FF is leaking my User Agent with privacy.resistFingerprinting=true

  • 15 replies
  • 1 has this problem
  • 28 views
  • Last reply by jscher2000


I have privacy.resistFingerprinting set to true, and the HTTP_USERAGENT field comes out as fingerprint resistant, but the javascript object "window.navigator" still leaks the non-resistant UA. Simple demo code is listed below.

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Leaked User Agent</title>
<script>
alert(window.navigator && window.navigator.userAgent ? window.navigator.userAgent : "");
</script>
</head>
<body>
</body>
</html>

Edited by cor-el

All Replies (15)


This code doesn't show any issue for me. I have Firefox/80 and in privacy mode it gives me Firefox/78, so everything's OK.


With privacy.resistFingerprinting = true you should get a Firefox ESR user agent (68 in the current release, but this will soon change to 78).


Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Something tells me this is NOT a resistant UA


Is there any way to fix this problem?


I'm not sure what is wrong.
Firefox 78 is a turning point because 78 is the next ESR build (current is 68 ESR) and this 78 ESR build is chosen in Firefox 78 for the "Resist Fingerprinting" feature and 78 will be reported until the next ESR build (88) (i.e. in Fx 78 there is no difference in the reported Fx version).
The current Firefox 79 build is reported as Firefox 78 with RFP enabled.


This has nothing to do with the number. I'm running Firefox on Linux, and the resistant UA should be "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0".

That is what I get in the HTTP headers, like this:

GET / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1

However, running a simple JavaScript in that same request will yield a completely wrong UA:

alert(window.navigator && window.navigator.userAgent ? window.navigator.userAgent : "");

Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

It's leaking my OS which is not fingerprint resistant. Everything in window.navigator should be fingerprint resistant and it is not.


The Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 is a pretty generic UA compared to what UAs used to be. It used to have, say, the exact build date (and not 20100101) and the minor versions shown; for example, Firefox 68.4.2 esr is shown as 68.0 and not 68.4.2 in the UA.


They have decided not to spoof the platform when you enable "Resist Fingerprinting" to avoid issues when a website uses platform specific code, so only the version number is modified to the current ESR branch.


It is weird that the user agent string is different between the HTTP Header and the navigator object. Is this a "confusion to our enemies" strategy?


But the platform is already being spoofed in the HTTP header, why can't you at least make it an option to spoof the navigator object also, even if it might break some websites? Better to be more resistant than not at all. A website would only have to compare the $_SERVER['HTTP_USER_AGENT'] string versus the navigator object useragent string to see it's spoofed, and that test itself increases the entropy of the fingerprint.


p54484c2qh said

But the platform is already being spoofed in the HTTP header, why can't you at least make it an option to spoof the navigator object also

After further exploration, I believe: the Web Console knows the truth, so you can't use that for your testing. Here's what I did:

I modified the UA on my Win10x64 to 32-bit Windows 7 by creating the string preference general.useragent.override with this value:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20100101 Firefox/77.0

Then I tested on https://www.jeffersonscher.com/res/jstest.php and got the expected result both for the header and JavaScript.

Then I turned on privacy.resistFingerprinting and checked the page again and got

Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

for both.

Repeated with general.useragent.override set to

Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0

with and without resistFingerprinting and got the same result.

Note: the spam link filter will divert your reply to moderation if you include any off-site URLs, so if you quote the above test address, it's normal for your post not to appear right away.


Sorry, I don't know why I thought this thread involved the Web Console. Must be reading too many threads at the same time.

Upon further review, I noticed a difference with the UAs:

UA override:

  1. Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20100101 Firefox/77.0
  2. Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0

HTTP Header: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

Javascript: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0

That's weird.

It is also true, so both of our Firefoxes report the true OS.

Edited by jscher2000


According to bug comments (1653328#c1, 1650427#c2) this difference is intentional and is driven by experience of Tor users with site breakage and ability of scripts to determine your OS in other ways anyway.

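Added example, not part of any post in this thread: a self-check for the header versus navigator.userAgent mismatch discussed above. It parses the two values quoted by the posters and reports which parts differ; the function names parseFirefoxUA and diffUserAgents are made up for this illustration.

```javascript
// Added example: compare the User-Agent a server receives with the one scripts read.
// The sample strings below are the values quoted in this thread.

// Split a desktop Firefox-format UA into the parts the thread compares.
function parseFirefoxUA(ua) {
  const m = /^Mozilla\/5\.0 \(([^)]*)\) Gecko\/(\d+) Firefox\/([\d.]+)$/.exec(ua.trim());
  if (!m) return null; // not a desktop Firefox-format string
  const tokens = m[1].split(';').map((t) => t.trim());
  const rvIndex = tokens.findIndex((t) => t.startsWith('rv:'));
  return {
    platform: tokens.filter((_, i) => i !== rvIndex), // e.g. ["X11", "Linux x86_64"]
    rv: rvIndex >= 0 ? tokens[rvIndex].slice(3) : null,
    geckoTrail: m[2],
    version: m[3],
  };
}

// Report which parts differ between the header value and navigator.userAgent.
function diffUserAgents(headerUA, scriptUA) {
  const h = parseFirefoxUA(headerUA);
  const s = parseFirefoxUA(scriptUA);
  if (!h || !s) return { parsed: false, differences: [] };
  const differences = [];
  if (h.platform.join('; ') !== s.platform.join('; ')) differences.push('platform');
  if (h.rv !== s.rv) differences.push('rv');
  if (h.geckoTrail !== s.geckoTrail) differences.push('geckoTrail');
  if (h.version !== s.version) differences.push('version');
  return { parsed: true, differences, headerPlatform: h.platform, scriptPlatform: s.platform };
}

// Header value reported by both posters with privacy.resistFingerprinting on.
const HEADER_UA = 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0';
// navigator.userAgent values reported on Linux and on 64-bit Windows.
const SCRIPT_UA_LINUX = 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0';
const SCRIPT_UA_WIN = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0';

console.log(diffUserAgents(HEADER_UA, SCRIPT_UA_LINUX));
console.log(diffUserAgents(HEADER_UA, SCRIPT_UA_WIN));
console.log(diffUserAgents(HEADER_UA, HEADER_UA));
```

In a real check the first argument is the User-Agent header echoed back by a server you control and the second is navigator.userAgent read in the same page.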


I always thought that FF was more customizable than it really is. That is disappointing especially since I don't use Tor.


p54484c2qh said

I always thought that FF was more customizable than it really is.

What are you trying to customize?

In my view, the privacy.resistFingerprinting feature bundles a bunch of changes that I haven't seen proven to work, possibly because not very many people use it: it's difficult for those with altered responses to blend in with a crowd if there's no crowd. If there are particular things you want to control, I suggest finding ways to control those specific things instead of using the bundled approach.
