(In reply to j.j. from comment #11)
> if the proposal "Remove browser and OS architecture from Firefox's User-Agent string?"
> https://groups.google.com/forum/m/#!topic/mozilla.dev.platform/vEMIqgnMxRw
>
> was done, at least the same removal had to be done in `navigator.oscpu` for fingerprinting reasons.

In that thread, dbaron asked if we should keep `navigator.oscpu` so sites can differentiate 32- and 64-bit OS (e.g. to offer compatible software downloads). That would still allow _active_ fingerprinting, but JavaScript might be able to detect other differences between 32- and 64-bit browsers. We could still remove the platform architecture from the UA string to limit _passive_ fingerprinting by servers.

Alternately, we could support that use case by making `navigator.userAgent` return a UA string _with_ the platform architecture (like today's current UA string) while the User-Agent header sends a UA string _without_ the platform architecture. Then `navigator.oscpu` could return the empty string "" because it wouldn't be needed. I don't know which approach is uglier. :)

Every browser has a UA string, but only Gecko has `navigator.oscpu`. Returning an empty string "" from `navigator.oscpu` (and using different UA strings in the User-Agent header and `navigator.userAgent`) would be a path converging towards other browsers.

Poking around on GitHub, I see quite a few scripts using `navigator.oscpu` as a fallback option for sniffing the platform, but the half-dozen or so scripts I looked at all verified that `navigator.oscpu` was defined before using it. So we might be able to make `navigator.oscpu` return an empty string "" (or even `undefined`) without significant breakage.

Here is the Chromium issue to consider adding `navigator.oscpu` for Gecko compat: https://bugs.chromium.org/p/chromium/issues/detail?id=602611

Bug 1120892 Comment 12 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

(In reply to j.j. from comment #11)
> if the proposal "Remove browser and OS architecture from Firefox's User-Agent string?"
> https://groups.google.com/forum/m/#!topic/mozilla.dev.platform/vEMIqgnMxRw
>
> was done, at least the same removal had to be done in `navigator.oscpu` for fingerprinting reasons.

In that thread, dbaron asked if we should keep `navigator.oscpu` so sites can differentiate 32- and 64-bit OS (e.g. to offer compatible software downloads). That would still allow _active_ fingerprinting, but JavaScript might be able to detect other differences between 32- and 64-bit browsers anyways. We could still remove the platform architecture from the UA string to limit _passive_ fingerprinting by servers.

Alternately, we could support that use case by making `navigator.userAgent` return a UA string _with_ the platform architecture (like today's current UA string) while the User-Agent header sends a UA string _without_ the platform architecture. Then `navigator.oscpu` could return the empty string "" because it wouldn't be needed. I don't know which approach is uglier. :)

Every browser has a UA string, but only Gecko has `navigator.oscpu`. Returning an empty string "" from `navigator.oscpu` (and using different UA strings in the User-Agent header and `navigator.userAgent`) would be a path converging towards other browsers.

Poking around on GitHub, I see quite a few scripts using `navigator.oscpu` as a fallback option for sniffing the platform, but the half-dozen or so scripts I looked at all verified that `navigator.oscpu` was defined before using it. So we might be able to make `navigator.oscpu` return an empty string "" (or even `undefined`) without significant breakage.

Here is the Chromium issue to consider adding `navigator.oscpu` for Gecko compat: https://bugs.chromium.org/p/chromium/issues/detail?id=602611

(In reply to j.j. from comment #11)
> if the proposal "Remove browser and OS architecture from Firefox's User-Agent string?"
> https://groups.google.com/forum/m/#!topic/mozilla.dev.platform/vEMIqgnMxRw
>
> was done, at least the same removal had to be done in `navigator.oscpu` for fingerprinting reasons.

In that thread, dbaron asked if we should keep `navigator.oscpu` so sites can differentiate 32- and 64-bit OS (e.g. to offer compatible software downloads). That would still allow _active_ fingerprinting, but JavaScript might be able to detect other differences between 32- and 64-bit browsers anyways. We could still remove the platform architecture from the UA string to limit _passive_ fingerprinting by servers.

Alternately, we could support platform detection by making `navigator.userAgent` return a UA string _with_ the platform architecture (like today's current UA string) while the User-Agent header sends a UA string _without_ the platform architecture. Then `navigator.oscpu` could return the empty string "" because it wouldn't be needed. I don't know which approach is uglier. :)

Every browser has a UA string, but only Gecko has `navigator.oscpu`. Returning an empty string "" from `navigator.oscpu` (and using different UA strings in the User-Agent header and `navigator.userAgent`) would be a path converging towards other browsers.

Poking around on GitHub, I see quite a few scripts using `navigator.oscpu` as a fallback option for sniffing the platform, but the half-dozen or so scripts I looked at all verified that `navigator.oscpu` was defined before using it. So we might be able to make `navigator.oscpu` return an empty string "" (or even `undefined`) without significant breakage.

Here is the Chromium issue to consider adding `navigator.oscpu` for Gecko compat: https://bugs.chromium.org/p/chromium/issues/detail?id=602611

(In reply to j.j. from comment #11)
> if the proposal "Remove browser and OS architecture from Firefox's User-Agent string?"
> https://groups.google.com/forum/m/#!topic/mozilla.dev.platform/vEMIqgnMxRw
>
> was done, at least the same removal had to be done in `navigator.oscpu` for fingerprinting reasons.

In that thread, dbaron asked if we should keep `navigator.oscpu` so sites can differentiate 32- and 64-bit OS (e.g. to offer compatible software downloads). That would still allow _active_ fingerprinting, but JavaScript might be able to detect other differences between 32- and 64-bit browsers anyways. We could still remove the platform architecture from the UA string to limit _passive_ fingerprinting by servers.

Alternately, we could support platform detection by making `navigator.userAgent` return a UA string _with_ the platform architecture (like today's current UA string) while the User-Agent header sends a UA string _without_ the platform architecture. Then `navigator.oscpu` could return the empty string "" because it wouldn't be needed. I don't know which approach is uglier. :)

Every browser has a UA string, but only Gecko has `navigator.oscpu`. Returning an empty string "" from `navigator.oscpu` (and using different UA strings in the User-Agent header and `navigator.userAgent`) would be a path converging towards other browsers.

Poking around on GitHub, I see quite a few scripts using `navigator.oscpu` as a fallback option for sniffing the platform, but the half-dozen or so scripts I looked at all verified that `navigator.oscpu` was defined before using it. So we might be able to make `navigator.oscpu` return an empty string "" (or just remove it and return `undefined`) without significant breakage.

Here is the Chromium issue to consider adding `navigator.oscpu` for Gecko compat: https://bugs.chromium.org/p/chromium/issues/detail?id=602611
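
The compatibility question raised in the comment above, as an added example that is not code from the bug or from any of the scripts the commenter looked at: it runs a guarded and an unguarded `navigator.oscpu` fallback against three constructed navigator-like objects (today's value, empty string, property removed). The function names, the sample UA string without architecture and the sample `oscpu` value are assumptions made for illustration.

```javascript
// Constructed stand-ins for `navigator`; the UA string models the proposal
// (architecture tokens removed) and is not taken from a real release.
const UA_NO_ARCH = "Mozilla/5.0 (Windows NT 10.0; rv:70.0) Gecko/20100101 Firefox/70.0";
const SCENARIOS = {
  today:       { userAgent: UA_NO_ARCH, oscpu: "Windows NT 10.0; Win64; x64" },
  emptyString: { userAgent: UA_NO_ARCH, oscpu: "" },
  removed:     { userAgent: UA_NO_ARCH }, // nav.oscpu evaluates to undefined
};

// Map a platform string to an architecture label, or null if it says nothing.
function classify(s) {
  if (/\b(?:Win64|WOW64|x64|x86_64|amd64)\b/i.test(s)) return "64-bit";
  if (/\b(?:i[3-6]86|x86)\b/i.test(s)) return "32-bit";
  return null;
}

// Guarded fallback: oscpu is consulted only when it is a non-empty string.
function sniffGuarded(nav) {
  const fromUA = classify(nav.userAgent);
  if (fromUA) return fromUA;
  if (typeof nav.oscpu === "string" && nav.oscpu !== "") {
    return classify(nav.oscpu) || "unknown";
  }
  return "unknown";
}

// Unguarded fallback: assumes oscpu is always a string.
function sniffUnguarded(nav) {
  const fromUA = classify(nav.userAgent);
  if (fromUA) return fromUA;
  return nav.oscpu.indexOf("64") !== -1 ? "64-bit" : "unknown";
}

// Run both sniffers over every scenario; record the result or the error name.
function compatReport() {
  const report = {};
  for (const [name, nav] of Object.entries(SCENARIOS)) {
    report[name] = {};
    for (const [label, fn] of [["guarded", sniffGuarded], ["unguarded", sniffUnguarded]]) {
      try { report[name][label] = fn(nav); }
      catch (e) { report[name][label] = e.name; }
    }
  }
  return report;
}

console.log(compatReport());
```

In this run the empty string degrades both styles to "unknown", while removing the property makes only the unguarded style throw a `TypeError`.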