Consider removing or standardizing navigator.oscpu
Categories
(Core :: DOM: Core & HTML, defect, P5)
Tracking
()
People
(Reporter: foolip, Unassigned)
References
Details
Reporter | ||
Comment 1•11 years ago
|
||
Comment 2•11 years ago
|
||
Comment 3•11 years ago
|
||
Comment 4•11 years ago
|
||
![]() |
||
Comment 5•11 years ago
|
||
Reporter | ||
Comment 6•11 years ago
|
||
![]() |
||
Comment 7•11 years ago
|
||
Updated•7 years ago
|
Updated•7 years ago
|
Assignee | ||
Updated•6 years ago
|
This is specced for some time now as Gecko navigator compatibility mode
https://html.spec.whatwg.org/multipage/system-state.html#client-identification
So can we close this bug as FIXED?
Comment 10•6 years ago
|
||
Do we want to continue shipping it as-is, or return the empty string to help with fingerprinting? Also, are we satisfied being the only browser using this compatibility mode, or should we try to align with the others?
Comment 11•6 years ago
|
||
if the proposal "Remove browser and OS architecture from Firefox's User-Agent string?"
https://groups.google.com/forum/m/#!topic/mozilla.dev.platform/vEMIqgnMxRw
was done, at least the same removal had to be done in navigator.oscpu
for fingerprinting reasons.
Comment 12•6 years ago
•
|
||
(In reply to j.j. from comment #11)
if the proposal "Remove browser and OS architecture from Firefox's User-Agent string?"
https://groups.google.com/forum/m/#!topic/mozilla.dev.platform/vEMIqgnMxRwwas done, at least the same removal had to be done in
navigator.oscpu
for fingerprinting reasons.
In that thread, dbaron asked if we should keep navigator.oscpu
so sites can differentiate 32- and 64-bit OS (e.g. to offer compatible software downloads). That would still allow active fingerprinting, but JavaScript might be able to detect other differences between 32- and 64-bit browsers anyways. We could still remove the platform architecture from the UA string to limit passive fingerprinting by servers.
Alternately, we could support platform detection by making navigator.userAgent
return a UA string with the platform architecture (like today's current UA string) while the User-Agent header sends a UA string without the platform architecture. Then navigator.oscpu
could return the empty string "" because it wouldn't be needed.
I don't know which is approach is uglier. :) Every browser has a UA string, but only Gecko has navigator.oscpu
. Returning an empty string "" from navigator.oscpu
(and using different UA strings in the User-Agent header and navigator.userAgent
) would be a path converging towards to other browsers.
Poking around on GitHub, I see quite a few scripts using navigator.oscpu
as a fallback option for sniffing the platform, but the half-dozen or so scripts I looked at all verified that navigator.oscpu
was defined before using it. So we might be able to make navigator.oscpu
return an empty string "" (or just remove it and return undefined
) without significant breakage.
Here is the Chromium issue to consider adding navigator.oscpu
for Gecko compat:
https://bugs.chromium.org/p/chromium/issues/detail?id=602611
Updated•3 years ago
|
Description
•