Tor Browser auto resize feature functional in Qubes?

In Qubes dom0 have ultimate control over window position/size. VM
application isn’t asked before doing any move/resize operation. What VM
application can do, is to advertise that some window should not be
maximized, some minimum/maximum size. And if application really want, it
can undo the change.
Not sure what to do here to not introduce too much complexity.

Maybe disable maximizing at all for this window? Possibly with some option
to disable the protection? Not a good UX… But how useful/often is
maximizing TorBrowser window? IIUC this leaks screen resolution, so
isn’t a good idea.

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Not great UX and possibly fingerprintable since on other platforms users are doing this.

[quote=“marmarek, post:21, topic:1480”]
But how useful/often is maximizing TorBrowser window?[/quote]
Very. I suspect it’s a very common thing.

[quote=“marmarek, post:21, topic:1480”]
IIUC this leaks screen resolution, so isn’t a good idea.[/quote]
Not so much. TBB developers implemented to round up resolutions up to common sizes recently.

So we really have a Qubes vs Non-Qubes difference here that results in a fingerprinting vector.

Started VNC session (vnc4server, not x11vnc), so window doesn’t interact directly with Qubes GUI agent. It uses kwin as window manager. And still nothing happens when resizing the window (no automatic correction, no gray area, etc). But there is a warning about maximizing. So there is some difference (not sure if warning presence itself is fingerprintable).

Interestingly when I switch to fullscreen (F11), there is no warning, in none of the cases (VNC, direct Qubes).

All tests done in Whonix workstation.

I advice to test qubes-template-debian based AppVM vs non-Qubes Debian
to get Whonix out of the equation.

The same result. What is expected behavior? Is it only about missing maximize warning? Or also something should happen on any resize?


The same result.

To be expected. My point is just, to figure out a non-Qubes Debian vs
qubes-template-debian issue it’s a lot better to not use Whonix. Thereby
anything that Whonix does is guaranteed from not interfering. Otherwise
what we are chasing just gets more complicated and could theoretically
be a Whonix issue. As a best debugging practice.

Yes, Whonix wasn’t involved in the second test.

No. I think we can forget about maximize warning… I’ve tested with Tor Browser 6.0a4 hardened: there is no maximization warning message anymore. Neither in plain Debian nor in Qubes Debian template.

Resolution plain Debian vs Qubes Debian template should match. But does not. Included in the following bug report…

Answer is included in the following bug report…

Tor Browser 6.0a4 hardened: there is no maximization warning message anymore. Neither in plain Debian nor in Qubes Debian template.

yes it doesnt. but u r talking about alpha releases, how about stable releases ? till now stable releases giving the same warning, in other word users of stable TBB inside Qubes-Whonix r traceable with page size problem, until either TBB releases their stable version of 6 or Whonix fix this now.

Good day,

Like said before, the TBB is able to obfuscate your real resolution, as long as JS is turned of. And once it is turned on, there are far bigger tracking factors in play, which is why at this point I don’t see a problem arising from this.
Have a nice day,


Got asked just now if this is still an issue.


Can you still reproduce this bug?

1 Like

still an issue , TBB cant know what size the screen running into. (no warnings when you full size the screen)

1 Like

TB fixed it by using letterboxing (commented on github ticket as well)

1 Like

Readings are from JavaScript Browser Information - BrowserLeaks :

TB version: 11.0.14

  • Tor browser in plain debian

  • Tor browser in whonix virtualbox

  • Tor browser in whonix qubes

From the readings above there is no identifier to Qubes specific.

1 Like

I suppose you used VirtualBox in windowed mode? In other words, I suppose you used VirtualBox not in full screen mode?

First we need data… The relevant output in textual format as a summary to make an easy comparison…

  • Screen Resolution 1000x600
  • Full Leak Test 1280x800
  • Screen Resolution 1000x500
  • Fullscreen Leak Test 1280x703
  • Screen Resolution 1000x600
  • Fullscreen Leak Test 1368x768

I suppose this was tested on the very same hardware?

Now that we have the data in summary… It’s easier to compare and make conclusions…

So there is a difference in Fullscreen Leak Test in plain Debian versus Qubes-Whonix. Right?

Could you please confirm that,

  • Qubes Debian App Qube equals
  • Qubes-Whonix-Workstation App Qube?

I guess it does but I am sure this will come up at qubes-issues.

Also for testing in this case the following things should be irrelevant:

  • Whonix
  • Tor Browser

What would be a valid test otherwise?

  • A) plain Debian + Firefox, versus
  • B) Qubes Debian App Qube + Firefox.


  • Because ideally Qubes GUI implementation should neither rely on Tor Browser to fix this issue using letterboxing (which does probably not suffice as seen above), nor
  • should it rely on Whonix for it.

Screen resolution on plain Debian versus Qubes Debian App Qube using Firefox should be the same on the same hardware anyhow in the interest of Qubes alone, no?


vbox and debian plain: yes
qubes on different machine

if using the same screen/monitor size there are no differences, the fullscreen leak test is no specific where TB/FF installed its just a real leak happen due to browser level issue (the result above different because the results came out from two different monitors sizes because qubes has its own machine).

yes it is equal (FF or TB)

so like i said now this is browser leak issue not OS issue.

1 Like

To demonstrate that there is a operating system specific screen resolution fingerprinting issue, it needs to be done on the same hardware or at least the same monitor with the same desktop resolution.

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]