FF is leaking my User Agent with privacy.resistFingerprinting=true
I have privacy.resistFingerprinting set to true, and the HTTP_USERAGENT field comes out as fingerprint resistant, but the JavaScript object "window.navigator" still leaks the non-resistant UA. Simple demo code is listed below.

```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Leaked User Agent</title>
  <script>
    alert(window.navigator && window.navigator.userAgent ? window.navigator.userAgent : "");
  </script>
</head>
<body>
</body>
</html>
```
All Replies (15)
This code doesn't show any issue for me. I have Firefox/80 and in privacy mode it gives me Firefox/78, so everything's OK.
With privacy.resistFingerprinting = true you should get a Firefox ESR user agent (68 in the current release, but this will soon change to 78).
Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Something tells me this is NOT a resistant UA
Is there any way to fix this problem?
I'm not sure what is wrong.
Firefox 78 is a turning point because 78 is the next ESR build (current is 68 ESR), and this 78 ESR build is chosen in Firefox 78 for the "Resist Fingerprinting" feature; 78 will be reported until the next ESR build (88) (i.e. in Fx 78 there is no difference in the reported Fx version).
The current Firefox 79 build is reported as Firefox 78 with RFP enabled.
This has nothing to do with the number. I'm running firefox on Linux, and the resistant UA should be "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0".
That is what I get in the HTTP headers, like this:

```
GET / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
```

However, running a simple JavaScript in that same request will yield a completely wrong UA:

```javascript
alert(window.navigator && window.navigator.userAgent ? window.navigator.userAgent : "");
```
Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
It's leaking my OS which is not fingerprint resistant. Everything in window.navigator should be fingerprint resistant and it is not.
The Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 is a pretty generic UA compared to what UAs used to be. It used to have, say, the exact build date (and not 20100101) and the minor versions shown; for example, Firefox 68.4.2 esr is shown as 68.0 and not 68.4.2 in the UA.
They have decided not to spoof the platform when you enable "Resist Fingerprinting" to avoid issues when a website uses platform specific code, so only the version number is modified to the current ESR branch.
It is weird that the user agent string is different between the HTTP Header and the navigator object. Is this a "confusion to our enemies" strategy?
But the platform is already being spoofed in the HTTP header, why can't you at least make it an option to spoof the navigator object also, even if it might break some websites. Better to be more resistant than not at all. A website would only have to compare the $_SERVER['HTTP_USER_AGENT'] string versus the navigator object useragent string to see it's spoofed, and that test itself increases the entropy of the fingerprint.
p54484c2qh said
But the platform is already being spoofed in the HTTP header, why can't you at least make it an option to spoof the navigator object also
After further exploration, I believe: the Web Console knows the truth, so you can't use that for your testing. Here's what I did:
I modified the UA on my Win10x64 to 32-bit Windows 7 by creating the string preference general.useragent.override with this value:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20100101 Firefox/77.0
Then I tested on https://www.jeffersonscher.com/res/jstest.php and got the expected result both for the header and JavaScript.
Then I turned on privacy.resistFingerprinting and checked the page again and got
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
for both.
Repeated with general.useragent.override set to
Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
with and without resistFingerprinting and got the same result.
Note: the spam link filter will divert your reply to moderation if you include any off-site URLs, so if you quote the above test address, it's normal for your post not to appear right away.
Sorry, I don't know why I thought this thread involved the Web Console. Must be reading too many threads at the same time.
Upon further review, I noticed a difference with the UAs:
UA override:
- Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20100101 Firefox/77.0
- Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
HTTP Header: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
JavaScript: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
That's weird.
It is also true, so both of our Firefox's report the true OS.
According to bug comments (1653328#c1, 1650427#c2) this difference is intentional and is driven by experience of Tor users with site breakage and ability of scripts to determine your OS in other ways anyway.
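Added example, not part of the original thread: a self-check that parses the User-Agent strings quoted above (HTTP header versus `navigator.userAgent`) and reports which fields differ. The function names are hypothetical; in a real test you would pass `navigator.userAgent` and the header value echoed back by your own test server.

```javascript
// Split a Firefox-style UA into platform tokens, rv: token and version.
function parseFirefoxUA(ua) {
  const m = /^Mozilla\/5\.0 \(([^)]*)\) Gecko\/([\d.]+) Firefox\/([\d.]+)$/.exec(ua.trim());
  if (!m) return null; // not a Firefox UA in the expected shape
  const tokens = m[1].split(";").map((t) => t.trim()).filter(Boolean);
  const rv = tokens.find((t) => t.startsWith("rv:")) || null;
  const platform = tokens.filter((t) => !t.startsWith("rv:"));
  return { platform, rv, version: m[3], os: osFamily(platform) };
}

// Coarse OS family derived from the platform tokens (hypothetical helper).
function osFamily(platform) {
  const s = platform.join(" ");
  if (/Windows NT/.test(s)) return "Windows";
  if (/Macintosh|Mac OS X/.test(s)) return "macOS";
  if (/Android/.test(s)) return "Android"; // checked before Linux on purpose
  if (/Linux|X11/.test(s)) return "Linux";
  return "unknown";
}

// Compare the header UA with the script-visible UA, field by field.
function compareUA(headerUA, scriptUA) {
  const h = parseFirefoxUA(headerUA);
  const s = parseFirefoxUA(scriptUA);
  if (!h || !s) return { parsed: false, differences: ["unparsed"] };
  const differences = [];
  if (h.os !== s.os) differences.push("os");
  if (h.platform.join("; ") !== s.platform.join("; ")) differences.push("platform");
  if (h.rv !== s.rv) differences.push("rv");
  if (h.version !== s.version) differences.push("version");
  return { parsed: true, headerOS: h.os, scriptOS: s.os, differences };
}

// Strings quoted in the thread (RFP enabled).
const HEADER_RFP = "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0";
const SCRIPT_LINUX = "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0";
const SCRIPT_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0";

console.log(compareUA(HEADER_RFP, SCRIPT_LINUX)); // Linux host: OS differs
console.log(compareUA(HEADER_RFP, SCRIPT_WIN));   // Windows host: only token detail differs
```

On the Linux strings the OS family itself differs between header and script, while on the Windows strings only the `Win64; x64` tokens differ.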
I always thought that FF was more customizable than it really is. That is disappointing especially since I don't use Tor.
p54484c2qh said
I always thought that FF was more customizable than it really is.
What are you trying to customize?
In my view, the privacy.resistFingerprinting feature bundles a bunch of changes that I haven't seen proven to work, possibly because not very many people use it: it's difficult for those with altered responses to blend in with a crowd if there's no crowd. If there are particular things you want to control, I suggest finding ways to control those specific things instead of using the bundled approach.