navigator object does not fully reflect user agent settings

RESOLVED FIXED in mozilla1.9beta5

Status

Core
DOM
RESOLVED FIXED
10 years ago
9 months ago

People

(Reporter: Mike Perry, Assigned: Gregory Fleischer)

Tracking

Trunk
mozilla1.9beta5
privacy, verified1.8.1.15
Points:
---
Bug Flags:
blocking1.9 -
wanted1.8.0.x ?

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7

The navigator object does not reflect a spoofed user agent for the following properties:

navigator.oscpu
navigator.productSub

Despite providing spoofed information to the general.useragent.* settings, these properties reveal the original platform and build date.

Reproducible: Always

Actual Results:  
Ideally, these properties would obtain their values by parsing the general.useragent.override string, but for many useragents this is not possible. In those cases, either alternate general.useragent.* could be consulted, or these properties would just be undefined.

Comment 1

10 years ago
Why don't you upgrade to 2.0.0.12?
(Reporter)

Comment 2

10 years ago
Heh. Maybe because the useragent was spoofed? :)
Keywords: privacy
(Assignee)

Comment 3

9 years ago
In Firefox 2.0.0.12, the 'productSub' value could be set using the 'general.useragent.productSub' preference.  See http://lxr.mozilla.org/mozilla1.8/source/netwerk/protocol/http/src/nsHttpHandler.cpp#830

This functionality no longer exists in the latest trunk.
(Reporter)

Updated

9 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Assignee)

Comment 4

9 years ago
Bug 350521 describes a similar problem with the 'navigator.buildID' value.

To reproduce the issue, either manually modify the useragent config pref ("general.useragent.override") or use an extension such as User Agent Switcher. Visiting http://pseudo-flaw.net/s/show-oscpu-productsub-buildid.html will show that the 'oscpu', 'productSub' and 'buildID' are still the original values.
(Assignee)

Comment 5

9 years ago
Created attachment 307168 [details] [diff] [review]
Proposed patch for trunk

Adds new preferences to allow override of 'navigator.oscpu', 'navigator.productSub' and 'navigator.buildID':

 - "general.oscpu.override"
 - "general.productSub.override"
 - "general.buildID.override"

Additionally, for 'navigator.productSub' checks for the undocumented 1.8 branch pref "general.useragent.productSub".
(Assignee)

Updated

9 years ago
Attachment #307168 - Flags: superreview?(jst)
Attachment #307168 - Flags: review?(jst)
(Assignee)

Comment 6

9 years ago
The proposed patch also addresses bug 350521.
Comment on attachment 307168 [details] [diff] [review]
Proposed patch for trunk

+    const nsAdoptingCString& override =
+      nsContentUtils::GetCharPref("general.productSub.override");
+
+    if (override) {
+      CopyUTF8toUTF16(override, aProductSub);
+      return NS_OK;
+    } else {
+      // 'general.useragent.productSub' backwards compatible with 1.8 branch.
+      const nsAdoptingCString& override =
+        nsContentUtils::GetCharPref("general.useragent.productSub");
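
Review bot: the `else` after `return NS_OK;` is redundant, and it is this extra nesting that lets the second `const nsAdoptingCString& override` be declared in an inner scope where it shadows the first. Dropping the `else` and giving the fallback value its own name (for example `legacyOverride`, a suggested name) removes both the nesting and the shadowing. The comment on the fallback should also state that "general.productSub.override" takes precedence over the 1.8-branch "general.useragent.productSub" when both prefs are set.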

Might want to rename this override variable to avoid compiler warnings about this one shadowing the above one.

r+sr=jst, thanks for the fix!
Attachment #307168 - Flags: superreview?(jst)
Attachment #307168 - Flags: superreview+
Attachment #307168 - Flags: review?(jst)
Attachment #307168 - Flags: review+
(Assignee)

Comment 8

9 years ago
Created attachment 307368 [details] [diff] [review]
Updated trunk patch removes compiler warning

Updated patch to remove compiler warnings.
Attachment #307168 - Attachment is obsolete: true
(Assignee)

Updated

9 years ago
Attachment #307368 - Flags: review+
(Reporter)

Updated

9 years ago
Keywords: checkin-needed
This isn't a blocker and doesn't have approval.
Component: General → DOM
Keywords: checkin-needed
OS: Windows XP → All
Product: Firefox → Core
QA Contact: general → general
Hardware: PC → All
Version: unspecified → Trunk
Assignee: nobody → gfleischer+bugzilla
Status: NEW → ASSIGNED
Flags: blocking1.9?
Attachment #307368 - Flags: approval1.9?
Comment on attachment 307368 [details] [diff] [review]
Updated trunk patch removes compiler warning

a1.9=beltzner
Attachment #307368 - Flags: approval1.9? → approval1.9+
Keywords: checkin-needed
Not a blocker, but this has approval so feel free to land this.
Flags: blocking1.9? → blocking1.9-
Checking in dom/src/base/nsGlobalWindow.cpp;
/cvsroot/mozilla/dom/src/base/nsGlobalWindow.cpp,v  <--  nsGlobalWindow.cpp
new revision: 1.1001; previous revision: 1.1000
done
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9beta5

Updated

9 years ago
Duplicate of this bug: 350521
(Reporter)

Comment 14

9 years ago
Can we get this backported to 1.8?
Flags: wanted1.8.0.x?
(Assignee)

Comment 15

9 years ago
Created attachment 322211 [details] [diff] [review]
Patch for branch

Patch for branch that adds new preferences to allow override of 'navigator.oscpu',
'navigator.productSub' and 'navigator.buildID':

 - "general.oscpu.override"
 - "general.productSub.override"
 - "general.buildID.override"
Attachment #322211 - Flags: superreview?
Attachment #322211 - Flags: review?
Attachment #322211 - Flags: approval1.8.1.15?
(Assignee)

Updated

9 years ago
Attachment #322211 - Flags: superreview?(jst)
Attachment #322211 - Flags: superreview?
Attachment #322211 - Flags: review?(jst)
Attachment #322211 - Flags: review?
Comment on attachment 322211 [details] [diff] [review]
Patch for branch

can't approve until reviewed
Whiteboard: needs r/sr=jst

Updated

9 years ago
Attachment #322211 - Flags: superreview?(jst)
Attachment #322211 - Flags: superreview+
Attachment #322211 - Flags: review?(jst)
Attachment #322211 - Flags: review+
Whiteboard: needs r/sr=jst
Comment on attachment 322211 [details] [diff] [review]
Patch for branch

Approved for 1.8.1.15, a=dveditz for release-drivers
Attachment #322211 - Flags: approval1.8.1.15? → approval1.8.1.15+
Fix landed on the 1.8 branch.
Keywords: fixed1.8.1.15
Verified on Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.15pre) Gecko/2008061004 BonEcho/2.0.0.15pre

I added the user preferences in about:config and when I loaded the site in comment #4 I got the values I had set the prefs to, for example:

User-Agent: Firefox/1.1.1.1
oscpu: Linux
productSub: 20010101
buildID: 2001010101

In Fx20014 the prefs had no effect and you were still getting the actual user agent values.
Keywords: fixed1.8.1.15 → verified1.8.1.15
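
The manual verification above (set the override prefs, load the test page from comment 4, compare the values) can be scripted as a consistency audit. The following is an added example, not part of the bug report or the Mozilla patch: `auditSpoof`, the platform table and the `REAL` and `BEFORE_FIX` values are constructed for illustration, `AFTER_FIX` uses the values quoted in the verification, and the productSub rule assumes a Gecko User-Agent carrying a `Gecko/<date>` token.

```javascript
// Added example: audit a navigator snapshot taken while a spoofed User-Agent is active.
// `real` holds the tester's known unspoofed values (assumption: the tester recorded them first).
const PROPS = ["oscpu", "productSub", "buildID"];

// Platform families a User-Agent can claim, and the oscpu text consistent with each.
const PLATFORMS = [
  { name: "Windows", ua: /Windows/, oscpu: /^Win/ },
  { name: "Mac", ua: /Macintosh|Mac OS X/, oscpu: /Mac/ },
  { name: "Linux", ua: /Linux/, oscpu: /Linux/ },
];

function auditSpoof(nav, real) {
  const findings = [];
  for (const prop of PROPS) {
    // A property still equal to the real value means the spoof never reached it.
    if (nav[prop] !== undefined && nav[prop] === real[prop]) {
      findings.push(`${prop}: leaks real value "${nav[prop]}"`);
    }
  }
  // oscpu should agree with the platform named in the spoofed User-Agent.
  const claimed = PLATFORMS.find((p) => p.ua.test(nav.userAgent));
  if (claimed && nav.oscpu !== undefined && !claimed.oscpu.test(nav.oscpu)) {
    findings.push(`oscpu: "${nav.oscpu}" contradicts ${claimed.name} User-Agent`);
  }
  // Gecko User-Agents carry a Gecko/<date> token; productSub should match it.
  const gecko = /Gecko\/(\d+)/.exec(nav.userAgent);
  if (gecko && nav.productSub !== undefined && nav.productSub !== gecko[1]) {
    findings.push(`productSub: "${nav.productSub}" contradicts Gecko/${gecko[1]}`);
  }
  return findings;
}

// Constructed sample data: the real profile and a spoofed profile before the fix.
const REAL = { oscpu: "Windows NT 5.1", productSub: "20070914", buildID: "2007091417" };
const BEFORE_FIX = {
  userAgent: "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.7) Gecko/20010101 Firefox/2.0.0.7",
  ...REAL, // only the User-Agent string changed; the other properties kept their real values
};
// Values reported in the verification comment after the override prefs were set.
const AFTER_FIX = { userAgent: "Firefox/1.1.1.1", oscpu: "Linux", productSub: "20010101", buildID: "2001010101" };

console.log(auditSpoof(BEFORE_FIX, REAL));
console.log(auditSpoof(AFTER_FIX, REAL));
```

In a browser, pass `navigator` itself as the first argument; properties the browser does not expose are skipped.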

Comment 20

8 years ago
JavaScript can use navigator.buildID to find the exact build time to the second. As far as I know it can send it to the webserver. 'general.buildID.override' does not seem to exist in about:config. So this is a unique or virtually unique identifier - a sort of cookie that is shared by all websites. This is a clear privacy issue. Things like that shouldn't be on by default, without anyone being warned. In this case, it can't even be turned off.