FPP canvas can fail in service workers [1878716]

[Thorin-Oakenpants]

• https://bugzilla.mozilla.org/show_bug.cgi?id=1885471 dupe
• https://bugzilla.mozilla.org/show_bug.cgi?id=1878716
• also https://bugzilla.mozilla.org/show_bug.cgi?id=1889762 for nerds

---

Originally posted by @mik0l in #1716 (comment)

Not always, but sometimes there is a leak in "Service".

1. Start browser and paste into the address bar https://abrahamjuliot.github.io/creepjs/tests/workers.html
2. If there is no leak, close browser and return to step 1.

---

Originally posted by @Thorin-Oakenpants in #1716 (comment)

OK, so I can confirm (nightly 125) - the result in SWers sometimes (I get it almost every time) is not randomized

@tomrittervg see STR ~~in previous comment

this is without FPP

some FPP examples

[Thorin-Oakenpants]

spinning this off to a separate issue so I can track it

[Thorin-Oakenpants]

^ ping! @tomrittervg reminder .. next reminder in 3 more days :)

[tomrittervg]

I have it in my list, I'm in training the next couple days, so I'm not sure if I'll get to it before next reminder ;)

[Thorin-Oakenpants]

no worries, I'll stop pinging you now :) But this is a blocker for #1804 and unlocking the hundreds of millions of arkenfox users into FPP for testing and reporting 👀

[Thorin-Oakenpants]

https://bugzilla.mozilla.org/show_bug.cgi?id=1885471

[tomrittervg]

It looks like the window.open patches in https://bugzilla.mozilla.org/show_bug.cgi?id=1878716 will resolve this also

[Thorin-Oakenpants]

don't forget https://bugzilla.mozilla.org/show_bug.cgi?id=1889762 😃

[Thorin-Oakenpants]

@tomrittervg did you know (at least FF125+) that if you have RFP enabled and you have ETP Strict enabled - that when you relax RFP canvas extraction, FPP kicks in

here's an example showing RFP is on with RFP values for speech engines, media devices, audio context keys + values, etc .. with said conditions above (canvas exception, ETP blue shield .. it's strict)

I wonder if this would happen in TB next ESR since it's already in PB mode (hence FPP by default) - cc @pospeselr

edit: so RFP overrides FPP where RFP is used. But if FPP adds protections not covered by RFP then there's nothing to stop them from being applied - e.g. when RFP canvas is excepted. This is probably fine, since anything FPP adds can only be a net gain

[tomrittervg]

Yeah... I think we should have a bug on file for this. Canvas is just unusual because there's 4 behaviors to account for across the 2 different modes and then 2 ways of exempting a site that affect the modes differently.

[Thorin-Oakenpants]

gah .. still failing: STR

• turn off ETP Strict and use non-PB mode (and disable RFP)
• new session load https://abrahamjuliot.github.io/creepjs/tests/workers.html
• get your real canvas value: for me that is 0e8c9761 (on all four tests)
• turn on ETP Strict
• close browser (and I sanitize everything on close)
• test
• close, open
• test
• rinse repeat

It's not applying any FPP on canvas

[Thorin-Oakenpants]

weird - TZP shows FPP is used .. but that creepy test is showing no changes - it always shows 0e8c9761 which is my real value

edit: even weirder : PB mode is not showing FPP canvas - i,e we are returning the expected values as per TZP test I'm an idiot, accidentally opened file:// instead of https

[Thorin-Oakenpants]

Yeah... I think we should have a bug on file for this. Canvas is just unusual because there's 4 behaviors to account for across the 2 different modes and then 2 ways of exempting a site that affect the modes differently.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42556