Closed Bug 1520419 Opened 5 years ago Closed 5 years ago

Navigator.userAgent doesn't show a patch version of macOS. For example: "(Macintosh; Intel Mac OS X 10.13)". Mac os version: 10.13.6

Categories: Core :: Networking: HTTP, defect
Version: 64 Branch
Hardware: All
OS: macOS
Type: defect
Priority: Not set
Severity: normal

Status: RESOLVED WONTFIX

Reporter: luka_jovanovic
Assignee: Unassigned


User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

Steps to reproduce:

Use navigator.userAgent string, on mac os version 10.13.6.

Actual results:

navigator.userAgent returns "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:64.0) Gecko/20100101 Firefox/64.0"

Expected results:

navigator.userAgent should return "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13.6 ; rv:64.0) Gecko/20100101 Firefox/64.0"

Summary: Navigator.userAgent don't show a patch version of mac os. For example: "(Macintosh; Intel Mac OS X 10.13)". Mac os version: 10.13.6 → Navigator.userAgent doesn't show a patch version of macOS. For example: "(Macintosh; Intel Mac OS X 10.13)". Mac os version: 10.13.6
Blocks: 71569
Component: Untriaged → Networking: HTTP
OS: Unspecified → Mac OS X
Product: Firefox → Core
Hardware: Unspecified → All
Version: 5 Branch → 64 Branch

Valentin, is this an easy fix? maybe good-first-bug?

Flags: needinfo?(valentin.gosu)

(In reply to Dragana Damjanovic [:dragana] from comment #1)

> Valentin, is this an easy fix? maybe good-first-bug?

According to https://developer.mozilla.org/en-US/docs/Web/API/NavigatorID/userAgent :

> The specification asks browsers to provide as little information via this field as possible.
> Never assume that the value of this property will stay the same in future versions of the same browser.
> Try not to use it at all, or only for current and past versions of a browser.

It's very easy to implement, technically, but it increases the fingerprinting possibilities, so I would advise against it.
Moreover, it could very well be used by bad servers to target OSX versions with known vulnerabilities. I suggest we WONTFIX it.

Flags: needinfo?(valentin.gosu)

Yes, you are right.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX

Hi,

Thank you for your feedback. One question, why is there an OS version if we can't detect the right one? I assume there are vulnerabilities with just major and minor numbers.

(In reply to Luka Jovanovic from comment #4)

> Hi,
>
> Thank you for your feedback. One question, why is there an OS version if we can't detect the right one? I assume there are vulnerabilities with just major and minor numbers.

The same thing can be used to target users with the vulnerability.
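
Added example, not part of the original bug thread or Firefox code: a sketch of the granularity argument made in the WONTFIX comment and the final reply, comparing how many distinct OS-version values a server can observe when the patch level is advertised versus when it is truncated to major.minor. The function names and the `SAMPLE` set are constructed for illustration; only the two User-Agent formats come from this page.

```javascript
// Matches both spellings seen on this page: "Mac OS X 10_13_6" and "Mac OS X 10.13".
const MAC_VERSION = /Mac OS X (\d+)[._](\d+)(?:[._](\d+))?/;

// Returns { major, minor, patch } (patch is null when not advertised), or null
// when the string carries no macOS platform token.
function macVersionFromUA(ua) {
  const m = MAC_VERSION.exec(ua);
  if (!m) return null;
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: m[3] === undefined ? null : Number(m[3]),
  };
}

// Rewrites the platform token to major.minor only, the granularity the
// Firefox 64 string in this report exposes.
function truncateMacVersion(ua) {
  return ua.replace(MAC_VERSION, (_, major, minor) => `Mac OS X ${major}.${minor}`);
}

// Number of distinct OS-version values observable across a set of UA strings.
// Fewer distinct values means a larger group of users sharing each value.
function distinctVersions(uas) {
  const seen = new Set();
  for (const ua of uas) {
    const v = macVersionFromUA(ua);
    if (v) seen.add(`${v.major}.${v.minor}.${v.patch ?? "-"}`);
  }
  return seen.size;
}

// Constructed sample: Chrome-style strings (format from the reporter's own UA)
// with made-up patch levels.
const chromeUA = (v) =>
  `Mozilla/5.0 (Macintosh; Intel Mac OS X ${v}) AppleWebKit/537.36 ` +
  `(KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36`;
const SAMPLE = ["10_13_4", "10_13_5", "10_13_6", "10_13_6", "10_14_2"].map(chromeUA);

console.log("with patch level:", distinctVersions(SAMPLE));
console.log("major.minor only:", distinctVersions(SAMPLE.map(truncateMacVersion)));
```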
