Open Bug 1840385 Opened 10 months ago Updated 9 months ago

kasada.io anti-bot protected sites (eg nike.com, twitch.tv) fail login with RFP due to UA missing <oscpu> token or reporting different OS

Categories

(Core :: Privacy: Anti-Tracking, defect, P3)

Firefox 116
Unspecified
All
defect

People

(Reporter: ke5trel, Unassigned)

References

(Blocks 1 open bug)

Details

STR:

  1. Enable privacy.resistFingerprinting on latest Nightly 116.0a1 on Windows and Linux.
  2. Visit nike.com and try to log in.

Fails with message:

We are unable to connect to our servers right now. Please try again later.

GENERIC "0 - POST request to https://unite.nike.com/login blocked"

Login fails due to the RFPTarget HTTPUserAgent.

On Windows, the <oscpu> token (e.g. Win64; x64;) missing from the Header/Navigator UA prevents login. It is present in the Navigator with the +NavigatorUserAgent RFPTarget.

On Linux, the UA reporting as Windows prevents login, even with <oscpu> token (Win64; x64;). The OS is accurate in the Navigator with the +NavigatorUserAgent RFPTarget. Linux is easily detected by the TCP/IP fingerprint (https://browserleaks.com/ip).

twitch.tv is more forgiving; the Header does not need to be accurate but the Navigator does.

Severity: -- → S3
Priority: -- → P3
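
A small consistency check for the two User-Agent surfaces the report distinguishes (the HTTP header and `navigator.userAgent`), added here as an example for triage; it is not code from Firefox, Bugzilla or kasada.io. The function names and the sample UA strings are constructed to match the report's description, and how the anti-bot service actually evaluates the UA is not known from this page.

```javascript
// Added example. All UA strings are constructed samples in the documented
// Firefox UA layout, not captured traffic.
const SAMPLES = {
  winHeaderRfp: 'Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/116.0',
  winNavigator: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0',
  linuxHeaderRfp: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0',
  linuxNavigator: 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/116.0',
};

// Return the platform tokens inside the first parenthesised section,
// without the "rv:NNN" token (Gecko version, not platform). null if unparseable.
function platformTokens(ua) {
  const m = /^Mozilla\/5\.0 \(([^)]*)\)/.exec(ua);
  if (!m) return null;
  return m[1].split(';').map(t => t.trim()).filter(t => t && !t.startsWith('rv:'));
}

function osFamily(tokens) {
  if (tokens.some(t => t.startsWith('Windows NT'))) return 'windows';
  if (tokens.some(t => t.startsWith('Android'))) return 'android';
  if (tokens.some(t => t.startsWith('Linux'))) return 'linux';
  if (tokens.some(t => t.includes('Mac OS X'))) return 'macos';
  return 'unknown';
}

// Report where the header UA disagrees with the Navigator UA:
// a different OS family, or platform tokens (the <oscpu> part) absent from the header.
function compareUaSurfaces(headerUa, navigatorUa) {
  const h = platformTokens(headerUa);
  const n = platformTokens(navigatorUa);
  if (!h || !n) return { parsed: false, findings: ['unparseable UA'] };
  const findings = [];
  if (osFamily(h) !== osFamily(n)) {
    findings.push(`os-mismatch: header=${osFamily(h)} navigator=${osFamily(n)}`);
  }
  const missing = n.filter(t => !h.includes(t));
  if (missing.length) findings.push(`header-missing-tokens: ${missing.join('; ')}`);
  return { parsed: true, findings };
}

console.log('Windows:', compareUaSurfaces(SAMPLES.winHeaderRfp, SAMPLES.winNavigator).findings);
console.log('Linux:  ', compareUaSurfaces(SAMPLES.linuxHeaderRfp, SAMPLES.linuxNavigator).findings);
```

To use it on a real profile, paste the `User-Agent` request header from the Network panel and the value of `navigator.userAgent` from the console in place of the samples.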