Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

privacy.resistFingerprinting spoofs weird screen resolution

  • 14 replies
  • 2 have this problem
  • 402 views
  • Last reply by hyperfekt

more options

When enabling privacy.resistFingerprinting my detected screen resolution changes from the very normal 1920x1080 to the practically unique 1887x989. What's up with that? I can't believe this is very conducive to preventing fingerprinting.

When enabling privacy.resistFingerprinting my detected screen resolution changes from the very normal 1920x1080 to the practically unique 1887x989. What's up with that? I can't believe this is very conducive to preventing fingerprinting.

Chosen solution

Thanks for the link, that allowed me to trace down the reasoning to https://trac.torproject.org/projects/tor/ticket/4810, as the patch is apparently ported straight from Tor Browser. In Tor Browser not changing the window's real size is deemed essential to preventing fingerprinting. It appears the same is required for privacy.resistFingerprinting to be of any use in Firefox, as such it should be considered to document that the property is not a privacy enhancement for normal users, as many mistakenly think. Spoofing a common resolution instead as I suggested is pointless, because changing the window size alone already destroys any chance of being able to resist fingerprinting.

Read this answer in context 👍 1

All Replies (14)

more options

Computer model and GPU type?

more options

That is how resistFingerprinting works and this is intended behavior. Some specific settings are spoofed to make Firefox look like a generic browser and this includes the screen resolution setting and the time zone (UTC) and the user agent.

You will also notice that the user agent shows Firefox 52 ESR on Windows 7 and not your Linux user agent. User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101

See also:


window.maxInnerWidth window.maxInnerHeight timezone: TZ=UTC

Bug 1330882 - When privacy.resistFingerprinting = true, set new windows to rounded dimensions [tor 19459]

Modified by cor-el

more options

WestEnd said

Computer model and GPU type?

I am running Firefox on a Dell Latitude E5470 with an Intel HD530, however it is running in a virtual machine and as such the GPU is not directly accessible to the browser, but virtualized as 'VMware, Inc. -- llvmpipe (LLVM 4.0, 256 bits)'. However I am not sure what the GPU model has to do with the spoofed parameters? Mind that my real screen resolution remains unchanged.

more options

You can look at my above reply posted a few seconds before your reply in case you missed it.

more options

cor-el said

That is how resistFingerprinting works and this is intended behavior. Some specific settings are spoofed to make Firefox look like a generic browser and this includes the screen resolution setting and the time zone (UTC) and the user agent.

I am aware of that, however the specific value that the screen resolution is spoofed to massively degrades privacy instead of improving it, as there don't seem to be any other browser instances with that specific value on the web. Surely that's not intended, or does every Firefox with privacy.resistFingerprinting = true have that exact value?

Modified by hyperfekt

more options
more options

To my limited understanding that code only deals with the window size as a result of the screen resolution, not the spoofing of the screen resolution?

more options

This is a better place to see what is done:

CalcRoundedWindowSizeForResistingFingerprinting():

more options

What does my resolution test page show:

https://www.jeffersonscher.com/res/resolution.php

On a system with a 1920 x 1200 display, Windows "Text Size" of 125%, mine detects:

JavaScript screen.width x screen.height = 1536 x 960 (true) window.devicePixelRatio = 1.25 device pixels per CSS pixel (true) Computed "true" screen.width x screen.height = 1920 x 1200 (correct)

That remains the same whether the window is maximized or resizable.

I set resistFingerprinting true and now got this with the window maximized:

JavaScript screen.width x screen.height = 1536 x 850 (width true) window.devicePixelRatio = 1 device pixels per CSS pixel (lie) Computed "true" screen.width x screen.height = 1536 x 850 (wrong)

When I restored the window to resizable, the screen.width/height were reduced to match the window size:

JavaScript screen.width x screen.height = 1001 x 801 (lie) window.devicePixelRatio = 1 device pixels per CSS pixel (lie) Computed "true" screen.width x screen.height = 1001 x 801 (wrong)

That's odd. Maybe the intention is to make this particular metric useless rather than universal?

Modified by jscher2000 - Support Volunteer

more options

As screen size it shows 1920x1080 without resistFingerprinting, 1887x989 with it. In both cases the window size is 1887x989 and all pixel ratios are 1. The 1887x989 changes when I change the actual window's size.

So apparently with resistFingerprinting the screen resolution is set to the window size, which prevents finding out the screen resolution but also enables fingerprinting, the exact opposite this preference purports to do. I feel like it would be much more sensible to spoof screen resolution as a common screen resolution that is larger than the current window size.

Modified by hyperfekt

more options

hyperfekt said

I feel like it would be much more sensible to spoof screen resolution as a common screen resolution that is larger than the current window size.

There probably are places where this feature is under refinement. The most typical places to make new feature suggestions are:

more options

I was thinking about opening a bug report, since this seems like it's breaking the feature instead of just being something that would be an added feature.

more options

It looks like this change was made intentionally in Bug #418986:

  • screen.width => report window.innerWidth
  • screen.height => report window.innerHeight

That change is in this patch from June 7, 2015 (Firefox 41): https://hg.mozilla.org/mozilla-central/rev/3abb08512b24#l5.1

I don't know if anyone will be interested in changing it, but you could file a new bug making your pitch.

more options

Chosen Solution

Thanks for the link, that allowed me to trace down the reasoning to https://trac.torproject.org/projects/tor/ticket/4810, as the patch is apparently ported straight from Tor Browser. In Tor Browser not changing the window's real size is deemed essential to preventing fingerprinting. It appears the same is required for privacy.resistFingerprinting to be of any use in Firefox, as such it should be considered to document that the property is not a privacy enhancement for normal users, as many mistakenly think. Spoofing a common resolution instead as I suggested is pointless, because changing the window size alone already destroys any chance of being able to resist fingerprinting.

Modified by hyperfekt