A history of Fingerprinting protection in Firefox

Fingerprinting is a common technique used predominantly by advertising agencies and marketing companies to track people on the Internet.

Mozilla introduced the preference privacy.resistFingerprinting in Firefox 41 as part of the Tor Uplift project.

The official Tor browser is based on Firefox ESR; Tor Uplift aims to introduce patches that the Tor development team makes to the Tor browser to Firefox. See our article on Tor Browser privacy changes coming to Firefox for additional information on Tor Uplift.

These preferences are set to disabled by default usually as they may break things on the Internet.

Fingerprinting protection

Fingerprinting protection is disabled by default in Firefox as it may cause quite a few issues currently when enabled.

Firefox users may notice, for instance, that they cannot install extensions on AMO using the default method thanks to the integrated User Agent spoofing in fingerprinting protection (Mozilla AMO reads the version of the browser as Firefox 52.x regardless of the actual version of the browser).

Firefox users can enable fingerprinting protection in the following way:

1. Load about:config?filter=privacy.resistFingerprinting
2. Double-click on the preference.
   1. A value of True means that the protection is enabled.
   2. A value of False that it is disabled.

Fingerprinting protection started with basic protective features, but changes in recent versions of Firefox added a significant number of additional protections to the privacy feature.

The Ghacks User JS team keeps track of these changes on the project's GitHub page. You find the most important changes and the Firefox version they are implemented in below:

• Firefox 41:  privacy.resistFingerprinting added to the browser. (418989)
• Firefox 50: spoof screen orientation (1281949)
• Firefox 50: hide navigator.plugins and navigator.mimeTypes (1281963)
• Firefox 55: spoof timezone as UTC 0 (1330890)
• Firefox 55: round window sizes to hundreds (1360039)
• Firefox 55: precision of time exposed by JavaScript reduced (1217238)
• Firefox 56: spoof/disable performance API (1369303)
• Firefox 56: spoof navigator API (1333651)
• Firefox 56: disable device sensors (1369319)
• Firefox 56: disable site-specific zoom (1369357)
• Firefox 56: hide gamepads from content (1337161)
• Firefox 56: spoof network info API as "unknown" (1372072)
• Firefox 56: disable Geolocation API (1372069)
• Firefox 56: disable WebSpeech API (1333641)
• Firefox 57: spoof media statistics (1369309)
• Firefox 57: enable fingerprinting resistance for WebGL (1217290)
• Firefox 57: reduce fingerprinting in Animation API (1382545)
• Firefox 57: enable fingerprinting resistance for Presentation API (1382533)
• Firefox 57: disable mozAddonManager Web API (1384330)
• Firefox 58: prompt before allowing canvas data extraction (967895)
• Firefox 59: spoof/block MediaDevices API fingerprinting (1372073)
• Firefox 59: spoof keyboard events and suppress keyboard modifier events (1222285)

Mozilla maintains an incomplete list of information that is blocked or spoofed on the company's support website.

You have granted the website permission.
Your timezone is reported to be UTC
Not all fonts installed on your computer are available to webpages
The browser window prefers to be set to a specific size
Your browser reports a specific, common version number
Your keyboard layout and language is disguised
Your webcam and microphone capabilities are disguised.
The Media Statistics Web API reports misleading information
Any Site-Specific Zoom settings are not applied
The WebSpeech, Gamepad, Sensors, and Performance Web APIs are disabled

The GitHub page lists reported issues and follow-ups as well as pending changes as well.

FOLLOWUPS & BUGS to RFP patches

• 1377744UTC timezone spoof: should not affect extensions
• 1426232UTC timezone spoof: create timezone spoof site permission when RFP=true (similar to canvas, default deny, allow exceptions)
• 1394448UA spoof: breaks AMO
  • you can still install extensions: right-click the + Add to Firefox button and open in a new tab
• 1397994UA spoof: CSS line-height reveals platform
• 1397996UA spoof: scrollbar thickness reveals platform
• 1409269UA spoof: OS leaks over TCP/IP FP'ing
• 1418162UA spoof: Aurora/Nightly spoofs next ESR too early, before it exists, unmasking them as Aurora/Nightly
• 1428111UA spoof: ESR spoof out of whack
• 1433676UA spoof: sub-document UA issues
• 1412961Canvas: when RFP=true breaks extensions using canvas, eg, Screenshots
• 1422862Canvas: OffscreenCanvas doesn't respect Canvas Permission Prompt
• 1422890Canvas: more tests needed
• 1429865Canvas: pref for canvas default permission
• 1418537Window Rounding: bookmark toolbar issues in FF57+
• 1428331Window: HiDPI & RFP
• 1433592Keyboard: don't spoof/suppress CTRL key (regression from 1222285 FF59+)
• 1441295GEO: Revert 1372069 as geo is behind a prompt

PENDING

• 1333933 disable/spoof fingerprintable features
• 1336208 bundle & whitelist fonts
• 1337157 disable WebGL debug renderer info
• 1369299 disable GeoIP/RegionDefault searches
• 1363508 pointer events
• 1392844 ensure that Stylo respects privacy.resistFingerprintin
• 1233846 Webspeech API further anti-FP'ing
• 1404017 option to restrict RFP to PB mode
• 1401440 split RFP into multiple possibilities
• 1428033 mitigate fingerprinting with WebGL
• 1428034 mitigate WebGL's readPixels (kind of a Canvas thing
• 1433350 disable windows user data collection

Closing Words

Fingerprinting protection is a unique feature of the Firefox browser (and compatible web browsers).

While it is undoubtedly possible to reach a similar level of protection with browser extensions, scripts, and modifications, it is good to see that Mozilla is pushing this privacy-enhancing feature.

It is not clear whether this will ever be enabled by default or listed as an option in the Firefox preferences though.

Now You: Do you use privacy add-ons in your browser?