[Privacy] Extraneous entropy (Android OS version) revealed by JavaScript "navigator.appVersion"
Categories
(Fenix :: Privacy, enhancement)
Tracking
(firefox123 wontfix, firefox124 wontfix)
People
(Reporter: masterquestionable, Unassigned)
Details
E.g. on [ https://browserleaks.com/javascript ].
Reporting also the Android version?..
|
Reporter | |
Comment 1•10 months ago
|
||
As workaround: "about:config" string "general.appversion.override".
See also:
https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/nsRFPService.h
https://searchfox.org/mozilla-central/search?regexp=true&q=general%5C.%5Cw%2B%5C.override
|
|
Reporter | |
Comment 2•10 months ago
|
||
Regarding this aspect, I've additionally changed my User-Agent to "(Linux; rv:999) Firefox 999". (via "general.useragent.override")
And:
|*| network.http.accept: text/html,*/*
|*| image.http.accept: */*
Able to pass [ https://www.google.com/recaptcha/api2/demo ] etc. .
And yet noticed no problem.
For interested, please report at [ https://github.com/MasterInQuestion/talk/discussions/10 ] for related problems.
Thanks.
|
|
Reporter | |
Comment 3•10 months ago
|
||
Below 4 can all be set to empty string:
|*| general.appversion.override
|*| general.buildID.override
|*| general.oscpu.override
|*| general.platform.override
(without causing major breakage)
|
||
Comment 4•10 months ago
|
||
It's not clear that hiding the Firefox major version is worthwhile at least on the JavaScript side. One one hand, there are occasionally bugs that sites want to work around, and the clearest way to figure out if the workaround is needed is to look at the major version. If these use cases are pushed to inference from the overall available API surface, future changes to the overall available API surface may cause hard-to-understand site breakage.
On the other hand, for fingerprinting purposes, enumerating the availability of various APIs is likely to bucket Firefox version pretty close to major versions. (We don't add APIs in each release, but overall available API surface still changes rather often.)
On the HTTP side, chances are that hiding the major version would limit passive fingerprintability via mere image requests and such.
|
|
Reporter | |
Comment 5•10 months ago
|
||
For the very cause:
Most sites officially support only the latest browsers whatsoever...
My principle is: keeping only what's just minimum necessary.
|
||
Comment 6•9 months ago
|
||
Unlike Chrome's and Safari's navigator.appVersion, all that Firefox's navigator.appVersion returns is short string revealing the platform like 5.0 (Macintosh) or 5.0 (Android 10). The "5.0" refers to the "Mozilla/5.0" prefix used in all browsers' User-Agent strings.
I don't think we should remove anything from navigator.appVersion at this time. We know there exist webcompat bugs caused by navigator.appVersion (like bug 1865766) and it doesn't hide the platform because there are other ways that JavaScript can deduce the platform (such as font names or metrics), even if navigator.appVersion and navigator.userAgent don't report it.
|
|
Reporter | |
Comment 7•9 months ago
|
||
For this specific issue ("navigator.appVersion" leaks Android version): it's actually "FIXED".
As the Android version exposed would be no more meaningful. (though still leaks "Android")
Such webcompat bugs are not browser issue but their broken implementation.
And for this specific case: generally minor and doesn't outweigh the benefits.
Each such reduction makes tracking harder.
For complete defense, I'm devising [ https://bugzilla.mozilla.org/show_bug.cgi?id=1870172 ].
|
|
||
Comment 8•9 months ago
|
||
(In reply to Master ? [:masterquestionable] from comment #7)
For this specific issue ("navigator.appVersion" leaks Android version): it's actually "FIXED".
As the Android version exposed would be no more meaningful. (though still leaks "Android")
Thanks for the clarification. In that case, I'll move this bug back to Fenix's Bugzilla component and marked it fixed by bug 1865766.
|
||
Comment 9•7 months ago
|
||
It looks like the changes that fixed this were backed out in bug 1876742.
Description
•