Noob (likely invalid) question about TZP'ing vanilla AF (also vanilla FF + RFP)

[BingoBongoLad]

This is probably just dumbness on my part and obvious to many of you but since I can't come up with a valid answer by myself despite kinda trying, I'm asking here. When I run the TZP test suite while on Firefox 127.0.2 clean profile + vanilla AF user.js v126-1 and no overrides the only 2 values that prevents me from getting a nice green "score" (definitely not what that is but please bear with me here) like I do with TB and MB are always

inner window | 1600 x 900 [✓ LB] [✗ RFP newwin] -- | --

and

[offset] timezone | 2024-07-01 17:09:56 \| 2024-07-01 19:09:56 [-120] [✗ RFP] -- | --

On Firefox 127.0.2 clean profile + privacy.resistFingerprinting set to true just the [offset] timezone value. Now as for the RFP newwin I think 4502 is the cause, and as to why TB and MB are not effected is I believe because the newwin sizes are coded directly inside the browsers (sorry for the lack of proper terminology lol)? But the [offset] timezone value bugs me because I thought RFP was a big whole package pretty much similar across all the FF derivatives but that's not the case? TB and MB give me

[offset] timezone | +00:00 [✓ RFP] -- | --

by the way.

My question(s) is, why is that the case, why is it not the same result on Firefox as it is on TB and MB? Also can Firefox achieve the same result as TB and MB? I know this is not the place to ask, did not want to post on the TZP repo because I saw only technical issues over there but maybe here I'll get an answer.

[Thorin-Oakenpants]

so there's about 2 years worth of letterboxing and betterboxing improvements from Tor Project that we want to uplift to FF, including

• using css grid instead of setting a viewport size directly
  • for example, this means the findbar/docked-console on one tab no longer affects all the other tabs in the same window
• improved handling of floating points (to help stop all the slight 1px off sizes - e.g. having a 99px vertical matte)
  • this still needs work, but it's a big improvement, including logging to troubleshooting
• improved handling with boomark toolbar status
• all the "betterboxing" stuff - https://blog.torproject.org/new-release-tor-browser-135/
• improved default max sizes
• improved protection with maximizing, new window opening, going fullscreen with F11
• maybe tying it to RFP

So FF's settings are 1000 x 1000 max, with stepping - if you're not in that, you fail the RFP newwin. But MB and TB have 1400 x 900, with stepping, so they don't live by the same rules (e.g. resize it to 1000 x 1000 and it will fail, but FF won't). AF uses 1600 x 900 max because we are not a crowd and we want shit to be usable

PS: I was the instigator in getting the sizes increased - https://blog.torproject.org/new-release-tor-browser-130/ Bigger New Windows

[Thorin-Oakenpants]

First we get the timezone name

• e.g. Atlantic/Reykjavik or UTC

Then there is a timezone offsets (plural) test

• this uses 10 dates over 5 years to get the max entropy from all timezone name
  • e.g. https://arkenfox.github.io/TZP/tests/timezones.html, hit combine years and you will see there are 346 possible unique hashes
  • this is checked for validity against the timezone name (kinda) - hence the green tick - it matches the timezone name's expected values - [✓ timezone]

Then there is a timezone offset (single) test

• I didn't know what else to call it and I wanted the timezone stuff to be grouped together
• this test uses lastModifed values (via DOMParser) from an exploit I found
  • and we can also use other objects, such as an iframe
  • lastModifed values are strings, not dates
  • I had to wait 3+ months to add it to TZP, until we patched it in TB/MB stable release
  • this was a regression from FF113 see 1709867 when they changed from setting a TZ variable to using a RFPTarget that could be flipped per site and/on toggled
  • this has been patched in FF .. in FF126 1886687
• based on that exploit, we also found another one using XSLT (or rather EXSLT)
  • this is also a string but includes the actual offset
  • this has not been patched in FF 1891690
  • something something about passing the RFPTarget ... TB doesn't have to worry about this since it doesn't use those, but Firefox does. So this is what is holding it up
• all these lastModifed values are checked for validity against the timezone name, or rather a control date based on the timezone name
  • if all valid methods (parseHTMLUnsafe is FF128+) match .. you get a green [✓ timezone]

So the two tests are independent of each other, checking the timezone name, capisce - hence the ✓ or ✗ timezone] ? Just like how the locale stuff is validated against the actual locale, and *strings are validated against Intl. Because everything in this section should be deterministic.

Here's what the new test looks like when I get around to updating TZP to the next version

So the control says I should be 2024-07-01 18:50:23, and a new date, the lastModifed iframe, lastModifed DOMparser, and lastModified parseHTMLUnsafe all match (lastModifeds all patched in FF126), but the EXSLT exploit doesn't - therefore you fail, and the real timezone is +8.00 (e.g. Singapore - no I am not in Singapore, I changed my system clock for you). At any given time there are I think about 40 different offsets in use around the world - it varies depending on the exact time and DST (daylight savings time) - so it doesn't leak your timezone name, but it's still pretty high entropy (40x)

[Thorin-Oakenpants]

also, check out the new metrics view (when I update to the new TZP version)

• this is TB14 (based on FF128) and using file:// scheme, hence a few failures: canvas doesn't work on file:// and I am waiting for a new release to update some expected values
• the header is sticky
• you can ctrl-c to copy
• you can esc to close (this has always been there)
• you can download the JSON and it's named for you with the platform + brand + version + description and hash
• you can toggle different views
  • these views depend on what you're looking at, e.g. section data, overall fingerprint, health, etc

[Thorin-Oakenpants]

TB and MB are not effected is I believe because the newwin sizes are coded directly inside the browsers

no, they just use the prefs like we do :)

[BingoBongoLad]

Yo my man, thank you so much for answering me in such an exhaustive way! I admit that I don't have a 100%, total, complete understanding of everything but I got quite a fair amount of it, surprisingly. Thank you again!

[Thorin-Oakenpants]

it's quite cathartic to type it out actually :)