Navigator properties should return same useragent as useragent header when resistFingerprinting is enabled
Categories
(Core :: DOM: Security, defect, P3)
People
(Reporter: security, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog1])
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0
Steps to reproduce:
As the title says: The navigator API should return the same useragent as the useragent request header when resistFingerprinting is enabled.
The following properties are currently not spoofed:
navigator.userAgent
navigator.oscpu
navigator.appVersion
navigator.platform
Actual results:
Currently the values look like this if privacy.resistFingerprinting is enabled:
(This should be markup tables)
Running Firefox 78 on Ubuntu Linux (20.04):
Header/Property | Value on Ubuntu Linux (20.04) |
---|---|
User-Agent from request header | Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 |
navigator.userAgent | Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 |
navigator.oscpu | Linux x86_64 |
navigator.appVersion | 5.0 (X11) |
navigator.platform | Linux x86_64 |
Running Firefox 78 on macOS (10.15):
Header/Property | Value on macOS (10.15) |
---|---|
User-Agent from request header | Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 |
navigator.userAgent | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0 |
navigator.oscpu | Intel Mac OS X 10.15 |
navigator.appVersion | 5.0 (Macintosh) |
navigator.platform | MacIntel |
Expected results:
The navigator API should return the same useragent as the request header when resistFingerprinting is enabled.
Now, while I understand that you cannot perfectly spoof a browser running on a different operating system, I just assumed that resistFingerprinting would do as much as possible to resist browser fingerprinting (e.g. you cannot get information about the graphic card if resistFingerprinting is enabled).
Providing the real useragent (including processor type) via the navigator API is probably not what most people expect.
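The comparison the report describes, as an added JavaScript example that is not part of the bug report or of Firefox's code: it reduces the User-Agent header and each navigator property to an OS family and lists the properties that disagree with the header. `osFamily` and `compareSurfaces` are hypothetical helper names, and on a live page the header value is assumed to be echoed back by the server, since script cannot read its own request headers.

```javascript
// Added example, not part of the bug report. Sample values are the ones
// listed in the report's tables for Firefox 78.
const HEADER_UA =
  "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0";
const UBUNTU_NAV = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
  oscpu: "Linux x86_64",
  appVersion: "5.0 (X11)",
  platform: "Linux x86_64",
};
const MACOS_NAV = {
  userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0",
  oscpu: "Intel Mac OS X 10.15",
  appVersion: "5.0 (Macintosh)",
  platform: "MacIntel",
};
const NAV_PROPS = ["userAgent", "oscpu", "appVersion", "platform"];

// Reduce a UA string or navigator value to a coarse OS family.
// Android is tested before Linux because Android UA strings contain "Linux".
function osFamily(value) {
  if (/Windows|Win32|Win64/.test(value)) return "windows";
  if (/Macintosh|Mac OS X|MacIntel/.test(value)) return "macos";
  if (/Android/.test(value)) return "android";
  if (/Linux|X11/.test(value)) return "linux";
  return "unknown";
}

// Compare each navigator property with the header. A missing property
// (oscpu is Firefox-only) maps to "unknown" and is reported as a mismatch.
function compareSurfaces(headerUA, nav) {
  const headerOS = osFamily(headerUA);
  const rows = NAV_PROPS.map((prop) => {
    const value = String(nav[prop] ?? "");
    const os = osFamily(value);
    return { prop, value, os, matchesHeader: os === headerOS };
  });
  return {
    headerOS,
    sameUAString: nav.userAgent === headerUA,
    mismatched: rows.filter((r) => !r.matchesHeader).map((r) => r.prop),
    rows,
  };
}

for (const [label, nav] of [["Ubuntu", UBUNTU_NAV], ["macOS", MACOS_NAV]]) {
  const r = compareSurfaces(HEADER_UA, nav);
  console.log(label, "header:", r.headerOS, "differs in:", r.mismatched.join(", "));
}
```

In a browser, pass `navigator` itself as the second argument.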
Comment 1•4 years ago
See Bug 1650427 for the reasons why passive headers (e.g. Tor Browser on safest) differ from client-side JS (due to breakage): this is by design. There is no extra entropy being exposed here, as all users e.g. on Linux, are the same.
NI'ing tom
Comment 2•4 years ago
Thanks Simon; yes this is intended.
Comment 3•3 years ago
Should this at least be under an additional option? I don't want these values to be different in my browser.