Closed Bug 1653328 Opened 4 years ago Closed 4 years ago

Navigator properties should return same useragent as useragent header when resistFingerprinting is enabled

Categories

(Core :: DOM: Security, defect, P3)

78 Branch
defect

RESOLVED INVALID

People

(Reporter: security, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

As the title says: The navigator API should return the same useragent as the useragent request header when resistFingerprinting is enabled.

The following properties are currently not spoofed:

  • navigator.userAgent
  • navigator.oscpu
  • navigator.appVersion
  • navigator.platform

Actual results:

Currently the values look like this if privacy.resistFingerprinting is enabled:

(This should be markup tables)

Running Firefox 78 on Ubuntu Linux (20.04):

| Header/Property | Value on Ubuntu Linux (20.04) |
| --- | --- |
| User-Agent from request header | Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 |
| navigator.userAgent | Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 |
| navigator.oscpu | Linux x86_64 |
| navigator.appVersion | 5.0 (X11) |
| navigator.platform | Linux x86_64 |

Running Firefox 78 on macOS (10.15):

| Header/Property | Value on macOS (10.15) |
| --- | --- |
| User-Agent from request header | Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 |
| navigator.userAgent | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0 |
| navigator.oscpu | Intel Mac OS X 10.15 |
| navigator.appVersion | 5.0 (Macintosh) |
| navigator.platform | MacIntel |

Expected results:

The navigator API should return the same useragent as the request header when resistFingerprinting is enabled.

Now, while I understand that you cannot perfectly spoof a browser running on a different operating system, I just assumed that resistFingerprinting would do as much as possible to resist browser fingerprinting (e.g. you cannot get information about the graphics card if resistFingerprinting is enabled).
Providing the real useragent (including processor type) via the navigator API is probably not what most people expect.
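The comparison in the tables above can be scripted to check what a given profile reports on each surface. This is an added example, not part of the bug report or of Firefox; `osFamily`, `geckoVersions` and `auditUaSurfaces` are hypothetical helper names, and the sample values are copied from the Ubuntu table.

```javascript
// Added example: report which OS family each UA surface exposes.
// All function names here are hypothetical helpers, not a browser API.

// Map a UA-style string to a coarse OS family.
// Android is tested before Linux because Android UAs also contain "Linux".
function osFamily(value) {
  if (/Windows|Win32|Win64/.test(value)) return "windows";
  if (/Macintosh|Mac OS X|MacIntel/.test(value)) return "mac";
  if (/Android/.test(value)) return "android";
  if (/Linux|X11/.test(value)) return "linux";
  return "unknown";
}

// Pull "rv:NN.N" and "Firefox/NN.N" so version agreement is checked as well.
function geckoVersions(ua) {
  const rv = /rv:([\d.]+)/.exec(ua);
  const fx = /Firefox\/([\d.]+)/.exec(ua);
  return { rv: rv ? rv[1] : null, firefox: fx ? fx[1] : null };
}

// headerUa: the User-Agent string as received by the server.
// nav: object carrying the four navigator properties listed in the report.
function auditUaSurfaces(headerUa, nav) {
  const props = ["userAgent", "oscpu", "appVersion", "platform"];
  const headerOs = osFamily(headerUa);
  const families = props.map((p) => osFamily(String(nav[p])));
  const h = geckoVersions(headerUa);
  const j = geckoVersions(String(nav.userAgent));
  return {
    headerOs,
    jsOs: [...new Set(families)], // distinct OS families seen from script
    mismatches: props.filter((p, i) => families[i] !== headerOs),
    versionsAgree: h.rv === j.rv && h.firefox === j.firefox,
  };
}

// Values copied from the Ubuntu table in the report.
const HEADER_UA =
  "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0";
const UBUNTU_NAV = {
  userAgent:
    "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
  oscpu: "Linux x86_64",
  appVersion: "5.0 (X11)",
  platform: "Linux x86_64",
};
console.log(auditUaSurfaces(HEADER_UA, UBUNTU_NAV));
```

In a page, the live `navigator` object can be passed as `nav`, with the header value taken from a server that echoes the request's User-Agent.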

Component: Untriaged → DOM: Security
Product: Firefox → Core
Severity: -- → S4
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]

See Bug 1650427 for the reasons why passive headers (e.g. Tor Browser on safest) differ from client-side JS (due to breakage): this is by design. There is no extra entropy being exposed here, as all users, e.g. on Linux, are the same.

NI'ing tom

Flags: needinfo?(tom)

Thanks Simon; yes this is intended.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(tom)
Resolution: --- → INVALID

Should this at least be under an additional option? I don't want these values to be different in my browser.
