Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

FF is leaking my User Agent with privacy.resistFingerprinting=true

more options

I have privacy.resistFingerprinting set to true, and the HTTP_USERAGENT field comes out as fingerprint resistant, but the javascript object "window.navigator" still leaks the non-resistant UA. Simple demo code is listed below.

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Leaked User Agent</title>
<script>
alert(window.navigator && window.navigator.userAgent ? window.navigator.userAgent : "");
</script>
</head>
<body>
</body>
</html>

I have privacy.resistFingerprinting set to true, and the HTTP_USERAGENT field comes out as fingerprint resistant, but the javascript object "window.navigator" still leaks the non-resistant UA. Simple demo code is listed below. <pre><nowiki><!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title>Leaked User Agent</title> <script> alert(window.navigator && window.navigator.userAgent ? window.navigator.userAgent : ""); </script> </head> <body> </body> </html></nowiki></pre><br>

Modified by cor-el

All Replies (15)

more options

This code doesn't show any issue for me. I have Firefox/80 and in privacy mode it gives me Firefox/78, so everything's OK.

more options

With privacy.resistFingerprinting = true you should get a Firefox ESR user agent (68 in the current release, but this will soon change to 78).

more options

Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Something tells me this is NOT a resistant UA

more options

Is there anyway to fix this problem?

more options

I'm not sure what is wrong.
Firefox 78 is a turn point because 78 is the next ESR build (current is 68 ESR) and this 78 ESR build is chosen in Firefox 78 for the "Resist Fingerprinting" feature and 78 will be reported until the next ESR build (88) (i.e. in Fx 78 there is no difference in the reported Fx version).
The current Firefox 79 build is reported as Firefox 78 with RFP enabled.

more options

This has nothing to do with the number. I'm running firefox on Linux, and the resistant UA should be "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0".

That is what I get in the HTTP headers. like this: GET / HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Upgrade-Insecure-Requests: 1

However, running a simple javascript in that same request will yield a completely wrong UA: alert(window.navigator && window.navigator.userAgent ? window.navigator.userAgent : "");

Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

It's leaking my OS which is not fingerprint resistant. Everything in window.navigator should be fingerprint resistant and it is not.

more options

The Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 is a pretty generic UA compared to what UA's used to be. It used to have say the exact build date (and not 20100101) and the minor versions shown as for example Firefox 68.4.2 esr is shown as 68.0 and not 68.4.2 in UA.

more options

They have decided not to spoof the platform when you enable "Resist Fingerprinting" to avoid issues when a website uses platform specific code, so only the version number is modified to the current ESR branch.

more options

It is weird that the user agent string is different between the HTTP Header and the navigator object. Is this a "confusion to our enemies" strategy?

more options

But the platform is already being spoofed in the HTTP header, why can't you at least make it an option to spoof the navigator object also, even if it might break some websites. better to be more resistance than not at all. a website would only have to compare the $_SERVER['HTTP_USER_AGENT'] string verses the navigator object useragent string to see it's spoofed, and that test itself increases the entropy of the fingerprint.

more options

p54484c2qh said

But the platform is already being spoofed in the HTTP header, why can't you at least make it an option to spoof the navigator object also

After further exploration, I believe: the Web Console knows the truth, so you can't use that for your testing. Here's what I did:

I modified the UA on my Win10x64 to 32-bit Windows 7 by creating the string preference general.useragent.override with this value:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20100101 Firefox/77.0

Then I tested on https://www.jeffersonscher.com/res/jstest.php and got the expected result both for the header and JavaScript.

Then I turned on privacy.resistFingerprinting and checked the page again and got

Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

for both.

Repeated with general.useragent.override set to

Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0

with and without resistFingerprinting and got the same result.

Note: the spam link filter will divert your reply to moderation if you include any off-site URLs, so if you quote the above test address, it's normal for your post not to appear right away.

more options

Sorry, I don't know why I thought this thread involved the Web Console. Must be reading too many threads at the same time.

Upon further review, I noticed a difference with the UAs:

UA override:

  1. Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20100101 Firefox/77.0
  2. Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0

HTTP Header: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

Javascript: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0

That's weird.

It is also true, so both of our Firefox's report the true OS.

Modified by jscher2000 - Support Volunteer

more options

According to bug comments (1653328#c1, 1650427#c2) this difference is intentional and is driven by experience of Tor users with site breakage and ability of scripts to determine your OS in other ways anyway.

more options

I always thought that FF was more customizable then it really is. That is disappointing especially since I don't use Tor.

more options

p54484c2qh said

I always thought that FF was more customizable then it really is.

What are you trying to customize?

In my view, the privacy.resistFingerprinting feature bundles a bunch of changes that I haven't seen proven to work, possibly because not very many people use it: it's difficult for those with altered responses to blend in with a crowd if there's no crowd. If there are particular things you want to control, I suggest finding ways to control those specific things instead of using the bundled approach.