Open Bug 1671850 Opened 4 years ago Updated 2 years ago

RFP spoof english prompt does not handle all cases

Categories

(Firefox :: Settings UI, defect, P3)

Product:
Firefox
Component:
Settings UI
Version:
Firefox 83
Type:
defect

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: simon.mainey, Unassigned)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

issue

In bug 1039069 when RFP is enabled, non english users are prompted if they wish to switch to en-US

The code here only checks for the substring en

This means the prompt and subsequent pref flips (e.g. javascript.use_us_english_locale ) do not happen in the following cases

  • users such as en-CA, en-GB
  • users who change the order of languages (e.g ending up with en,en-US instead of en-US,en: see [2] - I can replicate this)
  • users who add additional languages ordered after en* and exposed e.g. via navigator.languages

[1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40191
[2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/31504

solution

check all languages == "en-US,en" and if not then prompt

Component: Untriaged → Preferences
Version: 78 Branch → Firefox 83
Flags: needinfo?(tom)
Flags: needinfo?(acat)
Blocks: uplift_tor_fingerprinting
Type: enhancement → defect

Hi arthur, can you help us figure out a priority here?

Flags: needinfo?(arthur)
Flags: needinfo?(tom)
Flags: needinfo?(arthur)
Flags: needinfo?(acat)
Priority: -- → P3
Severity: -- → S3

Even worse now: since Bug 1635561 I suspect, where one of the changes was to use RegionalPrefLocales rather than AppLocale

So despite an en-US build (or en-CA build etc) having it's web content using en-US,en - as seen in Options > Language > Choose - all formatting and resolvedOptions etc are using the OS locale. This is because spoof_english never fired for en* builds, and javascript.use_us_english_locale was never changed to true.

I do not know how this will affect TB Fenix right now (my only phone has an en-US os locale so I can't really test), but it's a concern - pinging sysrqb

Flags: needinfo?(sysrqb)
Flags: needinfo?(sysrqb)

Since the only available RFP language protection offered is to use en-US (via javascript.use_us_english_locale), this leaves other primary language users left out. At the very least we could implement RFP to sanitize secondary languages for all users, if RFP is enabled and detects additional ones. Do we have any telemetry on number of languages used?

Also see Bug 1766231 RFPHelper.jsm's privacy.spoof_english preference observer is never removed

If we resolve Bug 1746668 so all locales are covered and resolve Bug 1746815 to tighten returns we can probably do away with spoof_english altogether (which may not be a bad thing given live language switching?) - and IMO we shouldn't be encouraging users from minority languages to change languages as that helps reduce non english users into even smaller buckets

I believe with unified Intl. this is all relatively simple

You need to log in before you can comment on or make changes to this bug.