window.resizeTo() should also use innerHeight/innerWidth instead of outerHeight/outerWidth. Otherwise web pages can open a popup, call window.resizeTo(), and get innerHeight/innerWidth to circumvent the restriction.

On 2019/09/08 13:57, Tom Ritter wrote:
> Summary:
> window.outerHeight/outerWidth are legacy properties that report the
> size of the outer window of the browser. By subtracting against
> innerHeight/innerWidth it exposes the size of the user's browser
> chrome which can be unique depending on customization, but at the
> least reveals non-standardized information that can be used for
> fingerprinting purposes.
>
> I have a hard time figuring out how a website would use it for
> (legitimate|reasonable) rendering purposes. I discussed it with Anne
> and we'd like to neuter it and see if we can remove this
> fingerprintable information if possible.
>
> Tor Browser (and RFP mode) has reported the values of
> innerHeight/innerWidth for outerHeight/outerWidth for a long time and
> I haven't seen or heard of any breakage caused as a result of that.
>
> (We'll also need to spoof window.screenX and window.screenY as
> window.mozInnerScreenX and window.mozInnerScreenY respectively.)
>
> Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1579584
> Standard: https://www.w3.org/TR/cssom-view-1/#dom-window-outerwidth
> Platform coverage: All, although TBH I don't know how this behaves on
> Android...
>
> Preference: Yes, this will be controlled by a preference that I'll
> flip for Nightly for now and watch for reports of breakage.
>
> DevTools bug: n/a
> Other browsers: I haven't proposed this to any other browsers.
> web-platform-tests: I don't believe any WPT actually test for the
> correct value here.
> Secure contexts: This will be applicable everywhere
>
> I considered adding telemetry for the properties; but reading them
> doesn't imply websites are relying on them for anything.
>
> -tom
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
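
A regression-style check for the leaks discussed in this thread, as an added example that is not part of either message or of Firefox's code. `makeWindow` is a constructed stand-in for a browser window with made-up sizes, and `auditWindowMetrics` is a hypothetical helper; the model assumes an unpatched resizeTo() applies the requested size to the outer window.

```javascript
// Added example: constructed stand-in for a browser window, not Firefox code.
// All sizes are made-up sample values.
function makeWindow({ chromeW, chromeH, spoofOuter, resizeUsesInner }) {
  return {
    innerWidth: 1000, innerHeight: 700,
    mozInnerScreenX: 8, mozInnerScreenY: 90,
    get outerWidth() { return this.innerWidth + (spoofOuter ? 0 : chromeW); },
    get outerHeight() { return this.innerHeight + (spoofOuter ? 0 : chromeH); },
    get screenX() { return spoofOuter ? this.mozInnerScreenX : 0; },
    get screenY() { return spoofOuter ? this.mozInnerScreenY : 0; },
    // Unpatched model: the requested size is applied to the outer window,
    // so the content area ends up smaller by the chrome size.
    resizeTo(w, h) {
      this.innerWidth = resizeUsesInner ? w : w - chromeW;
      this.innerHeight = resizeUsesInner ? h : h - chromeH;
    },
  };
}

// Hypothetical helper: lists every way `win` still reveals the chrome size.
function auditWindowMetrics(win) {
  const findings = [];
  const dw = win.outerWidth - win.innerWidth;
  const dh = win.outerHeight - win.innerHeight;
  if (dw !== 0 || dh !== 0) findings.push(`outer-inner delta: ${dw}x${dh}`);
  if (win.screenX !== win.mozInnerScreenX || win.screenY !== win.mozInnerScreenY) {
    findings.push("screenX/screenY not equal to mozInnerScreenX/mozInnerScreenY");
  }
  // The resizeTo() case from the reply: request a size, read back the inner size.
  const reqW = 800, reqH = 600;
  win.resizeTo(reqW, reqH);
  const rw = reqW - win.innerWidth;
  const rh = reqH - win.innerHeight;
  if (rw !== 0 || rh !== 0) findings.push(`resizeTo delta: ${rw}x${rh}`);
  return findings;
}

const sampleChrome = { chromeW: 16, chromeH: 85 }; // constructed chrome size
const cases = {
  unpatched: makeWindow({ ...sampleChrome, spoofOuter: false, resizeUsesInner: false }),
  outerSpoofedOnly: makeWindow({ ...sampleChrome, spoofOuter: true, resizeUsesInner: false }),
  fullyPatched: makeWindow({ ...sampleChrome, spoofOuter: true, resizeUsesInner: true }),
};
for (const [name, win] of Object.entries(cases)) {
  console.log(name, auditWindowMetrics(win));
}
```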