Closed BingoBongoLad closed 6 days ago
so there's about 2 years worth of letterboxing and betterboxing improvements from Tor Project that we want to uplift to FF, including
So FF's settings are 1000 x 1000
max, with stepping - if you're not in that, you fail the RFP newwin
. But MB and TB have 1400 x 900
, with stepping, so they don't live by the same rules (e.g. resize it to 1000 x 1000 and it will fail, but FF won't). AF uses 1600 x 900 max because we are not a crowd and we want shit to be usable
PS: I was the instigator in getting the sizes increased - https://blog.torproject.org/new-release-tor-browser-130/ Bigger New Windows
First we get the timezone name
Then there is a timezone offsets
(plural) test
combine years
and you will see there are 346 possible unique hashesThen there is a timezone offset
(single) test
timezone name
parseHTMLUnsafe
is FF128+) match .. you get a green [✓ timezone]So the two tests are independent of each other, checking the timezone name, capisce - hence the ✓ or ✗ timezone]
? Just like how the locale stuff is validated against the actual locale, and *strings
are validated against Intl
. Because everything in this section should be deterministic.
Here's what the new test looks like when I get around to updating TZP to the next version
So the control says I should be 2024-07-01 18:50:23
, and a new date, the lastModifed iframe, lastModifed DOMparser, and lastModified parseHTMLUnsafe all match (lastModifeds all patched in FF126), but the EXSLT exploit doesn't - therefore you fail, and the real timezone is +8.00 (e.g. Singapore - no I am not in Singapore, I changed my system clock for you). At any given time there are I think about 40 different offsets in use around the world - it varies depending on the exact time and DST (daylight savings time) - so it doesn't leak your timezone name, but it's still pretty high entropy (40x)
also, check out the new metrics view (when I update to the new TZP version)
file://
scheme, hence a few failures: canvas doesn't work on file:// and I am waiting for a new release to update some expected valuesTB and MB are not effected is I believe because the newwin sizes are coded directly inside the browsers
no, they just use the prefs like we do :)
Yo my man, thank you so much for answering me in such an exhaustive way! I admit that I don't have a 100%, total, complete understanding of everything but I got quite a fair amount of it, surprisingly. Thank you again!
it's quite cathartic to type it out actually :)
This is probably just dumbness on my part and obvious to many of you but since I can't come up with a valid answer by myself despite kinda trying, I'm asking here. When I run the TZP test suite while on Firefox 127.0.2 clean profile + vanilla AF user.js v126-1 and no overrides the only 2 values that prevents me from getting a nice green "score" (definitely not what that is but please bear with me here) like I do with TB and MB are always
inner window | 1600 x 900 [✓ LB] [✗ RFP newwin] -- | --and
[offset] timezone | 2024-07-01 17:09:56 \| 2024-07-01 19:09:56 [-120] [✗ RFP] -- | --On Firefox 127.0.2 clean profile +
[offset] timezone | +00:00 [✓ RFP] -- | --privacy.resistFingerprinting
set totrue
just the [offset] timezone value. Now as for the RFP newwin I think4502
is the cause, and as to why TB and MB are not effected is I believe because the newwin sizes are coded directly inside the browsers (sorry for the lack of proper terminology lol)? But the [offset] timezone value bugs me because I thought RFP was a big whole package pretty much similar across all the FF derivatives but that's not the case? TB and MB give meby the way.
My question(s) is, why is that the case, why is it not the same result on Firefox as it is on TB and MB? Also can Firefox achieve the same result as TB and MB? I know this is not the place to ask, did not want to post on the TZP repo because I saw only technical issues over there but maybe here I'll get an answer.