1409269 - spoofed useragent from privacy.resistfingerprinting conflicts with OS revealed by TCP/IP fingerprinting

Status: RESOLVED FIXED

(Core :: DOM: Security, defect, P5)

Description

[leogecko]

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20100101

Steps to reproduce:

Set "privacy.resistFingerprinting" to true.  Run the IP address leak test at Browserleaks.com (https://browserleaks.com/ip).  Create the hidden preference "general.useragentoverride" by setting it to any useragent other than for a Windows OS version.


Actual results:

The browserleaks test shows that the useragent is "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0", and it shows that the operating system being used is "Linux 3.11 and newer."  The former is spoofed (from privacy.resistfingerprinting), and the OS is what my computer actually is.  The two conflict.  


Expected results:

There should be an override that allows the spoofed useragent to be changed to a useragent that is based on Linux 3.11 and newer.  By restricting the default useragent to Windows, TCP/IP fingerprinting easily reveals the spoofed useragent.  The hidden preference "general.useragentoverride" cannot override it.  Scrubbing TCP/IP fingerprinting isn't a viable option for recent Linux versions, so a plausible useragent spoof is needed.

Comment 1

[Thorin [:thorin]]

Is this no longer an issue since Bug 1404608 landed? Or did we want to keep it open for consideration for non-Windows/OSX/Android/Linux platforms (we only allow four platform variables)?