Closed Bug 1628373 Opened 5 years ago Closed 5 years ago

Lie better about desktop platform when privacy.resistFingerprinting is set to true

Categories

(Core :: DOM: Security, defect)

74 Branch
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: anti-stress, Unassigned)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

Set privacy.resistFingerprinting to true
Go to https://amiunique.org/, https://browserleaks.com/javascript or https://panopticlick.eff.org/

Actual results:

See that the platform is leaked, not through the User Agent header, which says Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0, but apparently through a JavaScript attribute, which leaks Linux x86_64

Expected results:

The Linux x86_64 desktop platform shouldn't have leaked

NB: this bug would be only for desktop platforms, if I read Bug 1404608 correctly.
Besides, these bugs may be related: Bug 1509829, Bug 1397996, Bug 1397994 and Bug 1422482.

Thanks

Blocks: 1422482
Blocks: uplift_tor_fingerprinting
No longer blocks: 1422482

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → DOM: Security
Product: Firefox → Core
Status: UNCONFIRMED → NEW
Ever confirmed: true

This is intentional and done in (I think) Bug 1509829. Lying about the OS in JavaScript breaks Very Important sites like GDocs - the keyboard shortcuts don't work. However lying in the UA header doesn't break much as far as we've seen, so we do that (as it is effective at spoofing in User Agent webserver logs.)

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID

This is by design: see Bug 1509829

Long story short: hopefully when Bug 1519122 is resolved, the navigator properties can be reduced back to two.

However, don't kid yourself: feature detection can "leak" your OS (major, sometimes minor, esp Linux distros) in dozens of ways (not that we shouldn't make it harder for basic UA sniffing)

Thanks both of you Tom Ritter and Simon Mainey for explanations :)
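
The mismatch discussed in this bug can be checked on your own profile with a small consistency audit. This is an added example, not code from the bug or from Mozilla; `osFamily`, `auditPlatformConsistency` and the sample navigator values are hypothetical and constructed for illustration, while the header string is the one quoted in the report.

```javascript
// Added example: map a UA-style or platform string to a coarse OS family.
function osFamily(value) {
  if (typeof value !== "string" || value === "") return "unknown";
  const rules = [
    ["android", /Android/i], // checked first: Android UAs may also contain "Linux"
    ["windows", /Windows|Win32|Win64/i],
    ["macos", /Macintosh|Mac OS X|MacIntel/i],
    ["linux", /Linux|X11/i], // simplification: X11 also appears on BSD
  ];
  for (const [name, re] of rules) {
    if (re.test(value)) return name;
  }
  return "unknown";
}

// headerUA: the User-Agent request header as a web server would log it.
// nav: plain object with values copied from window.navigator in the
//      profile being audited (passed in so this also runs outside a browser).
function auditPlatformConsistency(headerUA, nav) {
  const claimed = osFamily(headerUA);
  const findings = [];
  for (const prop of ["userAgent", "platform", "oscpu", "appVersion"]) {
    if (!(prop in nav)) continue; // e.g. oscpu is Firefox-only
    const seen = osFamily(nav[prop]);
    // Report every JS-visible value that contradicts the header's claim.
    if (seen !== "unknown" && seen !== claimed) {
      findings.push({ prop, value: nav[prop], seen });
    }
  }
  return { claimed, consistent: findings.length === 0, findings };
}

// Header value quoted in the report above.
const headerUA =
  "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0";
// Constructed sample of JS-visible values on the reporter's Linux machine.
const sampleNav = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0",
  platform: "Linux x86_64",
};

const report = auditPlatformConsistency(headerUA, sampleNav);
console.log(JSON.stringify(report, null, 2));
```

In a browser, pass `navigator` itself as the second argument and the header value your server logged as the first.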
