Open Bug 1963012 Opened 7 months ago Updated 7 months ago

webcompat user agent override can reveal platform information

Categories

(Core :: Privacy: Anti-Tracking, defect, P3)

Product:
Core
Component:
Privacy: Anti-Tracking
Type:
defect

Tracking

()

People

(Reporter: henry-x, Unassigned)

Details

As far as I can tell, most user agent overrides for webcompat seem to use the navigator.userAgent as the basis, so would seem to be protected by the resist fingerprinting user agent override, and won't reveal anything more than a web page script could reveal.

However, as far as I understand, at least one intervention uses more privileged information via the browser API, addSamsungForSamsungDevices, which would reveal the user is using a samsung device via the user agent on the sites where this intervention is enabled (currently galaxy.store). Although I can't confirm this result myself.

I'm not sure about the interaction between webcompat and fingerprinting resistance, since these are only applied to specific sites. I'm also not sure where the fingerprint resistance intervention should come in, or how this should be handled to avoid other webcompat "leaks". E.g. at the addSamsungForSamsungDevices level or within browser.systemManufacturer.

AFAICT, we don't hide the platform for UA spoofing because there are many other ways to detect the platform, and it only causes breakages if we spoof it.

But addSamsungForSamsungDevices is debatable because it reveals details about the platform. I think it depends on how much it would break if we didn't provide the Samsung UA string and whether it's acceptable for RFP users.

Tom, could you share the potential breakages if we don't provide the Samsung UA string?

Severity: -- → S3
Flags: needinfo?(twisniewski)
Priority: -- → P3

We're only using it in one place, in our webcompat intervention for Samsung's Galaxy Store (bug 1598198).

It's only applied on Samsung Android devices, and only when visiting links to their store URLs, so I wouldn't consider it much of a risk. But if we'd prefer the user to get an error page instead of being redirected to their store app, I have no problem at all with disabling the intervention when RFP is on. (Would it be fine to just check that privacy.resistFingerprinting is true in that case?)

Flags: needinfo?(twisniewski)
You need to log in before you can comment on or make changes to this bug.