[tbb-bugs] #30605 [Applications/Tor Browser]: accept-language header leaks browser localization

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri May 24 15:47:27 UTC 2019


#30605: accept-language header leaks browser localization
--------------------------------------+--------------------------
 Reporter:  sysrqb                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------
Description changed by sysrqb:

Old description:

> A [https://blog.torproject.org/comment/281830#comment-281830 blog user]
> mentions each request includes the chosen browser language. Do we
> normalize this on desktop such that we only send `en-US` regardless of
> the browser's localization?
>
> Using https://wtfismyip.com/headers
>
> With `en-US` as the browser locale:
> {{{
> host: wtfismyip.com
> connection:
> close user-agent: Mozilla/5.0 (Android 6.0; Mobile; rv:60.0)
> Gecko/20100101 Firefox/60.0
> accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> accept-language: en-US,en;q=0.5
> accept-encoding: gzip, deflate, br
> upgrade-insecure-requests: 1
> }}}
>

> With `ru-RU` as the browser locale:
> {{{
> host: wtfismyip.com
> connection: close
> user-agent: Mozilla/5.0 (Android 6.0; Mobile; rv:60.0) Gecko/20100101
> Firefox/60.0
> accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> accept-language: ru,ru-RU;q=0.8,en-US;q=0.5,en;q=0.3
> accept-encoding: gzip, deflate, br
> upgrade-insecure-requests: 1
> }}}

New description:

 A [https://blog.torproject.org/comment/281830#comment-281830 blog user]
 mentions each request includes the chosen browser language. Do we
 normalize this on desktop such that we only send `en-US` regardless of the
 browser's localization?

 Using https://wtfismyip.com/headers

 With `en-US` as the browser locale:
 {{{
 host: wtfismyip.com
 connection: close
 user-agent: Mozilla/5.0 (Android 6.0; Mobile; rv:60.0) Gecko/20100101
 Firefox/60.0
 accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 accept-language: en-US,en;q=0.5
 accept-encoding: gzip, deflate, br
 upgrade-insecure-requests: 1
 }}}


 With `ru-RU` as the browser locale:
 {{{
 host: wtfismyip.com
 connection: close
 user-agent: Mozilla/5.0 (Android 6.0; Mobile; rv:60.0) Gecko/20100101
 Firefox/60.0
 accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 accept-language: ru,ru-RU;q=0.8,en-US;q=0.5,en;q=0.3
 accept-encoding: gzip, deflate, br
 upgrade-insecure-requests: 1
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30605#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
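
Added example (not part of the ticket or of Tor Browser's code): a regression-style check that parses header dumps like the two in the ticket and reports which language tags go beyond the `en-US` value. The function names, and the choice of `en-US,en;q=0.5` as the normalization target, are assumptions.

```javascript
// Added example; BASELINE is the value the ticket shows for an en-US browser.
// Treating it as the normalization target is an assumption from the ticket's question.
const BASELINE = "en-US,en;q=0.5";

// Parse "name: value" lines; a line without a header name is a wrapped continuation.
function parseHeaderDump(text) {
  const headers = {};
  let last = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    const m = /^([A-Za-z-]+):\s*(.*)$/.exec(line);
    if (m) { last = m[1].toLowerCase(); headers[last] = m[2]; }
    else if (last && line) headers[last] += " " + line;
  }
  return headers;
}

// Split an Accept-Language value into [{tag, q}], highest preference first.
function parseAcceptLanguage(value) {
  return value.split(",")
    .map((part) => {
      const [tag, ...params] = part.split(";").map((s) => s.trim());
      const qParam = params.find((p) => p.toLowerCase().startsWith("q="));
      const q = qParam ? parseFloat(qParam.slice(2)) : 1;
      return { tag, q: Number.isNaN(q) ? 0 : q };
    })
    .filter((e) => e.tag !== "")
    .sort((a, b) => b.q - a.q);
}

// Compare a request's Accept-Language with the baseline and list the extra tags.
function checkLocaleLeak(headers, baseline = BASELINE) {
  const sent = headers["accept-language"] || "";
  const canon = (v) => parseAcceptLanguage(v).map((e) => `${e.tag.toLowerCase()};q=${e.q}`).join(",");
  const allowed = new Set(parseAcceptLanguage(baseline).map((e) => e.tag.toLowerCase()));
  const extraTags = parseAcceptLanguage(sent).map((e) => e.tag)
    .filter((t) => !allowed.has(t.toLowerCase()));
  return { sent, matchesBaseline: canon(sent) === canon(baseline), extraTags };
}

// Header dumps abridged from the ticket, including the wrapped user-agent line.
const EN_DUMP = `host: wtfismyip.com
user-agent: Mozilla/5.0 (Android 6.0; Mobile; rv:60.0) Gecko/20100101
Firefox/60.0
accept-language: en-US,en;q=0.5`;
const RU_DUMP = `host: wtfismyip.com
accept-language: ru,ru-RU;q=0.8,en-US;q=0.5,en;q=0.3`;

for (const dump of [EN_DUMP, RU_DUMP]) console.log(checkLocaleLeak(parseHeaderDump(dump)));
```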

