Ensure the date picker does not leak user locale when "privacy.spoof_english" == 2  
    Categories
(Toolkit :: UI Widgets, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox68 | --- | fixed | 
People
(Reporter: arthur, Assigned: xeonchen)
References
(Blocks 1 open bug)
Details
(Whiteboard: [tor 21787][fingerprinting][fp-triaged])
Attachments
(2 files)
| Reporter | ||
| Comment 1•7 years ago
           | ||
| Updated•7 years ago
           | 
| Updated•7 years ago
           | 
| Updated•6 years ago
           | 
| Assignee | ||
| Comment 2•6 years ago
           | ||
spoof locale on datepicker to English when privacy.spoof_english == 2
| Updated•6 years ago
           | 
| Updated•6 years ago
           | 
| Comment 3•6 years ago
           | ||
I'd prefer to have the spoofing be part of LocaleService, than being sprinkled all around our front end code to override calls to LocaleService.
| Assignee | ||
| Comment 4•6 years ago
           | ||
Hi Arthur,
I know Georg have already mentioned in [1], but seems the values of the date field and the picker are unlikely to leak the locale unless there's a bug in Firefox (and if it does, we should fire another bug).
So I'd like to propose this as WONTFIX, do you have any comment?
[1] https://trac.torproject.org/projects/tor/ticket/21787#comment:8
| Reporter | ||
| Comment 5•6 years ago
           | ||
Hi Gary, as we discussed in a meeting, there's a concern that the element width may vary under different locales. Would be useful to test to see if that is the case. Thanks!
| Assignee | ||
| Comment 6•6 years ago
          • | ||
(In reply to Arthur Edelstein [:arthur] from comment #5)
Hi Gary, as we discussed in a meeting, there's a concern that the element width may vary under different locales. Would be useful to test to see if that is the case. Thanks!
Yeah, I'm going to close this as WONTFIX based on below statement. Please correct me and feel free to reopen this if I was wrong.
Experiment
I've tested on different locales, and according to [1] there are 4 major types of separators.
But seems Firefox only uses slash or dot.
- Use '/' as separator: 108x22.5
- ar
- en-US
- es-ES
- fr
- hi-IN
- ja
- zh-CN
- zh-TW
 
