[tor-bugs] #30605 [Applications/Tor Browser]: accept-language header leaks browser localization

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri May 24 18:28:57 UTC 2019 

#30605: accept-language header leaks browser localization
--------------------------------------+--------------------------
 Reporter:  sysrqb                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-mobile, tbb-parity    |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------
Changes (by gk):

 * keywords:  tbb-mobile => tbb-mobile, tbb-parity


Comment:

 Replying to [comment:3 sysrqb]:
 > Replying to [comment:2 acat]:
 > > I think what happens in desktop (with lang other than en-US) is that
 on first navigation there is the prompt asking whether to spoof to
 english, if the user accepts then it sets the `privacy.spoof_english =  2`
 pref. Then, the pref listener in
 `toolkit/components/resistfingerprinting/RFPHelper.jsm` sets the
 `intl.accept_languages = en-US,en`. In Android I don't see
 `privacy.spoof_english` pref, and then even if set manually to 2,
 `intl.accept_languages` is not changed. I wonder what is failing here...
 Changing `intl.accept_languages = en-US,en` manually works, and then the
 `accept-language` header is spoofed correctly.
 >
 > Ah, thanks! That sounds like something we want on Android, too. It seems
 it was only [https://gitweb.torproject.org/tor-
 browser.git/commit/?h=6806c911a3b9e5d878af4f99cddebadc0ba12808
 implemented] on Desktop (not surprisingly). I wonder what we should do on
 Android. Maybe we should start with always spoofing the header for now,
 and implement a better fix later?

 I am inclined to say "no" as the usability issues are potentially quite
 severe. There are a bunch of ways to get the browser locale (we still have
 some open for desktop) even though header spoofing *is* active (see e.g.
 #30304). So the benefit might not be as expected (this is *not* meant in
 the sense that we should not fix it because there are other ways to obtain
 the locale).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30605#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list