[tbb-bugs] #30605 [Applications/Tor Browser]: accept-language header leaks browser localization

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri May 24 17:42:39 UTC 2019

#30605: accept-language header leaks browser localization
 Reporter:  sysrqb                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-mobile                |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
Changes (by sysrqb):

 * keywords:   => tbb-mobile


 Replying to [comment:2 acat]:
 > I think what happens in desktop (with lang other than en-US) is that on
 first navigation there is the prompt asking whether to spoof to english,
 if the user accepts then it sets the `privacy.spoof_english =  2` pref.
 Then, the pref listener in
 `toolkit/components/resistfingerprinting/RFPHelper.jsm` sets the
 `intl.accept_languages = en-US,en`. In Android I don't see
 `privacy.spoof_english` pref, and then even if set manually to 2,
 `intl.accept_languages` is not changed. I wonder what is failing here...
 Changing `intl.accept_languages = en-US,en` manually works, and then the
 `accept-language` header is spoofed correctly.

 Ah, thanks! That sounds like something we want on Android, too. It seems
 it was only [https://gitweb.torproject.org/tor-
 implemented] on Desktop (not surprisingly). I wonder what we should do on
 Android. Maybe we should start with always spoofing the header for now,
 and implement a better fix later?

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30605#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list