- Use '.' as separator: 108x22.5
- de
- fi
 
In [2] it's declared as |display: flex|, so I presume the width is not going to be changed.
[1] https://en.wikipedia.org/wiki/Date_format_by_country
[2] https://searchfox.org/mozilla-central/rev/dc0adc07db3df9431a0876156f50c65d580010cb/toolkit/content/widgets/datetimebox.css#8
| Updated•6 years ago
           | 
| Comment 7•6 years ago
           | ||
(In reply to Gary Chen [:xeonchen] from comment #6)
(In reply to Arthur Edelstein [:arthur] from comment #5)
Hi Gary, as we discussed in a meeting, there's a concern that the element width may vary under different locales. Would be useful to test to see if that is the case. Thanks!
Yeah, I'm going to close this as WONTFIX based on below statement. Please
correct me and feel free to reopen this if I was wrong.==============
= Experiment =I've tested on different locales, and according to [1] there are 4 major
types of separators.
But seems Firefox only uses slash or dot.
- Use '/' as separator: 108x22.5
- ar
- en-US
- es-ES
- fr
- hi-IN
- ja
- zh-CN
- zh-TW
- Use '.' as separator: 108x22.5
- de
- fi
In [2] it's declared as |display: flex|, so I presume the width is not going
to be changed.
Thanks for making this experiment. If you look at our patch then you'll see that there is much more than the separator that is taken care of. For instance, we spoof the default labels that get used, say, for displaying "year" in the respective locale. If you compare id and sv-SE in this case you end up with
Tahun
år
which seem to take up quite some different space. Are you saying that's okay, too, due to |display: flex|? If so, great. Could we get a test then that makes sure this actually stays the same in the future for the things we care about here? Otherwise this feels a quite brittle to me.
| Assignee | ||
| Comment 8•6 years ago
           | ||
(In reply to Georg Koppen from comment #7)
Thanks for making this experiment. If you look at our patch then you'll see that there is much more than the separator that is taken care of.
Thanks for you comment. I'm not an expert on front-end, so please correct me if I'm wrong.
The patch for this issue in the Tor Browser consists two parts, one for the input field and the other part is for the date picker panel, and we don't think the latter will be necessary because web content should not able to retrieve the size of the picker, right?
For instance, we spoof the default labels that get used, say, for displaying "year" in the respective locale. If you compare
idandsv-SEin this case you end up withTahun
år
I don't see those two words during the experiment of the given locales.
Would you tell me how to reproduce this?
which seem to take up quite some different space. Are you saying that's okay, too, due to |display: flex|? If so, great. Could we get a test then that makes sure this actually stays the same in the future for the things we care about here? Otherwise this feels a quite brittle to me.
Yes, I totally agree we should have tests to promise the size will keep the same, I can file a bug after the discussion.
| Comment 9•6 years ago
           | ||
(In reply to Gary Chen [:xeonchen] from comment #8)
(In reply to Georg Koppen from comment #7)
Thanks for making this experiment. If you look at our patch then you'll see that there is much more than the separator that is taken care of.
Thanks for you comment. I'm not an expert on front-end, so please correct me
if I'm wrong.The patch for this issue in the Tor Browser consists two parts, one for the
input field and the other part is for the date picker panel, and we don't
think the latter will be necessary because web content should not able to
retrieve the size of the picker, right?For instance, we spoof the default labels that get used, say, for displaying "year" in the respective locale. If you compare
idandsv-SEin this case you end up withTahun
årI don't see those two words during the experiment of the given locales.
Would you tell me how to reproduce this?
I don't have a test for that but I can try coming up with one. I was just looking at the code and using the respective &date.year.label; entities and assuming that a carefully crafted website could detect the different widths of the localized entities e.g. by some elements overflowing or something. Arthur: did we test that case back then or did you patch the code just to be sure?
| Comment 10•6 years ago
           | ||
Actually (to give you an idea about what we are concerned about), if you go to https://blog.nightly.mozilla.org/2017/06/12/datetime-inputs-enabled-on-nightly/ taking, say, en-US and de, you see that the second "Try it out" checkbox has a different width depending on whether it is populated with "mm/dd/yyyy" (en-US) or "TT.MM.JJJJ" (de) and I think that's measurable by the website.
Let me know if that's enough for you or if I should create an actual test.
| Assignee | ||
| Comment 11•6 years ago
           | ||
(In reply to Georg Koppen from comment #10)
Actually (to give you an idea about what we are concerned about), if you go to https://blog.nightly.mozilla.org/2017/06/12/datetime-inputs-enabled-on-nightly/ taking, say, en-US and de, you see that the second "Try it out" checkbox has a different width depending on whether it is populated with "mm/dd/yyyy" (en-US) or "TT.MM.JJJJ" (de) and I think that's measurable by the website.
Let me know if that's enough for you or if I should create an actual test.
Yes, they are:
161.067x33.5 (en-US)
157.4x33.5 (de)
Thanks for the example!
| Assignee | ||
| Comment 12•6 years ago
           | ||
It seems to me there's no feasible way to obtain the dimension of the date picker, so I'm not going to patch this part but only the input field part.
Do you have any concern about it?
| Comment 13•6 years ago
           | ||
(In reply to Gary Chen [:xeonchen] from comment #12)
It seems to me there's no feasible way to obtain the dimension of the date picker, so I'm not going to patch this part but only the input field part.
How does it behave if you put it inside an iframe that resizes to fit its content? (No idea if this will work; just speculating...)
| Assignee | ||
| Comment 14•6 years ago
           | ||
(In reply to Tom Ritter [:tjr] (On Leave) from comment #13)
(In reply to Gary Chen [:xeonchen] from comment #12)
It seems to me there's no feasible way to obtain the dimension of the date picker, so I'm not going to patch this part but only the input field part.
How does it behave if you put it inside an iframe that resizes to fit its content? (No idea if this will work; just speculating...)
Not sure if this is the case? Please see attached image.
The input field is in the iframe and the picker is not.
| Comment 15•6 years ago
           | ||
(In reply to Gary Chen [:xeonchen] from comment #14)
Created attachment 9049224 [details]
Screen Shot 2019-03-07 at 17.09.09.png(In reply to Tom Ritter [:tjr] (On Leave) from comment #13)
(In reply to Gary Chen [:xeonchen] from comment #12)
It seems to me there's no feasible way to obtain the dimension of the date picker, so I'm not going to patch this part but only the input field part.
How does it behave if you put it inside an iframe that resizes to fit its content? (No idea if this will work; just speculating...)
Not sure if this is the case? Please see attached image.
The input field is in the iframe and the picker is not.
I thought that might be the case but thanks for double checking!
| Comment 16•6 years ago
           | ||
(In reply to Gary Chen [:xeonchen] from comment #12)
It seems to me there's no feasible way to obtain the dimension of the date
picker, so I'm not going to patch this part but only the input field part.Do you have any concern about it?
What do you mean by "only the input field part"? Will the result solve the fingerprinting issue? That said I am not sure either why you don't just use the mechanism introduced in bug 1039069. Would we have users that hit this bug without being exposed to the prompt in bug 1039069 first? If so, this would be problematic. But if not (which I assume is the case) then one could argue that the behavior of the date picker could be bound to the result of the prompt answer (as Arthur did in the patch).
| Updated•6 years ago
           | 
| Assignee | ||
| Comment 17•6 years ago
           | ||
ni?me to update anti-fingerprinting wiki page after landing this.
| Assignee | ||
| Comment 18•6 years ago
          • | ||
(In reply to Gary Chen [:xeonchen] from comment #17)
ni?me to update anti-fingerprinting wiki page after landing this.
done
| Comment 19•6 years ago
           | ||
|   | ||
| Comment 20•6 years ago
           | ||
| bugherder | ||
 Screen Shot 2019-03-07 at 17.09.09.png
 Screen Shot 2019-03-07 at 17.09.09.png
            
Description
•