Closed Bug 1680365 Opened 3 years ago Closed 3 years ago

RFP userAgent/header on Android doesn't follow Fenix naming convention

Categories

(Core :: DOM: Security, enhancement, P3)

78 Branch
enhancement

Tracking

RESOLVED FIXED
88 Branch
Tracking Status
firefox88 --- fixed

People

(Reporter: simon.mainey, Assigned: cpeterson)

References

(Blocks 1 open bug)

Details

(Keywords: good-first-bug, Whiteboard: [domsecurity-backlog1])

Attachments

(2 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

RFP doesn't try to hide Android vs other platforms (because compat, and ultimately it's impossible), but since Fenix, the RFP patch no longer matches the string convention for Android

  • JS and HTTP-Accept headers are the same
  • RFP=false
    • Mozilla/5.0 (Android 10; Mobile; rvXX.0) Gecko/XX.0 Firefox/XX.0
  • RFP=true
    • Mozilla/5.0 (Android 9; Mobile; rv78.0) Gecko/20100101 Firefox/78.0

Fenix replaces the buildID with version (maybe it's time to do that to all builds since GeckoView doesn't seem to have a compat problem)

Actual results:

RFP is not trying to hide, and it's already given away by the fact that it says it's 78 on the tin (correct me if I'm wrong, but there isn't an ESR mobile version, right?), so it's probably a moot point. And user agents will eventually be frozen and then phased out in favor of client hints

I'll leave it up to you guys. Feel free to close as invalid

Component: Untriaged → DOM: Security
Product: Firefox → Core

(In reply to Simon Mainey from comment #0)

> Fenix replaces the buildID with version (maybe it's time to do that to all builds since GeckoView doesn't seem to have a compat problem)

Correction ... Fenix replaces the buildID productSub ...

Worth fixing.

Severity: -- → S3
Keywords: good-first-bug
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]

Good catch! RFP's UA string code here:

https://searchfox.org/mozilla-central/rev/a6db3bd67367aa9ddd9505690cab09b47e65a762/toolkit/components/resistfingerprinting/nsRFPService.cpp#612-614

needs to check #ifdef ANDROID and match the productSub code here:

https://searchfox.org/mozilla-central/rev/a6db3bd67367aa9ddd9505690cab09b47e65a762/netwerk/protocol/http/nsHttpHandler.cpp#457-461

I'll try to fix this bug before the next ESR (91). Mozilla doesn't release ESR versions of Firefox for Android, but the Tor browser is based on ESR and it enables RFP.

Assignee: nobody → cpeterson
Status: UNCONFIRMED → NEW
Ever confirmed: true

(In reply to Chris Peterson [:cpeterson] from comment #3)

> I'll try to fix this bug before the next ESR (91). Mozilla doesn't release ESR versions of Firefox for Android, but the Tor browser is based on ESR and it enables RFP.

Actually, Tor Browser for Android uses the regular release train! Eventually Desktop will too.

This refactoring has no functional change. It will make the change to build the spoofed Android UI string in the next changeset clearer.

Pushed by cpeterson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b9c628ba6b0a
Refactor GetSpoofedUserAgent to build spoofed UA string in pieces. r=tjr
Pushed by cpeterson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f329ec36e335
Spoofed Android UA string should use spoofed version number, not legacy Gecko trail 20100101. r=tjr
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch
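
As an added example (not Mozilla's code and not part of this bug), a JavaScript check for the mismatch reported here: on Android the Gecko trail should equal the Firefox version, while elsewhere it stays at the legacy 20100101. The function names and the "fixed" sample string are assumptions constructed from the strings quoted in this bug; `rv` is accepted with or without a colon because the quoted Android strings omit it.

```javascript
// Added example: flags UA strings whose Gecko trail breaks the platform convention.
const UA_RE = /^Mozilla\/5\.0 \(([^)]*)\) Gecko\/(\S+) Firefox\/(\S+)$/;
const LEGACY_TRAIL = "20100101"; // frozen desktop trail named in the changeset summary

// Split a Firefox-style UA into the fields this bug is about.
function parseFirefoxUA(ua) {
  const m = UA_RE.exec(ua.trim());
  if (!m) return null;
  const fields = m[1].split(";").map((s) => s.trim());
  // Assumption: tolerate "rv78.0" as well as "rv:78.0".
  const rvField = fields.find((f) => /^rv:?\d/.test(f));
  return {
    isAndroid: fields.some((f) => /^Android\b/.test(f)),
    rv: rvField ? rvField.replace(/^rv:?/, "") : null,
    geckoTrail: m[2],
    version: m[3],
  };
}

// Android: Gecko/<version>. Other platforms: Gecko/20100101.
function checkGeckoTrail(ua) {
  const p = parseFirefoxUA(ua);
  if (!p) return { ok: false, reason: "not a Firefox-style UA string" };
  if (p.rv !== p.version) {
    return { ok: false, reason: `rv ${p.rv} does not match Firefox/${p.version}` };
  }
  const expected = p.isAndroid ? p.version : LEGACY_TRAIL;
  if (p.geckoTrail !== expected) {
    return { ok: false, reason: `Gecko/${p.geckoTrail}, expected Gecko/${expected}` };
  }
  return { ok: true, reason: "Gecko trail matches platform convention" };
}

// Sample inputs: the first two are quoted in this bug, the third is constructed.
const SAMPLES = {
  rfpAndroidReported: "Mozilla/5.0 (Android 9; Mobile; rv78.0) Gecko/20100101 Firefox/78.0",
  desktop: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0",
  rfpAndroidFixed: "Mozilla/5.0 (Android 9; Mobile; rv:78.0) Gecko/78.0 Firefox/78.0",
};

for (const [name, ua] of Object.entries(SAMPLES)) {
  const r = checkGeckoTrail(ua);
  console.log(`${name}: ${r.ok ? "OK" : "MISMATCH"} (${r.reason})`);
}
```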