I need zoom to not ruin my eyes - is it just too hard to mask the true zoom?

With the letterboxing, it seems like it would mostly not do anything when using a tiling WM with fixed splits. Does that sound right?

> The advertising code, which listens to window resize events, then reads the generic dimensions, sends the data to its server, and only after does Firefox remove the "gray spaces" using a smooth animation a few milliseconds later.

Would using a setTimeout() on the window resize event bypass this? Send the data 20-50ms after resize is completed giving enough time for the letterboxing stuff to go away revealing the actual dimensions, or something? They say it only blocks the dimensions during the resize event and FF removes the letterboxing "a few ms later"

> Since we don't believe it's feasible to provide some mode of Chrome that can truly prevent passive fingerprinting, we will mark all related bugs and feature requests as WontFix.

I haven't read all the analyses in the links in that article, but this sounds defeatist and lazy, much unlike a stance that Chromium would take on security or performance on the web.

Contrast the above with what this article says about Firefox:

> Firefox's upcoming letterboxing feature is part of a larger project that started in 2016, called Tor Uplift.

> Part of Tor Uplift, Mozilla developers have been slowly porting privacy-hardening features developed originally for the Tor Browser and integrating them into Firefox.

If you value online privacy, your best choice is Firefox (though it requires some additional manual configuration). Safari comes second (its extensions directory could use more love). The choice where you can add more of your influence to is Firefox — by using it, evangelizing it and by donating (if feasible) to it.

[1]: https://chromium.googlesource.com/chromium/src/+/master/docs...

This isn't just for some power users- it will increase their share among regular people whose pages will load even faster making Firefox popular.

Or are they waiting until the user share falls below 5%? Maybe they should listen to Andy grove and prepare now.

It's truly unfortunate that browsers just punted on security, dumping endless amounts of sensitive information into a purported sandbox. Why bother developing something with a secure mindset to begin with, when you can just band-aid on patches later?! It's the sendmail/ActiveX philosophy all over again, only now with network effects.

When I need actual privacy, I just use Tor which supports most sites and is way more protective of my privacy than firefox. May switch to Brave in the future for this use case as they're adding Tor support but right now Chrome + Tor every once in a while works best for me.

which seems pretty safe

I'm glad to hear the Firefox also give a lot of value to privacy

This is just factually incorrect.

I would actually think the opposite. Wouldn't it be better because then only Google would have that information? Only Google would be able to fingerprint. This is of course under the assumption (which is currently accurate) that Google has the majority share of browsers. But maybe it wouldn't be, because it would teach others how to thwart their fingerprinting.

Screenshot: https://thehackernews.com/2017/10/canvas-browser-fingerprint...

https://www.torproject.org/projects/torbrowser/design/ (see the "HTML5 Canvas Image Extraction" section)

https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-...

https://developer.mozilla.org/en-US/docs/Web/API/Canvas_API

All these other ways do is give people the illusion that they're safe from being tracked, when the reality is that they're tracked just the same, but by fewer people so the data is more valuable. This means that the money is centralizing around the actors with the most inexplicable methods of tracking; which are almost always the worst actors.

I hate it too, even though I'm not blameless. It's impossible to compete without a level playing field, and that playing field needs to be technically enforced, because otherwise we get region shopping and advertising / analytics models that push people to create intractable mechanisms so they can paper over how tracking fed into it.

For example, imagine a world where I'm bidding to show an ad to a visitor of nytimes.com. Now, I may not track the user, but if anyone is, they can incorporate what they know and sell that traffic back to me on a CPA model. All I see is the incoming traffic. I don't track anyone (wink, wink) but there is no difference.

In the long run this will either be solved one way or another, and all these online surveillance capitalism companies will crash and burn. Either we get a web with technical guarantees or we get a balkanized internet where every state makes their own weird laws about what is allowed or not.

> Finally, an extra zoom was applied to the viewport in fullscreen and maximized modes to use as much of the screen as possible and minimize the size of the empty margins. In that case, the window had a "letterbox" (margins at top and bottom only) or "pillbox" (margins at left and right only) appearance. window.devicePixelRatio was always spoofed to 1.0 even when device pixels != CSS pixels.

So presumably the window size is not being reset to real size - firefox just does a smart zoomin. In other words the fake size remains throughout entire session.

Mozilla/5.0 (Linux; Android 6.0.1; SM-G928F Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Mobile Safari/537.36

Versus Android Firefox's user agent: Mozilla/5.0 (Android 9; Mobile; rv:66.0) Gecko/66.0 Firefox/66.0

Note how the Chrome browser announces your phone model and software build version to the world.

With regional models with carrier customised software builds, simply the user agent can be used to fingerprint a user.

No, it will be a setTimeout on the document load event that will poll the window size every 100ms from here till the page is evicted by a close or navigation event, increasing the detrimental effect of adtech.

In the bug report [1] it says:

> We haven't yet landed this feature in Tor Browser for at a few reasons: > - ... > - * Tiling window managers on Linux are hard to detect. Any implementation will need to behave appropriately for those.

So it appears they are still working on that.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1407366

It might mean millions of FF users would suddenly struggle with captchas, but it might also mean that site creators just stop using reCaptcha and similar.

In about:config if you search for 'resistFingerprinting' there seem to be sub-settings which you can tweak to disable the timer modifications, but even after tweaking them I wasn't able to get performance to be as smooth as when resistFP was completely disabled.

https://panopticlick.eff.org

In the futur? Tor tabs are already a feature of Brave, as of today