Bug 1865766 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Freeze (hard code) the Android OS version in Firefox’s UA string at "Android 10".

This will match Chrome Android's UA string. As part of Chrome’s UA reduction, Google froze the Android OS version exposed in Chrome’s UA string to "10". Google finished rolling out that change in Chrome 110 in May 2023: https://www.chromium.org/updates/ua-reduction

This change will affect the "User-Agent" HTTP header and `navigator.userAgent` Web API in Firefox, Focus, and any third-party apps using GeckoView. This change will be behind a pref so it can be disabled quickly, if needed.

## Goals

1. Reduce fingerprintable entropy passively exposed to the web.
2. Reduce risk of webcompat breakage.

Firefox’s UA string currently exposes 14 different Android major and minor versions between Android 5.0 and 14. That’s about ~4 bits of fingerprintable entropy. Freezing the Android version would reduce that to 0 bits.

An example of webcompat breakage that could be avoided with a frozen Android version: when Google dropped the ".0" minor version in Android 9’s version, many websites broke because their UA string parsers assumed OS versions always included a "." and minor version, even if only ".0". Even Firefox’s DevTools had a bug parsing the Android 9 version (bug 1743334).

An important difference in Chrome’s UA reduction is that Chrome still exposes the actual Android OS version in the UA Client-Hints HTTP headers and `navigator.userAgentData` Web API. So sites that really want to know the user’s Android OS version can add new code to detect it. Sites would not have that option in Firefox unless we implement `navigator.userAgentData` in bug 1750143.

Example UA strings:

BEFORE: `Mozilla/5.0 (Android 5.0; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0`
BEFORE: `Mozilla/5.0 (Android 5.1; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0`
BEFORE: `Mozilla/5.0 (Android 14; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0`
AFTER: `Mozilla/5.0 (Android 10; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0`

## Risks

Some websites might report that Android 10 is out of date, but that risk is low because Chrome also froze its UA string at Android version 10. We can fix such websites using Firefox’s site interventions to override the UA on those websites.

Some websites might attempt to use intent URIs to launch a native app that’s not available on Android < 10. I don’t know of any such examples, but those websites would not have worked on Android < 10 anyway… unless they would have launched a different native app for Android < 10?

Freeze (hard code) the Android OS version in Firefox’s UA string at "Android 10".

This will match Chrome Android's UA string. As part of Chrome’s UA reduction, Google froze the Android OS version exposed in Chrome’s UA string to "10". Google finished rolling out that change in Chrome 110 in May 2023: https://www.chromium.org/updates/ua-reduction

This change will affect the "User-Agent" HTTP header and `navigator.userAgent` Web API in Firefox, Focus, and any third-party apps using GeckoView.

## Goals

1. Reduce fingerprintable entropy passively exposed to the web.
2. Reduce risk of webcompat breakage.

Firefox’s UA string currently exposes 14 different Android major and minor versions between Android 5.0 and 14. That’s about ~4 bits of fingerprintable entropy. Freezing the Android version would reduce that to 0 bits.

An example of webcompat breakage that could be avoided with a frozen Android version: when Google dropped the ".0" minor version in Android 9’s version, many websites broke because their UA string parsers assumed OS versions always included a "." and minor version, even if only ".0". Even Firefox’s DevTools had a bug parsing the Android 9 version (bug 1743334).

An important difference in Chrome’s UA reduction is that Chrome still exposes the actual Android OS version in the UA Client-Hints HTTP headers and `navigator.userAgentData` Web API. So sites that really want to know the user’s Android OS version can add new code to detect it. Sites would not have that option in Firefox unless we implement `navigator.userAgentData` in bug 1750143.

Example UA strings:

BEFORE: `Mozilla/5.0 (Android 5.0; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0`
BEFORE: `Mozilla/5.0 (Android 5.1; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0`
BEFORE: `Mozilla/5.0 (Android 14; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0`
AFTER: `Mozilla/5.0 (Android 10; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0`

## Risks

Some websites might report that Android 10 is out of date, but that risk is low because Chrome also froze its UA string at Android version 10. We can fix such websites using Firefox’s site interventions to override the UA on those websites.

Some websites might attempt to use intent URIs to launch a native app that’s not available on Android < 10. I don’t know of any such examples, but those websites would not have worked on Android < 10 anyway… unless they would have launched a different native app for Android < 10?
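The two effects the comment describes, a "major.minor"-only parser failing on "Android 9" and the fingerprinting entropy of the OS-version token dropping to 0 bits once it is frozen, as an added JavaScript example that is not part of the bug report or of Firefox's code; the fragile and tolerant parsers, the `freezeAndroidVersion` rewrite and the uniform-distribution entropy estimate are illustrative assumptions, and the UA samples are constructed from the BEFORE/AFTER strings above plus an Android 9 string:

```javascript
// Constructed sample UA strings: the comment's BEFORE examples plus an
// "Android 9" string of the shape that broke "major.minor" parsers.
const UA_SAMPLES = [
  "Mozilla/5.0 (Android 5.0; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0",
  "Mozilla/5.0 (Android 5.1; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0",
  "Mozilla/5.0 (Android 9; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0",
  "Mozilla/5.0 (Android 14; Mobile; rv:123.0) Gecko/123.0 Firefox/123.0",
];

// Fragile parser (assumed, for illustration): requires a "." and a minor
// part, so it returns null for "Android 9" -- the breakage class the bug
// report mentions (bug 1743334 was the DevTools instance of it).
function parseAndroidVersionFragile(ua) {
  const m = /Android (\d+)\.(\d+)/.exec(ua);
  return m ? { major: Number(m[1]), minor: Number(m[2]) } : null;
}

// Tolerant parser: the minor part is optional and defaults to 0.
function parseAndroidVersion(ua) {
  const m = /Android (\d+)(?:\.(\d+))?/.exec(ua);
  return m ? { major: Number(m[1]), minor: Number(m[2] ?? "0") } : null;
}

// What the proposed pref does to the UA string: every Android version token
// is rewritten to the frozen value. FROZEN_VERSION is an assumed constant
// mirroring the comment's "Android 10"; this is not Gecko's implementation.
const FROZEN_VERSION = "10";
function freezeAndroidVersion(ua) {
  return ua.replace(/Android \d+(?:\.\d+)?/, `Android ${FROZEN_VERSION}`);
}

// Entropy of the OS-version token: log2 of the number of distinct values,
// assuming each value is equally likely. With the 14 versions the comment
// counts this gives log2(14) ~= 3.8 bits; after freezing, one value = 0 bits.
function versionEntropyBits(uas) {
  const tokens = new Set(
    uas.map(ua => (/Android (\d+(?:\.\d+)?)/.exec(ua) || [])[1])
       .filter(t => t !== undefined),
  );
  return tokens.size === 0 ? 0 : Math.log2(tokens.size);
}

// Stand-alone run: compare entropy before and after freezing the samples.
const frozen = UA_SAMPLES.map(freezeAndroidVersion);
console.log("before:", versionEntropyBits(UA_SAMPLES).toFixed(2), "bits");
console.log("after: ", versionEntropyBits(frozen).toFixed(2), "bits");
```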
