navigator.oscpu returns "Linux x86_64" even if privacy.resistFingerprinting is enabled
Categories
(Core :: DOM: Security, defect)
Tracking
()
People
(Reporter: harshtheking, Unassigned)
References
Details
(Keywords: csectype-disclosure, privacy, Whiteboard: [fingerprinting])
Attachments
(1 file)
95.93 KB,
image/png
|
Details |
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Steps to reproduce:
Go to about config
enable privacy.resistFingerprinting
open any page
open console
evaluate navigator.oscpu
Actual results:
It outputs: "Linux x86_64"
Expected results:
It should output: "Windows NT x.y; Win64; x64"
Comment 1•3 years ago
|
||
Could be the console runs at the wrong privilege level to get the spoofing? Or maybe it's just broken. We're supposed to have tests for this so it would be interesting to figure out how this slipped through if it's broken.
This isn't a vulnerability that needs to be hidden -- if it's broken it's better if people know so they can protect themselves
Comment 2•3 years ago
|
||
One test that looks like it should check for this is browser/components/resistfingerprinting/test/browser/browser_navigator.js
Comment 3•3 years ago
|
||
(In reply to SoulHarsh007 from comment #0)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
...
Actual results:It outputs: "Linux x86_64"
If you are running Firefox on Linux, then this is by design. resistFingerprinting spoofs a Windows 10 User-Agent
HTTP header for all desktop platforms:
But was changed in bug 1404608 to report the actual OS in APIs like navigator.oscpu
and navigator.userAgent
:
This change was made to fix webcompat issues where some websites broke because they were listening for the wrong key codes (e.g. Google Docs bug 1405810). Once a website is able to run JavaScript, it can detect your actual OS pretty easily by analyzing installed fonts/etc, so there is little protection from spoofing the OS in navigator APIs.
You can override your navigator.userAgent
value with the about:config pref general.useragent.override
, though that will not override navigator.oscpu
.
Reporter | ||
Comment 4•3 years ago
|
||
Test Data
Script used
Image not visible? Link: https://cdn.glitch.com/75f64326-c364-43b3-ac03-ce5c2164807c%2FScript.png?v=1622698185700
Request Info LocalHost
Image not visible? Link: https://cdn.glitch.com/75f64326-c364-43b3-ac03-ce5c2164807c%2FRequestInfo-LocalHost.png?v=1622698198200
Logs LocalHost
Image not visible? Link: https://cdn.glitch.com/75f64326-c364-43b3-ac03-ce5c2164807c%2FLogs-LocalHost.png?v=1622698202000
Request Info Glitch Host
project url: https://rain-airy-mallet.glitch.me/
project source code url: https://glitch.com/edit/#!/rain-airy-mallet
Image not visible? Link: https://cdn.glitch.com/75f64326-c364-43b3-ac03-ce5c2164807c%2FRequestInfo-ServerSide.png?v=1622698195300
Logs Glitch Host
project url: https://rain-airy-mallet.glitch.me/
project source code url: https://glitch.com/edit/#!/rain-airy-mallet
Image not visible? Link: https://cdn.glitch.com/75f64326-c364-43b3-ac03-ce5c2164807c%2FLogs-Server-Side.png?v=1622698209300
Updated•3 years ago
|
Updated•3 years ago
|
Description
•