | |||
| 1640449 | Privacy and security features should prevent localhost and local network WebSocket abuse | RESOLVED | P3 | Core | DOM: Networking | [fingerprinting][necko-triaged] | ||
| 1670199 | RFP + font visibility = 1: entropy improvements | RESOLVED | -- | Core | Layout: Text and Fonts | |||
| 1672093 | css @media RFP + window/screen subpixel entropy | REOPENED | P3 | Core | CSS Parsing and Computation | |||
| 1677733 | Bookmarks toolbar for new tabs changes screen resolution for new window when privacy.resistFingerprinting is turned on | NEW | P3 | Firefox | Bookmarks & History | [sng] | ||
| 1708593 | Enhance resist fingerprinting: Disable web audio (API) by default when privacy.resistFingerprinting is enabled | RESOLVED | -- | Core | Security | |||
| 1709330 | audit PDF.js for RFP and dFPI | RESOLVED | P5 | Firefox | PDF Viewer | [pdfjs-integration] | ||
| 1758520 | Disable WebGPU when RFP is enabled | RESOLVED | -- | Core | Graphics: WebGPU | |||
| 1762390 | Should Gecko_MediaFeatures_MatchesPlatform account for ResistFingerprinting? | RESOLVED | -- | Core | DOM: CSS Object Model | |||
| 1772711 | privacy.resistFingerprinting caps fps to 60 | RESOLVED | P3 | Core | Privacy: Anti-Tracking | |||
| 1781172 | report real world system font set when enable privacy.resistFingerprinting | RESOLVED | -- | Core | Layout: Text and Fonts | |||
| 1818894 | RFP: harden network information protection | RESOLVED | -- | Core | DOM: Core & HTML | [fingerprinting] | ||
| 1823580 | Act as though intl.regional_prefs.use_os_locales is false when RFP is enabled | NEW | -- | Core | DOM: Security | [domsecurity-backlog] | ||
| 1825378 | RFP offscreen canvas allows extension override | RESOLVED | -- | Core | Graphics: Canvas2D | |||
| 1876810 | With privacy.resistFingerprinting, "☑ Remember this decision" forgetting which camera and microphone was shared is confusing | NEW | P3 | Core | WebRTC: Audio/Video | 1876636 | ||
| 1909736 | RFP: hide textDecoration's underline computedStyle on links | NEW | -- | Core | CSS Parsing and Computation | |||
| 1947439 | RFP new window size is off because of roundings on partial values | NEW | P3 | Core | Window Management | |||
| 1954170 | PreXULSkeletonUI doesn't trigger RoundWindowSize RFP Target | NEW | P3 | Core | Privacy: Anti-Tracking | |||
| 1957254 | RFP: provide [more plausible] hardwareConcurrency per OS | NEW | -- | Core | DOM: Core & HTML | |||
| 1595823 | Fix the AudioContext's sample-rate if privacy.resistFingerprinting is enabled | RESOLVED | P3 | Core | Web Audio | Paul Adenot (:padenot) | [fingerprinting] | |
| 1397994 | CSS line-height reveals platform | RESOLVED | P5 | Core | CSS Parsing and Computation | Pier Angelo Vendrame | [tor 23104][tor 23701][tor 29563][fingerprinting][fp-triaged] | |
| 1745715 | Bundled fonts should have Base visibility even when they are also system-wide installed | RESOLVED | P3 | Core | Layout: Text and Fonts | Pier Angelo Vendrame | ||
| 1746668 | Use web exposed locales instead of regional locales where appropriate | ASSIGNED | -- | Firefox | Settings UI | Pier Angelo Vendrame | 1846224 | |
| 1787790 | getComputedStyle reports a wrong family for system fonts under certain conditions | RESOLVED | -- | Core | Layout: Text and Fonts | Pier Angelo Vendrame | [fingerprinting] | |
| 1880108 | Placeholders on the datetime widget ignore spoof English | RESOLVED | -- | Toolkit | UI Widgets | Pier Angelo Vendrame | ||
| 1900648 | XSLT error messages can leak browser UI language | RESOLVED | -- | Core | XSLT | Pier Angelo Vendrame | 1959147 | [tor 42288][fingerprinting] |
| 1404608 | Do not lie about Operating System when privacy.resistFingerprinting is true | RESOLVED | P3 | Core | DOM: Security | Tim Huang[:timhuang] | [domsecurity-backlog3][fingerprinting-breakage] | |
| 461204 | Boundary delimiter for HTTP file posts is static. That is wrong according to RFC. | RESOLVED | -- | Core | DOM: Core & HTML | Tom Ritter [:tjr] | [sg:low][tor 22919][adv-main74-] | |
| 1314443 | Audit the existing disable WebRTC preferences and ensure they work as advertised | ASSIGNED | P3 | Core | WebRTC | Tom Ritter [:tjr] | [tor][fingerprinting][tor-mobile][fp-triaged] | |
| 1448046 | Can we remove the window.Components shim? | REOPENED | P3 | Core | DOM: Core & HTML | Tom Ritter [:tjr] | 1448048 | |
| 1509829 | privacy.resistFingerprinting: UA header, upstream Tor 26146 | RESOLVED | P3 | Core | DOM: Security | Tom Ritter [:tjr] | [tor][fingerprinting][domsecurity-backlog1][fp-triaged] | |
| 1518839 | In RFP: Only Spoof the OS in the User Agent; and do not lie in the HTTP Header | RESOLVED | -- | Core | DOM: Security | Tom Ritter [:tjr] | 1404608, 1405810 | [tor 26146][fingerprinting] |
| 1577243 | Unconditionally clamp the requestAnimationFrame timestamp (and clamp/jitter it in RFP mode) | RESOLVED | -- | Core | DOM: Animation | Tom Ritter [:tjr] | ||
| 1607316 | Implement separate fingerprinting resistance treatment of @media interaction features for desktop and android | RESOLVED | -- | Core | Layout | Tom Ritter [:tjr] | [fingerprinting][tor 32886] | |
| 1666160 | Users enable `privacy.resistFingerprinting` and then are surprised when it causes problems | RESOLVED | P3 | Core | DOM: Security | Tom Ritter [:tjr] | 1929134 | [domsecurity-backlog1] |
| 1885258 | Remove the IsHidden Exemption for Font Allowlist | RESOLVED | -- | Core | Layout: Text and Fonts | Tom Ritter [:tjr] |
126 Total; 29 Open (23.02%); 94 Resolved (74.6%); 3 Verified (2.38%);
Fingerprinting Resolved Bugs
167 Total; 167 Open (100%); 0 Resolved (0%); 0 Verified (0%);