public user agent sniffing disclosure on bugzilla

RESOLVED DUPLICATE of bug 1222705

Product: bugzilla.mozilla.org
Component: Extensions: GuidedBugEntry
Version: Production
Priority: P2
Severity: normal
Opened 2 years ago, last updated a year ago
Reporter: ffux
Assignee: Unassigned

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20160503092831

Steps to reproduce:

submit a bug report via bugzilla

review newly created bug report




Actual results:

The top two lines of a newly created bug report show the poster's user-agent info sniffed from the browser (apparently).


Expected results:

Don't disclose possible identifying information without asking. 

If you are going to sniff and include this information in a public space like bugzilla, AT LEAST show what you have sniffed and include it in the "Enter a bug" page so that it is clear to the user that this is being done and the user has the option to remove it or not submit if they so wish.

I can see this may be useful for a FFx bug report but it should at least be copied to a visible FORM element not done on the sly. 

In the case of a bug report of Thunderbird, for example, it has no place being there at all.

Comment 1

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0

I have tested this issue on Windows 10 x64 with the latest Firefox release (47.0) and the latest Nightly (50.0a1-20160609130607) and could not reproduce it. When I've submitted a bug report to Bugzilla, in which I've written "test" in the description, and after I've submitted the bug, only that string appeared in the bug.

Could you attach a screen-recording of you submitting a bug report to Bugzilla?
Flags: needinfo?(ffux)
(Reporter)

Comment 2

2 years ago
So where did the first two lines of #0 come from?!

I sure did not type or paste that in.

You will see the same thing got inserted at the top of the other bug I submitted.
https://bugzilla.mozilla.org/show_bug.cgi?id=1278601

Note that this would seem to be an issue with bugzilla playing at browser sniffing AND THEN SNEAKILY ADDING identifying information to the bug report, rather than firefox returning a user-agent string, which is normal http protocol.

Comment 3

Can you please attach a screen-recording of you submitting a bug report to Bugzilla?
Flags: needinfo?(ffux)
Flags: needinfo?(ffux)
(Reporter)

Comment 4

a year ago
(In reply to Emil Pasca from comment #3)
> Can you please attach a screen-recording of you submitting a bug report to
> Bugzilla?

No, I can't.  I do not have the software to do that, nor the time to learn. 

I have just created a new bug as a test with the description of the route I took in doing so. 

The result also sniffs and publishes my user-agent info.

id=1282739

Comment 5

It depends on the form used to file the bug.
If you use the guided form (which has separate fields for "What did you do?", "What happened?", "What should have happened?"), it has a hidden field to store User-Agent and Build ID.

https://bugzilla.mozilla.org/enter_bug.cgi?format=guided#h=bugForm%7CFirefox
Component: Untriaged → Extensions: GuidedBugEntry
Product: Firefox → bugzilla.mozilla.org
Version: 46 Branch → Production
See Also: → bug 1282739
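
An audit for the kind of hidden field comment 5 describes, added here as an example; it is not part of the bug thread or Bugzilla's code. The form markup and the field names (`token`, `user_agent`, `build_id`, `draft`) are constructed for illustration, and the name-matching pattern is a heuristic.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a guided-entry style form; markup and names are hypothetical.
SAMPLE_FORM = """
<form id="bugForm" method="post">
  <textarea name="steps"></textarea>
  <input type="text" name="short_desc">
  <input type="HIDDEN" name="token" value="c0ffee">
  <input type="hidden" name="user_agent" value="">
  <input name="build_id" style="display: none">
  <input type="hidden" name="draft" disabled>
  <input type="submit" value="Submit">
</form>
"""

# Heuristic (an assumption): name fragments that suggest client-environment data.
ENV_HINT = re.compile(r"user.?agent|build.?id|platform|oscpu", re.I)
NOT_DATA = ("submit", "button", "reset", "image")

class HiddenFieldAudit(HTMLParser):
    """Collect the controls a form submits, split by whether the user sees them."""
    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "textarea", "select"):
            return
        a = {k: (v or "") for k, v in attrs}
        kind = a.get("type", "").lower()
        # Unnamed or disabled controls are never sent; buttons carry no user text.
        if not a.get("name") or "disabled" in a or kind in NOT_DATA:
            return
        concealed = (
            kind == "hidden"
            or "hidden" in a  # boolean `hidden` attribute
            or re.search(r"display\s*:\s*none", a.get("style", ""), re.I)
        )
        (self.hidden if concealed else self.visible).append(a["name"])

def audit(html):
    """Return (hidden field names, the subset that looks like environment data)."""
    parser = HiddenFieldAudit()
    parser.feed(html)
    return parser.hidden, [n for n in parser.hidden if ENV_HINT.search(n)]

if __name__ == "__main__":
    print(audit(SAMPLE_FORM))
```

The audit keys on the control rather than its initial value, so a hidden field that ships empty and is filled by script at submit time is still reported.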
(Reporter)

Comment 6

a year ago
(In reply to Tooru Fujisawa [:arai] from comment #5)
> It depends on the form used to file the bug.
> If you use the guided form (which has separate fields for "What did you do?",
> "What happened?", "What should have happened?"), it has a hidden field to
> store User-Agent and Build ID.
> 
> https://bugzilla.mozilla.org/enter_bug.cgi?format=guided#h=bugForm%7CFirefox

Thank you very much Tooru, then we are agreed. There is a sneaky, non-visible field, which is filled by sniffing my browser but not shown to the person filing the bug so that they are a) AWARE that they are being sniffed and b) that they then have a CHOICE of supplying this information or not.

For a Firefox bug it may potentially be useful so should be shown as an EDITABLE VISIBLE field the user can then choose to leave as bug information; delete for privacy or simply decline to submit the bug report.

For non-Firefox bugs it is entirely irrelevant and should not even be present at all.

Browser sniffing to that level of detail (OS, platform and even build number) is identifying information. It has no place being surreptitiously sniffed and publicly displayed.

Please confirm and fix this bug ASAP. 

Thanks.

Comment 7

Duplicate of this bug: 1282739
(Reporter)

Comment 8

a year ago
Can this now be considered confirmed and the NEEDSINFO flag removed? That will stop any likelihood of it getting fixed.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(ffux) → needinfo?(dylan)

Comment 9

We are going to be reworking the bug entry forms probably in Q4. For the time being we could mention on the guided form that the user agent information will be submitted (opting out of that is trickier).
Flags: needinfo?(dylan)
Priority: -- → P2
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1222705