1680365 - RFP userAgent/header on Android doesn't follow Fenix naming convention

Status: RESOLVED FIXED

(Core :: DOM: Security, enhancement, P3)

Description

[Thorin [:thorin]]

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

RFP doesn't try to hide Android vs other platforms (because compat, and ultimately it's impossible), but since Fenix, the RFP patch no longer matches the string convention for Android

• JS and HTTP-Accept headers are the same
• RFP=false
  • Mozilla/5.0 (Android 10; Mobile; rvXX.0) Gecko/XX.0 Firefox/XX.0
• RFP=true
  • Mozilla/5.0 (Android 9; Mobile; rv78.0) Gecko/20100101 Firefox/78.0

Fenix replaces the buildID with version (maybe it's time to do that to all builds since GeckoView doesn't seem to have a compat problem)

Actual results:

RFP is not trying to hide, and it's already given away by the fact that it says it's 78 on the tin (correct me if I'm wrong, but there isn't an ESR mobile version, right?), so it's probably a moot point. And user agents will eventually be frozen and then phased out in favor of client hints

I'll leave it up to you guys. Feel free to close as invalid

Comment 1

[Thorin [:thorin]]

(In reply to Simon Mainey from comment #0)

Fenix replaces the buildID with version (maybe it's time to do that to all builds since GeckoView doesn't seem to have a compat problem)

Correction ... Fenix replaces the buildID productSub ...

Comment 2

[Tom Ritter [:tjr]]

Worth fixing.

Comment 3

[Chris Peterson [:cpeterson]]

Good catch! RFP's UA string code here:

https://searchfox.org/mozilla-central/rev/a6db3bd67367aa9ddd9505690cab09b47e65a762/toolkit/components/resistfingerprinting/nsRFPService.cpp#612-614

needs to check #ifdef ANDROID and match the productSub code here:

https://searchfox.org/mozilla-central/rev/a6db3bd67367aa9ddd9505690cab09b47e65a762/netwerk/protocol/http/nsHttpHandler.cpp#457-461

I'll try to fix this bug before the next ESR (91). Mozilla doesn't release ESR versions of Firefox for Android, but the Tor browser is based on ESR and it enables RFP.

Comment 4

[Tom Ritter [:tjr]]

(In reply to Chris Peterson [:cpeterson] from comment #3)

I'll try to fix this bug before the next ESR (91). Mozilla doesn't release ESR versions of Firefox for Android, but the Tor browser is based on ESR and it enables RFP.

Actually, Tor Browser for Android uses the regular release train! Eventually Desktop will too.

Comment 5

[Chris Peterson [:cpeterson]]

Attachment: Bug 1680365 - Refactor GetSpoofedUserAgent to build spoofed UA string in pieces. r?tjr

This refactoring has no functional change. It will make the change to build the spoofed Android UI string in the next changeset clearer.

Comment 6

[Chris Peterson [:cpeterson]]

Attachment: Bug 1680365 - Spoofed Android UA string should use spoofed version number, not legacy Gecko trail 20100101. r?tjr

Depends on D107347

Comment 7

[Pulsebot]

Pushed by cpeterson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b9c628ba6b0a
Refactor GetSpoofedUserAgent to build spoofed UA string in pieces. r=tjr

Comment 8

[Pulsebot]

Pushed by cpeterson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f329ec36e335
Spoofed Android UA string should use spoofed version number, not legacy Gecko trail 20100101. r=tjr

Comment 9

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/b9c628ba6b0a
https://hg.mozilla.org/mozilla-central/rev/f329ec36e335