TBB sets its window size to some presets all the time, but when a video (e.g. on YouTube) is played in TBB and I click fullscreen on the video, is letterboxing still in effect?
No, the full screen feature will leak your real display dimensions. Websites cannot invoke full screen whenever they want though, there has to be some sort of user input (like a mouse click). You might be able to get a workaround though, by using the picture-in-picture feature to pop out the video, and then full screen the floating video window by double clicking it, but I am not sure if that prevents websites from reading the dimensions of the video window.
Hey,
I think there are two full-screen modes: one for Tor Browser, i.e. when one presses F11 on any page and the whole TBB goes full-screen (but the menu is still there); and one for videos, which is also triggered by F11, sometimes “f”, and many times a double-click, where only the video is full-screen (Ctrl-Tab will exit full-screen and switch to the next tab) and the menu is not accessible.
But I have no idea whether the latter allows the website to know the actual full-screen size of the video. At least the controls must have a way to know the width.
So that would mean in either case they are able to know the width. I can’t say about the height, but I would suppose it’s easy to find out in the latter case too.
My 2 cents!
I can think of 4 “fullscreen modes” in this context:
- browser window
- website’s video player
- browser’s own built-in video player used when you open a server’s video file directly
- browser’s “Picture-in-Picture” video player that you can spawn from the website’s video player
Fullscreening the browser’s own built-in player does not leak your viewport or resolution size. This player is not running any of the website’s scripts but is simply fetching a URL which points to a video file (such as .mp4) on some server.
Hypothetically it could leak your resolution if the browser itself was sending the player size via request headers or payload to the server, but if you inspect the request with the Network tool (Ctrl+Shift+E) you’ll see the browser uses generic request headers.
But I’m more interested in what’s going on with the browser’s “Picture-in-Picture” video player that Tor Browser 11.0 now supports. To what extent is it independent from the website’s player from which it spawns? If I resize it, will the website’s player see this as a change in its own size?
You are full of knowledge. Thanks, all.
Can anyone answer his question?
Recently I found that on a website, clicking the play button on an image makes TBB enter fullscreen (like a slide show). Is this another mode of fullscreen?
PiP is currently disabled in TB/MB, but we will likely enable it - see “compat: Investigate Picture-In-Picture safety” (#40147), The Tor Project / Applications / Tor Browser on GitLab.
AFAICT this is a Gecko-only solution, and the “picture” popup is protected, i.e. you can’t run JS fingerprinting code in or at it etc.
If you go to TZP you will see some values not filled in - these include
- [ click ] fullscreenElement
- [F11] fullscreen
try them … go on … the world won’t end (yet). The first is the fullScreen API which requires user actions (not hard to elicit that but not useful for websites if it scares people, e.g. suddenly going fullscreen without their explicit knowledge). The second is if you use F11 and just fullscreen the browser. The first has no protection, the second does … try them, I double dare you to
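A way to run the same comparison yourself, as an added example that is not part of the original thread or of TZP: pasted into the browser console, the script below logs which size properties start matching your real display after element fullscreen or F11. The function names, the `realDisplay` value and the sample snapshots are assumptions made for this illustration.

```javascript
// Added example (not from the thread). All names and sample values are constructed.
// Values related to window/display size that any page script can read.
function snapshot(win) {
  return {
    innerWidth: win.innerWidth, innerHeight: win.innerHeight,
    outerWidth: win.outerWidth, outerHeight: win.outerHeight,
    screenWidth: win.screen.width, screenHeight: win.screen.height,
    availWidth: win.screen.availWidth, availHeight: win.screen.availHeight,
  };
}

// Names of the properties in `snap` that equal the tester's real display size.
function exposedProperties(snap, realDisplay) {
  return Object.keys(snap).filter((name) => {
    const real = /width$/i.test(name) ? realDisplay.width : realDisplay.height;
    return snap[name] === real;
  });
}

// Properties that match the real display in `after` but did not in `before`.
function newlyExposed(before, after, realDisplay) {
  const already = new Set(exposedProperties(before, realDisplay));
  return exposedProperties(after, realDisplay).filter((n) => !already.has(n));
}

// Constructed sample: a window at a preset size, then the same page after fullscreen.
const SAMPLE_DISPLAY = { width: 1920, height: 1080 };
const SAMPLE_BEFORE = {
  innerWidth: 1000, innerHeight: 900, outerWidth: 1000, outerHeight: 900,
  screenWidth: 1000, screenHeight: 900, availWidth: 1000, availHeight: 900,
};
const SAMPLE_AFTER = { ...SAMPLE_BEFORE, innerWidth: 1920, innerHeight: 1080 };

if (typeof document !== "undefined") {
  // In a browser: set realDisplay to your own monitor size, then click a
  // video's fullscreen button or press F11 and read the console.
  const realDisplay = { width: 1920, height: 1080 }; // assumption: edit this
  const baseline = snapshot(window);
  const report = (event) => console.log(
    event.type, "fullscreenElement set:", document.fullscreenElement !== null,
    newlyExposed(baseline, snapshot(window), realDisplay));
  document.addEventListener("fullscreenchange", report);
  window.addEventListener("resize", report);
} else {
  // Outside a browser: run the comparison on the constructed sample.
  console.log(newlyExposed(SAMPLE_BEFORE, SAMPLE_AFTER, SAMPLE_DISPLAY));
}
```

An empty list after a mode change means none of the logged properties moved to your real display size in that mode.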