Closed Bug 652111 Opened 9 years ago Closed 9 years ago

Standard header of requests - standard Identifier - Feature request


(Core :: Networking: HTTP, enhancement)

(Reporter: thewormhole, Unassigned)


User-Agent:       Mozilla/5.0 (Windows NT 5.1; rv:2.0) Gecko/20100101 Firefox/4.0
Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0) Gecko/20100101 Firefox/4.0

When you want to get some web page, Firefox says to Apache "Hi I'm Firefox, I'm using these fonts, I have these codecs, I run on this operating system, and ... , so give me this page /page.html"
There is a lot of personal/system data which can be used to track down the browser/user.
So I suggest an option: same ID (same Identifier for all Firefox users). When users choose this option, all those users would have the same ID so they can't be tracked (because if 1 million users used this functionality, all these users would be represented/tracked as one user on the internet).

Also, why the hell does the web server have to know which fonts I have and all the other stuff? It only needs to know my IP address so it knows where to send data, and what data I want so it can send the correct data. Anything else is not needed. This would improve security of the web.

(Also on a side note, the "do not track" feature is pure stupidity, so I wonder, are you making fun of me and your users? My suggestion offers 100 times more protection than that feature.)

Reproducible: Always
Severity: major → enhancement
Component: General → Networking: HTTP
OS: Windows XP → All
Product: Firefox → Core
QA Contact: general → networking.http
Hardware: x86 → All
Version: unspecified → Trunk
> I'm using these fonts


> I have these codecs


Please do try to inform yourself before filing bugs that call people names, ok?

> I run on this operating system

Yes, though there are proposals to change that.  There are servers that use this information to good effect.

> Also, why the hell does the web server have to know which fonts I have

It doesn't, and we don't tell it.

> and what data I want

Precisely the issue; often the URI of the page is not enough to determine that...

I'm not going to respond to the parenthetical trolling.

This bug is a duplicate.  Please find the original bug and mark this duplicate.
Whiteboard: DUPEME
@Boris Zbarsky (:bz)
Before you begin to spread false information, look at this:
And read the research about Panopticlick

I didn't know that the Mozilla community is so "friendly".

Lists nothing for "fonts installed" and nothing for "codecs".

It also uses script detection, not HTTP headers.  That is, it's not using information we sent to the web server: it's running script on the _client_ to gather information.  Your bug report was about information sent to the server.  Please please do inform yourself....

I'm well aware of Panopticlick; we've been actively working on reducing the fingerprinting capabilities available to servers, but doing that with client-side scripting is hard (e.g. that can always detect your default font size, because we have to actually lay the page out at that font size!).

As far as friendliness goes, you started with profanity and accusations.... so I'm not sure where you thought that would go.  I'll note that I have avoided profanity in your direction so far, which is a good bit better than what you have done.
There is already a bug filed for the HTTP part. I think there are bugs filed for font enumeration and other issues too. Please search bugzilla and re-file bugs on any specific issues for which you cannot find bugs.
Closed: 9 years ago
Resolution: --- → DUPLICATE
Whiteboard: DUPEME
Duplicate of bug: http-fingerprint
As to the legitimate though misplaced concern about fonts and codecs being detectable by webpages, the hole they get that through is plugins, specifically Flash for fonts and quite a bit of other stuff that it probably shouldn't be exposing. Easily demonstrable by checking Panopticlick [1] with the Flashblock extension [2] installed and enabled. Codecs are probably enumerable via various media player plugins. If you want to see what the browser actually intentionally exposes itself, see the window.navigator object [3].


In any case, yeah, the rhetoric isn't productive. Though, you're understating the problems with the "do not track" feature, frankly (see bug 630357). If you've got any new and specific requests to help with this known topic of problems, file a new bug blocking bug 572650.
Panopticlick also says the Java plugin can get at the fonts list, apparently. Plugins can do anything they want, which is the real problem here. My advice, turn off every plugin but Flash, and use Flashblock. There's probably a general bug about that issue around here somewhere but I don't know where offhand.