Bug #16029
Tor Browser leaks locale in HTTP_ACCEPT Headers
100%
Description
Using Panopticlick, we get these HTTP_ACCEPT headers using the default US English locale:
text/html, */*; q=0.01 gzip, deflate, br en-US,en;q=0.5
but this with French:
text/html, */*; q=0.01 gzip, deflate, br fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
In the non-English Tor Browsers when used outside of Tails you are asked about whether you want to leak this (for a localized web experience). But I guess we still want to spoof as US English for all?
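A check for the leak described above, as an added example that is not part of the original report or of the Tails code: it parses an Accept-Language value and compares it with the en-US value quoted in the description. The function names and the "<differs>" marker are assumptions made for this example.

```python
# Added example: compare an Accept-Language header with the en-US value
# quoted in this ticket and report any locale information it reveals.

SPOOFED = "en-US,en;q=0.5"  # value seen with the default US English locale


def parse_accept_language(value):
    """Return [(language_tag, q)] in header order; q defaults to 1.0."""
    ranges = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        tag, *params = [p.strip() for p in item.split(";")]
        q = 1.0
        for param in params:
            name, _, val = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(val)
                except ValueError:
                    q = 0.0  # malformed weight: treat as not acceptable
        ranges.append((tag.lower(), q))
    return ranges


def locale_leak(value, baseline=SPOOFED):
    """Return the language tags that distinguish `value` from the baseline.

    An empty list means the header matches the spoofed one in tags, order
    and weights. Same tags but a different order or weights is still a
    distinguishing value, reported as ["<differs>"].
    """
    got = parse_accept_language(value)
    want = parse_accept_language(baseline)
    if got == want:
        return []
    known = {tag for tag, _ in want}
    extra = [tag for tag, _ in got if tag not in known]
    return extra or ["<differs>"]


if __name__ == "__main__":
    # Accept-Language values quoted in the ticket description.
    for header in ("en-US,en;q=0.5", "fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"):
        print(header, "->", locale_leak(header) or "no leak")
```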
Related issues
Associated revisions
Set the firefox preferences to spoof English (refs: #16029)
These are set when privacy.spoof_english is changed to 2, but not if it
is already set to 2 when firefox is started. So we set them ourselves to
fix the spoofing.
Merge branch 'bugfix/16029-fix-spoof-english+force-all-tests' into stable (Fix-committed: #16029)
History
#1 Updated by anonym 5 months ago
- Related to Feature #15506: Core work 2018Q4: Foundations Team added
#4 Updated by anonym 5 months ago
So the spoofing has been uplifted from Torbutton to Firefox. The pref is privacy.spoof_english, with (from Tor Browser sources, browser/app/profile/firefox.js):
// 0 - will prompt
// 1 - don't spoof
// 2 - spoof
So we should set it to 2... but it already is according to about:config in both Tails 3.9 and 3.9.1 (picked German in the Greeter).
Those settings do what they are supposed to in Tor Browser outside of Tails, but when set to 1 or 2 they are always "User set" (user_pref(...)), but in Tails we change the default to 2. We've seen buggy prefs before that behave differently for the same value depending on whether they are set via a default or user set.
#5 Updated by intrigeri 5 months ago
- Related to deleted (Feature #15506: Core work 2018Q4: Foundations Team)
#6 Updated by intrigeri 5 months ago
- Blocks Feature #15506: Core work 2018Q4: Foundations Team added
#11 Updated by segfault 4 months ago
- Feature Branch changed from bugfix/16029-fix-spoof-english to bugfix/16029-fix-spoof-english+force-all-tests
intrigeri wrote:
FYI most automated tests involving Tor Browser are tagged fragile so they won't run on Jenkins unless your branch's name has the +force-all-tests suffix.
Thanks, I added the suffix
#16 Updated by segfault 4 months ago
I took a look at the code today. The only place I could find where the spoofing is applied is here, in LanguagePrompt.jsm. There it seems like the spoofing is only applied if the preference is changed, so it doesn't matter what the value is when firefox is started.
This is consistent with the behavior I see: If I manually change the setting to 1 and then back to 2, the spoofing is enabled.
I also noticed that when the spoofing is applied, it actually only sets two other preferences. I guess if we would set these in config/chroot_local-includes/etc/tor-browser/profile/prefs.js, we could enable the spoofing again.
#17 Updated by segfault 4 months ago
- Assignee set to intrigeri
- QA Check set to Ready for QA
segfault wrote:
I also noticed that when the spoofing is applied, it actually only sets two other preferences. I guess if we would set these in config/chroot_local-includes/etc/tor-browser/profile/prefs.js, we could enable the spoofing again.
I also tried to change these settings in config/chroot_local-includes/usr/share/tails/tor-browser-prefs.js, but it had no effect. It only works if they are set in config/chroot_local-includes/etc/tor-browser/profile/prefs.js. I pushed a commit which does that.