417994 - navigator object does not fully reflect user agent settings

Status: RESOLVED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[Mike Perry]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7

The navigator object does not reflect a spoofed user agent for the following properties:

navigator.oscpu
navigator.productSub

Despite providing a spoofed information to the general.useragent.* settings, these properties reveal the original platform and build date.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Actual Results:  
Ideally, these properties would obtain their values by parsing the general.useragent.override string, but for many useragents this is not possible. In those cases, either alternate general.useragent.* could be consulted, or these properties would just be undefined.

Comment 1

[Aakash Patel]

Why don't you upgrade to 2.0.0.12?

Comment 2

[Mike Perry]

Heh. Maybe because the useragent was spoofed? :)

Comment 3

[Gregory Fleischer]

In Firefox 2.0.0.12, the 'productSub' value could be set using the 'general.useragent.productSub' preference.  See http://lxr.mozilla.org/mozilla1.8/source/netwerk/protocol/http/src/nsHttpHandler.cpp#830

This functionality no longer exists in the latest trunk.

Comment 4

[Gregory Fleischer]

Bug 350521 describes a similar problem with the 'navigator.buildID' value.

To reproduce issue, either manually modify useragent config pref ("general.useragent.override") or use extension such as User Agent Switcher.  Visiting http://pseudo-flaw.net/s/show-oscpu-productsub-buildid.html will show that the 'oscpu', 'productSub' and 'buildID' are still the original values.

Comment 5

[Gregory Fleischer]

Attachment: Proposed patch for trunk

Adds new preferences to allow override of 'navigator.oscpu', 'navigator.productSub' and 'navigator.buildID':

 - "general.oscpu.override"
 - "general.productSub.override"
 - "general.buildID.override"

Additionally, for 'navigator.productSub' checks for the undocumented 1.8 branch pref "general.useragent.productSub".

Comment 6

[Gregory Fleischer]

The proposed patch also addresses bug 350521.

Comment 7

[Johnny Stenback (:jst)]

Comment on attachment 307168 [details] [diff] [review]
Proposed patch for trunk

+    const nsAdoptingCString& override =
+      nsContentUtils::GetCharPref("general.productSub.override");
+
+    if (override) {
+      CopyUTF8toUTF16(override, aProductSub);
+      return NS_OK;
+    } else {
+      // 'general.useragent.productSub' backwards compatible with 1.8 branch.
+      const nsAdoptingCString& override =
+        nsContentUtils::GetCharPref("general.useragent.productSub");

Might want to rename this override variable to avoid compiler warnings about this one shadowing the above one.

r+sr=jst, thanks for the fix!

Comment 8

[Gregory Fleischer]

Attachment: Updated trunk patch removes compiler warning

Updated patch to remove compiler warnings.

Comment 9

[Reed Loden [:reed]]

This isn't a blocker and doesn't have approval.

Comment 10

[Mike Beltzner [:beltzner, not reading bugmail]]

Comment on attachment 307368 [details] [diff] [review]
Updated trunk patch removes compiler warning

a1.9=beltzner

Comment 11

[Johnny Stenback (:jst)]

Not a blocker, but this has approval so feel free to land this.

Comment 12

[Reed Loden [:reed]]

Checking in dom/src/base/nsGlobalWindow.cpp;
/cvsroot/mozilla/dom/src/base/nsGlobalWindow.cpp,v  <--  nsGlobalWindow.cpp
new revision: 1.1001; previous revision: 1.1000
done

Comment 14

[Mike Perry]

Can we get this backported to 1.8?

Comment 15

[Gregory Fleischer]

Attachment: Patch for branch

Patch for branch that adds new preferences to allow override of 'navigator.oscpu',
'navigator.productSub' and 'navigator.buildID':

 - "general.oscpu.override"
 - "general.productSub.override"
 - "general.buildID.override"

Comment 16

[Daniel Veditz [:dveditz]]

Comment on attachment 322211 [details] [diff] [review]
Patch for branch

can't approve until reviewed

Comment 17

[Daniel Veditz [:dveditz]]

Comment on attachment 322211 [details] [diff] [review]
Patch for branch

Approved for 1.8.1.15, a=dveditz for release-drivers

Comment 18

[Johnny Stenback (:jst)]

Fix landed on the 1.8 branch.

Comment 19

[juan becerra [:juanb]]

Verified on Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.15pre) Gecko/2008061004 BonEcho/2.0.0.15pre

I added the user preferences in about:config and when I loaded the site in comment #4 I got the values I had set the prefs to, for example:

User-Agent: Firefox/1.1.1.1
oscpu: Linux
productSub: 20010101
buildID: 2001010101

In Fx20014 the prefs had no effect and you were still getting the actual user agent values.

Comment 20

[peter_jonson]

javascript can use navigator.buildID to find the exact build time to the second. As far as I know it can send it to the webserver. 'general.buildID.override' does not seem to exist in about:config. So this is a unique or virtually unique identifier - a sort of cookie that is shared by all websites. This is a clear privacy issue. Things like that shouldn't be on by default, without anyone being warned. In this case, it can't even be turned off.