[android] RFP userAgent vs Desktop Mode
Categories
(Core :: DOM: Security, enhancement, P5)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox140 | --- | fixed |
People
(Reporter: thorin, Assigned: fkilic)
References
Details
(Whiteboard: [fingerprinting][domsecurity-backlog3])
Attachments
(1 file, 2 obsolete files)
RFP-off-FF91.png
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Steps to reproduce:
Test: https://arkenfox.github.io/TZP/tzp.html#useragent
Client: Android
pics to follow
STR1
- RFP off (I used FF91)
- load test with desktop mode = off
- everything should match
- flip desktop mode on (page should auto-reload)
- not the issue: workers don't match
- not the issue: the desktop userAgent string does not match the expected format for android (and technically, you are lying), so congrats, you get a pinnochio
STR2:
- RFP on (I used Nightly 93)
- repeat test
- not the issue: with desktop mode off
- everything matches
- the green colored
v91.0are just the test saying that we know you're lying (and are really v93, via feature detection), the hashes are always exactly what the client reported - i.e we bypassed your sneaky lies and recorded the real value in the fingerprint
- with desktop mode on
- most workers don't match (RFP still protects the web worker) which is a little different from when RFP = off
STR3
- Tor Browser
- repeat test
- different to RFP in Firefox: the web worker doesn't match (and service workers are not available)
So the questions are
- do we want to make all methods return the same desktop string when in desktop mode
- is the userAgent for all android users in desktop mode the same? i.e no entropy when used by that set?
- when RFP is on, is this a "leak" that should be patched? Which would make RFP users unable to request desktop mode
- why is TB different to FF re web worker
Also, I am not a very big android user, but how sticky is the desktop mode. I see there is a toggle, but is that global or per site?
|
Reporter | |
Updated•4 years ago
|
|
|
Reporter | |
Comment 1•4 years ago
|
||
|
|
Reporter | |
Comment 2•4 years ago
|
||
|
|
Reporter | |
Comment 3•4 years ago
|
||
STR2 ... most workers don't match (RFP still protects the web worker) which is a little different from when RFP = off
Sorry, got that back to front. Just look at the two pictures above, right hand sides. And TB is identical to RFP
|
||
Updated•4 years ago
|
|
|
Reporter | |
Comment 4•6 months ago
|
||
pinging myself as a reminder to revisit and retest that nothing is leaked when flipping desktop modes - also given some devices are looking at permanent desktop mode (tablets? foldables?)
|
|
Reporter | |
Updated•6 months ago
|
|
|
Reporter | |
Updated•6 months ago
|
|
|
Reporter | |
Updated•6 months ago
|
|
|
Reporter | |
Updated•6 months ago
|
|
|
Reporter | |
Comment 5•6 months ago
|
||
This is about toggling desktop-mode on. Starting in desktop mode clearly adds entropy, but is a different topic for another rainy day.
note
- these values (RFP values shown) do not change, only userAgent and HTTP Header do
- appVersion: 5.0 (Android 10) | oscpu: Linux armv81 | platform: Linux armv81
- header always matches JS userAgent
tests
- userAgent: Mozilla/5.0 (
Android 10; Mobile;rv:136.0) Gecko/136.0 Firefox/136.0 // RFP - userAgent: Mozilla/5.0 (
X11; Linux x86_64;rv:136.0) Gecko/20100101Firefox/136.0 // desktop mode with and without RFP - userAgent: Mozilla/5.0 (
X11; Linux x86_64;rv:136.0) Gecko/20100101Firefox/136.0 // RFP linux
So far so good. desktop mode on android happens to match RFP linux, but that may be sheer luck - I'm only testing a single phone (maybe it has entropy). I think we want to ensure (i.e code with existing RFPTargets) so RFP = enabled, the values for userAgent (both js and header) in desktop mode always return the corresponding RFP values for linux. This way there are no surprises in the future.
ni fkilic, pierov for their thoughts, tjr feel free to pipe up
|
||
Comment 6•6 months ago
|
||
(In reply to Thorin [:thorin] from comment #5)
So far so good. desktop mode on android happens to match RFP linux, but that may be sheer luck
It seems it is...
https://searchfox.org/mozilla-central/rev/206eaea9a2fd4307da16e1614cd934920368165a/mobile/shared/modules/geckoview/GeckoViewSettings.sys.mjs#19-24
nsRFPService::GetSpoofedUserAgent contains some build time checks for Android, which should be converted to runtime checks if we wanted to make sure the code to set a spoofed user agent is in only one place, at least for RFP.
Also, this would need a refactor on the Android side, I don't know how big.
Finally, notice there's also a VR mode, but I don't know if it's used.
However, I don't know if VR can be ever made RFP.
|
|
Reporter | |
Comment 7•6 months ago
|
||
I think VR or XR or whatever it's called these days is abandonware - it's all disabled on all platforms
|
Assignee | |
Comment 8•6 months ago
•
|
||
It seems it is...
https://searchfox.org/mozilla-central/rev/206eaea9a2fd4307da16e1614cd934920368165a/mobile/shared/modules/geckoview/GeckoViewSettings.sys.mjs#19-24
Hmm it seems like it. I have been working on android stuff recently, I'll take a look sometime
and yeah I also agree rfp and desktop mode should match (without any suprises)
|
|
Assignee | |
Comment 9•6 months ago
|
||
|
||
Updated•6 months ago
|
|
||
Comment 10•4 months ago
|
||
|
||
Comment 11•4 months ago
|
||
| bugherder | ||
|
||
Updated•3 months ago
|
Description
•