Closed Bug 1409269 Opened 2 years ago Closed Last year

spoofed useragent from privacy.resistfingerprinting conflicts with OS revealed by TCP/IP fingerprinting


(Core :: DOM: Security, defect, P5)






(Reporter: leogecko, Unassigned)



(Whiteboard: [fingerprinting][domsecurity-backlog])

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20100101

Steps to reproduce:

Set "privacy.resistFingerprinting" to true.  Run the IP address leak test at (  Create the hidden preference "general.useragentoverride" by setting it to any useragent other than for a Windows OS version.

Actual results:

The browserleaks test shows that the useragent is "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0", and it shows that the operating system being used is "Linux 3.11 and newer."  The former is spoofed (from privacy.resistfingerprinting), and the OS is what my computer actually is.  The two conflict.  

Expected results:

There should be an override that allows the spoofed useragent to be changed to a useragent that is based on Linux 3.11 and newer.  By restricting the default useragent to Windows, TCP/IP fingerprinting easily reveals the spoofed useragent.  The hidden preference "general.useragentoverride" cannot override it.  Scrubbing TCP/IP fingerprinting isn't a viable option for recent Linux versions, so a plausible useragent spoof is needed.
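
The conflict described in this report, as an added example (not part of the bug report and not Firefox code): it compares the platform a User-Agent claims with the OS family suggested by a SYN packet's TTL and TCP option order. The two simplified SYN profiles, the Linux user agent and the sample observation are constructed assumptions.

```python
# Simplified SYN heuristics (assumed for illustration; real passive
# fingerprinting relies on much larger signature sets).
SYN_PROFILES = {
    "Linux":   (64,  ("mss", "sok", "ts", "nop", "ws")),
    "Windows": (128, ("mss", "nop", "ws", "nop", "nop", "sok")),
}
# Order matters: Android user agents also contain the word "Linux".
UA_PLATFORMS = (("Android", "Android"), ("Windows", "Windows NT"),
                ("OSX", "Mac OS X"), ("Linux", "Linux"))
KERNEL_OF = {"Android": "Linux"}  # Android runs a Linux TCP/IP stack

def ua_platform(ua):
    """Platform family claimed by a User-Agent string, or None."""
    for name, token in UA_PLATFORMS:
        if token in ua:
            return name
    return None

def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value."""
    return next((t for t in (32, 64, 128, 255) if observed <= t), None)

def stack_family(observed_ttl, options):
    """OS family suggested by a SYN's TTL and TCP option order, or None."""
    for name, (ttl, opts) in SYN_PROFILES.items():
        if initial_ttl(observed_ttl) == ttl and tuple(options) == opts:
            return name
    return None

def check(ua, observed_ttl, options):
    """Return (claimed OS, network OS, consistent?); None means undecided."""
    claimed = ua_platform(ua)
    seen = stack_family(observed_ttl, options)
    if claimed is None or seen is None:
        return claimed, seen, None
    return claimed, seen, KERNEL_OF.get(claimed, claimed) == seen

# User agent quoted in the report, plus a constructed Linux variant.
SPOOFED_UA = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) "
              "Gecko/20100101 Firefox/50.0")
LINUX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"
# Constructed SYN observation: Linux option order, TTL 64 seen after 11 hops.
LINUX_SYN = (53, ["mss", "sok", "ts", "nop", "ws"])

if __name__ == "__main__":
    for ua in (SPOOFED_UA, LINUX_UA):
        print(check(ua, *LINUX_SYN))
```
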
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
Component: Networking: HTTP → DOM: Security
See Also: → 1333651
Version: 50 Branch → Trunk
Priority: -- → P5
Whiteboard: [fingerprinting] → [fingerprinting][domsecurity-backlog]
Is this no longer an issue since Bug 1404608 landed? Or did we want to keep it open for consideration for non-Windows/OSX/Android/Linux platforms (we only allow four platform variables)?
Flags: needinfo?(tom)
Closed: Last year
Flags: needinfo?(tom)
Resolution: --- → FIXED