Open
Bug 1303579
Opened 8 years ago
Updated 2 years ago
Expose navigator.locales and add onlocaleschange event
Categories
(Core :: DOM: Core & HTML, defect, P3)
Core
DOM: Core & HTML
Tracking
()
NEW
People
(Reporter: zbraniecki, Unassigned)
References
(Blocks 1 open bug)
Details
In multiple places[0] we need to generate a list of languages with added extension keys for user-selected settings that affect localization, like: - hour12/hour24 - calendar system - currency - etc. [1] A proposal in ECMA 402 [2] is to add a counterpart to navigator.languages in form of `navigator.locales`. `navigator.locales` would have the same list of language codes but would add extension keys based on user preferences defined in the host environment. For example, if `navigator.languages == ["fr", "en-US"];` and the user defined hour12 parameter in their US, navigator.locales would return `navigator.locales == ["fr-u-hc-h12", "en-US-u-hc-h12"];`. This list can be directly fed into Intl APIs to produce the correct date time format, collation, or number taking into account user defined preferences. `onlocaleschange` would be fired whenever language fallback chain changes, or one of the affected settings changes. [0] bug 1069609 comment 55 [1] Full list available here: http://www.unicode.org/reports/tr35/#Locale_Extension_Key_and_Type_Data [2] https://github.com/tc39/ecma402/issues/68
Reporter | ||
Comment 1•8 years ago
|
||
Initially the API would be chrome-only, but I'd put it on the WHATWG+ECMA402 standardization path and use our internal use as a method to refine the proposal.
Updated•8 years ago
|
Priority: -- → P2
Comment 2•8 years ago
|
||
Has this undergone privacy review? It may not be obvious to users that customizing 12/24 clock and such, especially on the OS level, would make them more fingerprintable on the Web.
Reporter | ||
Comment 3•8 years ago
|
||
There is a conversation about fingerprinting consequences in ECMA402 issue: https://github.com/tc39/ecma402/issues/68 I also emailed :fmarier, :huseby and :tanvi and got a tentative "go ahead". I'll draft more specific proposal for how would it work and NI people to get their approval here as well. To your point: At the same time, the very same users would expect that if they set hour12/hour24 manually overriding their locale default, apps they use will follow. (same goes for date format, timezone etc.) As :littledan quoted: > Believes that, because combatting fingerprinting is difficult, new Web specifications should take reasonable measures to avoid adding unneeded fingerprinting surface area. However, added surface area should not be a primary factor in determining whether to add a new feature.
Comment 4•8 years ago
|
||
(In reply to Zibi Braniecki [:gandalf][:zibi] from comment #3) > There is a conversation about fingerprinting consequences in ECMA402 issue: > https://github.com/tc39/ecma402/issues/68 > > I also emailed :fmarier, :huseby and :tanvi and got a tentative "go ahead". > > I'll draft more specific proposal for how would it work and NI people to get > their approval here as well. > > To your point: > > At the same time, the very same users would expect that if they set > hour12/hour24 manually overriding their locale default, apps they use will > follow. (same goes for date format, timezone etc.) > > As :littledan quoted: > > > Believes that, because combatting fingerprinting is difficult, new Web specifications should take reasonable measures to avoid adding unneeded fingerprinting surface area. However, added surface area should not be a primary factor in determining whether to add a new feature. I would like to suggest that this feature be disabled or otherwise sanitized for privacy when the "privacy.resistFingerprinting" pref is set to true. Examples of other such sanitized features are here: https://dxr.mozilla.org/mozilla-central/search?q=nsContentUtils%3A%3AShouldResistFingerprinting&redirect=false
Reporter | ||
Comment 5•8 years ago
|
||
> I would like to suggest that this feature be disabled or otherwise sanitized for privacy when the "privacy.resistFingerprinting" pref is set to true
Sounds perfectly reasonable.
My idea was to also add a separate flag that can be turned off. Maybe even preferences option like "Expose system preferences to web authors".
If the preference/flag is set to "true" (default), we will expose hour12, custom date format, calendar selection etc. If the flag is set to false, we would only expose it in chrome content, and hide in web content.
What I like about this approach is that the way we're designing the API makes it indistinguishable between "user did not set a preference" and "browser did not expose the preference".
Comment 6•8 years ago
|
||
(In reply to Zibi Braniecki [:gandalf][:zibi] from comment #5) > > I would like to suggest that this feature be disabled or otherwise sanitized for privacy when the "privacy.resistFingerprinting" pref is set to true > > Sounds perfectly reasonable. > > My idea was to also add a separate flag that can be turned off. Maybe even > preferences option like "Expose system preferences to web authors". I think that matches the intention of "privacy.resistFingerprinting", which is "When true, don't expose system attributes to content." Of course it's fine (and better) to continue exposing such APIs to chrome.
Reporter | ||
Comment 7•8 years ago
|
||
Oh, cool! I expected "resistFingerprinting" to be broader than user preferences, but maybe we just don't need a more specific pref and we can use this one. The more I think about it the more I like the idea of adding a preference checkbox for this pref. :)
Comment 8•8 years ago
|
||
(In reply to Zibi Braniecki [:gandalf][:zibi] from comment #7) > Oh, cool! > > I expected "resistFingerprinting" to be broader than user preferences, but > maybe we just don't need a more specific pref and we can use this one. > > The more I think about it the more I like the idea of adding a preference > checkbox for this pref. :) I do too! I've just written a patch to add one in Tor Browser (in about:preferences#privacy), so maybe it can be uplifted to Firefox.
Reporter | ||
Comment 9•8 years ago
|
||
Please, file a bug and attach the patch and let's get UX people on it.
Comment 10•8 years ago
|
||
(In reply to Zibi Braniecki [:gandalf][:zibi] from comment #9) > Please, file a bug and attach the patch and let's get UX people on it. Here it is: bug 1308340.
Updated•7 years ago
|
Priority: P2 → P3
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•