@Bot
Can you list the protections that would be activated by Privacy.resist.fingerprinting set to true in Firefox 145.0.1?
You’re right that Firefox 145 added some anti‑fingerprinting that works even with `privacy.resistFingerprinting = false` (for sites classified as “Suspected Fingerprinters”).
Setting `privacy.resistFingerprinting = true` is a separate, stronger, Tor-inspired bundle that applies to all sites.
Below is what is generally enabled by `privacy.resistFingerprinting = true` (in 145.0.1 as far as Mozilla’s public docs and existing RFP design indicate). I cannot guarantee this is 100% exhaustive for exactly 145.0.1, but these are the main, documented protections.
1. User agent and platform spoofing
- Standardized User-Agent string (e.g. fixed OS / platform, reduced version info).
- Properties such as `navigator.platform`, `navigator.oscpu`, `navigator.appVersion` and `navigator.userAgent` are made less specific / unified across users.
- `Accept-Language` and some locale‑related headers/JS APIs are reduced in entropy (typically limited to a small, common set).
2. Timezone and locale
- Your timezone is exposed as UTC to websites (JS `Date`, `Intl.DateTimeFormat`, etc.).
- Date/time formatting APIs are made more uniform to avoid leaking locale/region details.
- Various time‑related APIs get reduced precision and randomization (see next section).
3. High‑resolution timers & side channels
- Timer precision is lowered and jittered, for example:
  - `performance.now()`
  - `Date.now()`
  - `requestAnimationFrame`
  - `setTimeout` / `setInterval`
- This hinders:
  - fine‑grained fingerprinting using micro‑timings
  - some timing side‑channel attacks (e.g. measuring cache behavior, hardware details).
4. Screen / window metrics
With RFP on, these protections apply globally, not just to “suspected fingerprinters”:
- Window sizes are quantized/rounded to specific buckets.
- Screen‑related values are standardized, including:
  - `screen.width` / `screen.height`
  - `screen.availWidth` / `screen.availHeight`
  - `window.innerWidth` / `window.innerHeight`
- In combination with `privacy.resistFingerprinting.letterboxing = true`, Firefox adds letterboxing (gray margins) so that resizing the window always snaps to fixed “safe” sizes.
5. Hardware & input properties
Some of these are now also used for “Suspected Fingerprinters” in 145 (as you quoted), but with RFP they should be enforced everywhere:
- `navigator.hardwareConcurrency` is clamped to:
  - 4 if you have ≤ 4 cores
  - 8 if you have > 4 cores
- `navigator.maxTouchPoints` is reported as 0, 1, or 5 (anything >1 becomes 5).
- Other device‑capability signals (e.g. some media device info) are reduced or coarsened.
- APIs such as Battery API, some sensor APIs and similar high‑entropy sources are disabled or heavily restricted.
6. Canvas, WebGL, audio, and similar APIs
Again, 145 introduces canvas noise even without RFP for known fingerprinters; with RFP enabled, these protections are applied more broadly and aggressively:
- Canvas:
  - Reading back canvas data (`toDataURL`, `getImageData`, etc.) returns noised results.
  - This affects canvas‑based fingerprinting without generally breaking normal rendering.
- WebGL:
  - Vendor/renderer strings and some capabilities are spoofed or reduced.
  - Precision / behavior of some WebGL features is standardized to reduce entropy.
- AudioContext:
  - Audio fingerprinting through `AnalyserNode`, oscillator characteristics, etc. is made less reliable (standardization and/or noise).
7. Fonts and text metrics
Some of this is now part of the “new protections” you quoted (local fonts restricted based on locale). With RFP, font‑related fingerprinting is more broadly constrained:
- Access to locally installed fonts is heavily restricted; sites see a more uniform font set.
- Font enumeration is made unreliable or blocked via standard APIs.
- Text measurement (width/height) is less dependable as a fingerprinting vector because font choices and metrics are standardized.
8. Miscellaneous entropy reductions
- Various JS / DOM APIs that can leak subtle system details either:
  - return generic values
  - or are disabled entirely.
- Some media / device enumeration is simplified (e.g. fewer details about specific microphones/cameras, or only after explicit user interaction and permission).
- Some storage / cross‑site tracking mechanisms become harder to use for fingerprinting (in combination with ETP).
How this relates to the new Firefox 145 protections you quoted
From what you posted:
- Canvas noise
- Local font restrictions
- Touch points clamped to 0/1/5
- Available screen height = screen height − 48px
- hardwareConcurrency = 4 or 8
These are now active for domains that fall under “Suspected Fingerprinters” in Enhanced Tracking Protection, even if `privacy.resistFingerprinting = false`.
When you set `privacy.resistFingerprinting = true`:
- Those same protections apply to all sites, not only to entries on Mozilla’s fingerprinting list.
- You additionally get the older Tor‑style RFP bundle: timezone=UTC, UA/platform spoofing, window size rounding/letterboxing (if enabled), timer degradation, further API restrictions, etc.
Important caveat
I don’t have Mozilla’s version‑145‑specific internal changelog, so there may be minor additions or tweaks I’m not seeing. The list above reflects the publicly documented RFP behavior carried forward into recent versions, plus the 145 changes you already quoted.
If you want to empirically see the difference on your own setup, a good approach is:
- Test with `privacy.resistFingerprinting = false` using:
- Then set `privacy.resistFingerprinting = true`, restart Firefox, and repeat.
- Compare:
  - Timezone
  - UA / OS / platform
  - Screen / window sizes
  - Number of cores / touch points
  - Canvas and WebGL behavior
That will show you very clearly which extra protections RFP is adding on top of the new 145 defaults.
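The before/after comparison suggested at the end of the reply above can be scripted; the following is an added example, not part of the bot's reply or of any Mozilla tooling. The helper names (`collectSnapshot`, `diffSnapshots`, `checkClaims`) and the sample snapshots are assumptions made for illustration, and canvas/WebGL readback is not covered.

```javascript
// Added example. collectSnapshot, diffSnapshots and checkClaims are hypothetical helper names.
// Run collectSnapshot() in the page console once per pref state and keep both results.
function collectSnapshot(env = globalThis) {
  const nav = env.navigator || {};
  const scr = env.screen || {};
  return {
    timezone: Intl.DateTimeFormat().resolvedOptions().timeZone,
    tzOffsetMinutes: new Date().getTimezoneOffset(),
    userAgent: nav.userAgent,
    platform: nav.platform,
    oscpu: nav.oscpu,
    hardwareConcurrency: nav.hardwareConcurrency,
    maxTouchPoints: nav.maxTouchPoints,
    screen: `${scr.width}x${scr.height}`,
    availScreen: `${scr.availWidth}x${scr.availHeight}`,
    innerWindow: `${env.innerWidth}x${env.innerHeight}`,
  };
}

// Report every property whose value differs between the two runs.
function diffSnapshots(before, after) {
  const changed = {};
  for (const key of new Set([...Object.keys(before), ...Object.keys(after)])) {
    if (before[key] !== after[key]) changed[key] = { before: before[key], after: after[key] };
  }
  return changed;
}

// Check one snapshot against the values the reply states for RFP:
// timezone exposed as UTC, cores reported as 4 or 8, touch points as 0, 1 or 5.
function checkClaims(snap) {
  const failures = [];
  if (snap.tzOffsetMinutes !== 0) failures.push("timezone offset is not UTC");
  if (![4, 8].includes(snap.hardwareConcurrency)) failures.push("hardwareConcurrency is not 4 or 8");
  if (![0, 1, 5].includes(snap.maxTouchPoints)) failures.push("maxTouchPoints is not 0, 1 or 5");
  return failures;
}

// Constructed sample snapshots (not captured from a real browser).
const SAMPLE_RFP_OFF = { tzOffsetMinutes: -60, platform: "platform-A", hardwareConcurrency: 12,
  maxTouchPoints: 10, screen: "2560x1440", innerWindow: "1873x1012" };
const SAMPLE_RFP_ON = { tzOffsetMinutes: 0, platform: "platform-B", hardwareConcurrency: 8,
  maxTouchPoints: 5, screen: "1400x900", innerWindow: "1400x900" };

console.log(diffSnapshots(SAMPLE_RFP_OFF, SAMPLE_RFP_ON));
console.log(checkClaims(SAMPLE_RFP_ON));
```

An empty array from `checkClaims` means the snapshot matches the three values listed in the reply; any entry names the property that still exposes a machine-specific value.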