Closed
Bug 1403813
Opened 8 years ago
Closed 8 years ago
The test result of Geolocation API is different (Tor V.S. Firefox with anti-fingerprinting)
Categories
(Core :: DOM: Geolocation, defect)
Core
DOM: Geolocation
Tracking
()
RESOLVED
INVALID
People
(Reporter: cynthiatang, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [fingerprinting][tor])
Preference
- privacy.resistFingerprinting;true
- privacy.firstparty.isolate;true
Step
1. Launch Firefox with anti-fingerprinting
2. Visit https://dev.w3.org/geo/api/test-suite/
3. Click "Test 00001"
4. Click "Test 00002"
Expected result on Tor browser:
- Test 00001: FAIL: Geolocation API not supported by this browser
- Test 00002: FAIL: Geolocation API not supported by this browser
Actual result on Firefox with anti-fingerprinting:
- Test 00001: An error callback was invoked with error [code: PERMISSION_DENIED (1), message: User denied geolocation prompt]
- Test 00002: FAIL: An error callback was invoked unexpectedly with error [code: PERMISSION_DENIED (1), message: User denied geolocation prompt]
Version:
- Firefox: 58.0a1 (2017-09-26)
- Tor browser: 7.0.5 (based on Mozilla Firefox 52.3.0)
- OS: Windows 10
|
||
Comment 1•8 years ago
|
||
This occurs because the `navigator.geolocation` object is visible to the web page. This object is controlled by the `geo.enabled` preference in Firefox; the preferences from comment 0 do not affect it.
|
||
Comment 2•8 years ago
|
||
(In reply to Josh Matthews [:jdm] from comment #1)
> This occurs because the `navigator.geolocation` object is visible to the web
> page. This object is controlled by the `geo.enabled` preference in Firefox;
> the preferences from comment 0 do not affect it.
Josh, thanks for the explanation. :)
Adding more notes here.
Conceptually, the fingerprinting defense against GeoLocation API is not to expose the geographical
location information for a client-side device.
The difference reported in this bug is because Tor Browser and Firefox applied different approaches
to achieve the same effect.
- Tor Browser simply disables GeoLocation API by setting the "geo.enabled" preference as false.
- Firefox tweaks the API implementation throw an exception if "privacy.resistFingerprinting" is true.
To websites, it is just like the user denied the permission.
Verify the effects using https://browserleaks.com/geo.
- Tor Browser 7.0.5: Your browser does not supports W3C Geolocation API
- Firefox 58.0a1: Your browser supports W3C Geolocation API / (1) PERMISSION_DENIED — User denied Geolocation
The approach we used for Firefox was suggested by Ehsan,
(https://bugzilla.mozilla.org/show_bug.cgi?id=1372069#c0)
and it is an effective defense.
The difference between TBB and Firefox is not an issue in this case.
Therefore, I consider to close this bug as invalid.
Arthur, what do you think?
Flags: needinfo?(arthuredelstein)
See Also: → 1372069
|
||
Comment 3•8 years ago
|
||
Hi Ethan -- (In reply to Ethan Tseng [:ethan] - 57 Regression Engineering Support from comment #2)
> Arthur, what do you think?
I agree with all you've said here. Thanks, everyone!
Flags: needinfo?(arthuredelstein)
|
|
||
Updated•8 years ago
|
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•