Intl.Collator leaks locale settings even with resistFingerprinting
Categories: Core :: Privacy: Anti-Tracking, defect
People: Reporter: tschuster, Unassigned
References: Blocks 1 open bug
Attachments: 1 file (8.06 KB, image/png)
Someone showed me that on his computer, his locale leaked when looking at https://abrahamjuliot.github.io/creepjs/ even with privacy.resistFingerprinting turned on. This seems to be caused by the Intl.Collator API.
He said this doesn't happen in Tor Browser at least. I haven't really been able to test this myself.
Comment 1 • 29 days ago
RFP only alters locale when spoof_english is used. TB locks locale to match language. AFAICT all the Intl constructors behave as expected - https://arkenfox.github.io/TZP/tzp.html#region - e.g. resolvedOptions - and that this is what is used everywhere.
Can this someone explain what it is exactly that they think is leaking and how?
edit: note the [intl] locale and [tolocalestring] locale tests are extracting max uniqueness [1], and are each run twice (with locale as undefined and as the user's locale) and compared - and the intl test is compared to the tolocalestring = everything is deterministic and matches (green stuff - see Tor Browser or use en-US in FF)
[1] from a ton of tests perfected in https://arkenfox.github.io/TZP/index.html#region - such as https://arkenfox.github.io/TZP/tests/collation.html
Comment 2 • 29 days ago
Creepjs checks some resolvedOptions().locale in some Intl constructors (and does a few minor tests which can expose locale).
This is not a leak because RFP in Firefox and in Tor Browser does not protect locale, unless the user opts into spoof_english. Note: spoof_english only prompts if locale is not en* - so en-NZ, en-CA, en-GB etc users are never prompted. I opened Bug 1671850 some time ago. When spoof_english is enabled, it works just fine (as far as Intl/locales goes).
In Tor Browser we removed the UI for languages settings and added listeners, and set the locale to match the language (spoof_english being an exception) etc -> see https://bugzilla.mozilla.org/show_bug.cgi?id=1746668#c33
FWIW: zibi's comment on how locale is/was decided is here -> https://bugzilla.mozilla.org/show_bug.cgi?id=1739712#c5
We have a number of bugs open to address RFP covering locales. If OP isn't using spoof_english, then there is no bug and this can be closed.
Comment 3 (Reporter) • 29 days ago
Yeah, quite possible that they didn't use spoof_english, I actually don't know.
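The consistency check that comments 1 and 2 describe (read `resolvedOptions().locale` from each Intl constructor, once with the locale undefined and once with the reported locale, then compare) can be sketched as below. This is an added example, not code from CreepJS, TZP or the bug thread; the function names are hypothetical, and `'en-US'` as the expected value under spoof_english is an assumption.

```javascript
// Added example, not from the bug thread. Function names are hypothetical;
// the Intl constructors and resolvedOptions() are standard ECMA-402.
const INTL_CONSTRUCTORS = [
  'Collator', 'DateTimeFormat', 'NumberFormat', 'PluralRules',
  'ListFormat', 'RelativeTimeFormat', 'DisplayNames', 'Segmenter',
];

// Resolve the locale each Intl constructor settles on for `requested`
// (undefined means "use the engine's default locale").
function resolvedLocales(requested) {
  const out = {};
  for (const name of INTL_CONSTRUCTORS) {
    const Ctor = Intl[name];
    if (typeof Ctor !== 'function') continue; // not implemented in this engine
    // DisplayNames throws without a `type` option.
    const opts = name === 'DisplayNames' ? { type: 'region' } : undefined;
    out[name] = new Ctor(requested, opts).resolvedOptions().locale;
  }
  return out;
}

// Names of constructors whose resolved locale is not `expected`.
function mismatches(locales, expected) {
  return Object.keys(locales).filter((name) => locales[name] !== expected);
}

// Run once with undefined and once with the reported locale, then compare.
function auditLocale(expected) {
  const byDefault = resolvedLocales(undefined);
  const reported = byDefault.DateTimeFormat;
  const explicit = resolvedLocales(reported);
  return {
    reported,
    // Constructors that disagree between the two runs.
    unstable: Object.keys(byDefault).filter((n) => byDefault[n] !== explicit[n]),
    // Constructors that expose something other than the expected value.
    unexpected: mismatches(byDefault, expected),
  };
}

// Assumption: with spoof_english enabled the expected value is 'en-US'.
console.log(auditLocale('en-US'));
```

An empty `unexpected` list means every constructor reports the expected locale; a non-empty `unstable` list means the two runs disagree, which is the inconsistency the TZP tests are built to surface.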