kasada.io anti-bot protected sites (eg nike.com, twitch.tv) fail login with RFP due to UA missing <oscpu> token or reporting different OS
Categories: Core :: Privacy: Anti-Tracking, defect, P3
Tracking: firefox136 fixed
People: Reporter: ke5trel, Assigned: pierov
References: Blocks 1 open bug
Attachments: 1 file
STR:
- Enable privacy.resistFingerprinting on latest Nightly 116.0a1 on Windows and Linux.
- Visit nike.com and try to log in.
Fails with message:
We are unable to connect to our servers right now. Please try again later.
GENERIC "0 - POST request to https://unite.nike.com/login blocked"
Login fails due to the RFPTarget HTTPUserAgent.
On Windows, the <oscpu> token (e.g. Win64; x64;) missing from the Header/Navigator UA prevents login. It is present in the Navigator with the +NavigatorUserAgent RFPTarget.
On Linux, the UA reporting as Windows prevents login, even with the <oscpu> token (Win64; x64;). The OS is accurate in the Navigator with the +NavigatorUserAgent RFPTarget. Linux is easily detected by the TCP/IP fingerprint (https://browserleaks.com/ip).
twitch.tv is more forgiving: the Header does not need to be accurate, but the Navigator does.
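The header-versus-navigator comparison the report describes, written out as an added example (not code from the bug, from Firefox or from the site); the UA strings are constructed samples in Firefox's UA format and the function names are assumptions of this example.

```javascript
// Constructed samples. RFP's spoofed header UA drops the <oscpu> token
// ("Win64; x64") and, on Linux, reports Windows; the navigator UA is what
// the page's scripts read once the Navigator is no longer spoofed.
const SAMPLES = {
  rfpHeader: "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0",
  windowsNavigator: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0",
  linuxNavigator: "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
};

// Split the parenthesised platform section of a Gecko UA into its tokens,
// derive the OS, and record whether an <oscpu> token is present.
function parseGeckoUa(ua) {
  const m = ua.match(/^Mozilla\/5\.0 \(([^)]*)\) Gecko\/\d+ Firefox\/([\d.]+)$/);
  if (!m) return null;
  const tokens = m[1].split(";").map((t) => t.trim());
  let os = "unknown";
  if (tokens[0].startsWith("Windows NT")) os = "Windows";
  else if (tokens[0] === "Macintosh") os = "macOS";
  else if (tokens.some((t) => t.startsWith("Linux"))) os = "Linux";
  // <oscpu> is "Win64; x64" on 64-bit Windows, "Linux x86_64" on Linux and
  // "Intel Mac OS X ..." on macOS.
  const hasOscpu = tokens.some((t) => /^(Win64|x64|Linux \S+|Intel Mac OS X)/.test(t));
  return { os, hasOscpu, version: m[2] };
}

// List the inconsistencies a site would see between the UA it received in
// the HTTP header and the one the page read from navigator.userAgent.
// An empty list means the two agree.
function uaInconsistencies(headerUa, navigatorUa) {
  const h = parseGeckoUa(headerUa);
  const n = parseGeckoUa(navigatorUa);
  if (!h || !n) return ["unrecognised UA format"];
  const findings = [];
  if (!h.hasOscpu) findings.push("header UA lacks <oscpu> token");
  if (h.os !== n.os) findings.push(`OS mismatch: header ${h.os}, navigator ${n.os}`);
  if (h.version !== n.version) {
    findings.push(`version mismatch: header ${h.version}, navigator ${n.version}`);
  }
  return findings;
}

// Windows case from the report: only the missing <oscpu> token differs.
console.log(uaInconsistencies(SAMPLES.rfpHeader, SAMPLES.windowsNavigator));
// Linux case from the report: missing token plus an OS mismatch.
console.log(uaInconsistencies(SAMPLES.rfpHeader, SAMPLES.linuxNavigator));
```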
Comment 1•9 months ago
Windows mismatched header was fixed in Bug 1918009
Comment 2•9 months ago
cc pierov, we can use this issue
So downstream we have removed spoofing the OS part of the userAgent in headers, and would like to make upstream/downstream match. Note, we do still protect the userAgent, so RFPTargets remain; we're just not going to spoof Linux or Mac as Windows anymore.