change 4600s into do not use, #1221 #1225

Merged: 10 commits, Aug 10, 2021

Thorin-Oakenpants
Contributor

This is a draft

  • merge 4700's into 4600s
  • remove old numbers in the square brackets
  • remove notation of when RFP kicked in (that info is in 4500s)
  • since we now do not recommend this section
    • cleanup info on each release in README section
    • do away with one char flip
    • move 4616 to deprecated where it belongs
    • remove "optional if..." lines
  • start cleaning up references, descriptions to shorten the section
    • will list what I removed: e.g. bugzillas to when the pref was added are a bit useless

todo / consider

  • 4600 title
  • 4600 section description can be a lot better
  • 4600 link to wiki page on RFP ( issue reminder: wiki page #1218 - that is, if RFP is not for you, then just use Canvas Blocker, which can leak but should fool naive scripts if any get thru etc )
  • do we want to add dom.enable_performance_navigation_timing

while these all fit together as "covered by RFP", some of these seem out of place

  • maybe we could split this into two
    • 4600: "optional without RFP" - these won't hurt RFP but they also won't help your fingerprinting - e.g. font vis, prefers-color, prefers-reduced-motion
    • 4700: "do not use EVER especially with RFP" - these will affect RFP, can break shit, etc, and won't help your fingerprinting - e.g. all the timing stuff, disabling APIs, etc
    • also. the webgl one seems a bit out of place since we disable webgl
    • we could always move some items back to their relevant sections as inactive with some sort of RFP tag/warning

I'm not sure what's the cleanest way to convey this. Anyway, pushing a PR to get some discussion going

@Thorin-Oakenpants
Contributor Author

references removed so far

4601: spoof number of CPU cores [FF48+]

  • bugzilla is only for when it was added, and I don't think we need tor tickets or even to explain what it is
   // [1] https://bugzilla.mozilla.org/1008453
   // [2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21675
   // [3] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22127
   // [4] https://html.spec.whatwg.org/multipage/workers.html#navigator.hardwareconcurrency

4607: disable giving away network info [FF31+]

  • bugzilla is just when the API was added
   // [3] https://bugzilla.mozilla.org/960426

4619: [2510] disable Web Audio API [FF51+]

  • bugzilla is just for when the pref was added
   // [1] https://bugzilla.mozilla.org/1288359

we can make prefs inactive which aren't deprecated

work in progress, prototyping

- 4604
   - 1357733 is a duplicate of [1359076](https://bugzilla.mozilla.org/show_bug.cgi?id=1359076) which was non-stable -> [1462308](https://bugzilla.mozilla.org/show_bug.cgi?id=1462308) which I listed for now, where certain Sensor APIs were disabled in FF62+ - see [this](https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/62#APIs_2) - so swap 1357733 with 1462308
   - remove tor ticket: it adds nothing: it just says, ooh, flip this pref
- 4604: part two: we need to update what the threat is
   - added MDN Sensor API status page
   - I need to check but AFAIK, only orientation and motion is left: motion has some precision (that's the 1292751 bugzilla)
   - left in for now: the PoC - but 99% sure (see above bullet point) it doesn't apply anymore to FF
- 4606: we don't need the tor issue: the FP info is listed in the description (USB device ID enumeration)
- 4607: wicg is all we need
- 4610: bugzilla adds nothing, it's just a reference to the pref being added, tor ticket also adds nothing: FPing issue is in description

anyway, that's four more lines less noise

- align indent on all the section and subsection lines
- rename 4600 to NON-RFP
- since it's "optional", we better tag stuff like 4650 with a warning

5 more lines gone

- 4604: PoC does not apply
- 4605: make title more accurate, trim description into one line
- 4613: https://developer.mozilla.org/docs/Web/Events/devicechange adds nothing
- 4614: we don't need the bugzilla of when this was added to the API

20 more lines gone

- wiki links are old: e.g. last updated 2012, 2015
- some MDN links can be replaced by using the API name in the item title, and some links don't really add anything
- effectively remove all references: not here to explain the issue, we do not recommend using these
- if a user wants to know what the threat is, they are already linked to the RFP tickets that each one addresses

@Thorin-Oakenpants
Contributor Author

Thorin-Oakenpants commented Aug 8, 2021

I consider this ready to push

  • 3500+ bytes and 63 lines saved
  • also we don't need to link the wiki reminder: wiki page #1218 : i.e. "is RFP for you" - that's for the 4500 section header

Edit: Ahhh, I was wondering what the missing 4609 was: it was geo.enabled - moved out in v59 (RFP stopped handling geo as it was behind a prompt)
