[tor-bugs] #30605 [Applications/Tor Browser]: accept-language header leaks browser localization

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon May 27 14:50:39 UTC 2019


#30605: accept-language header leaks browser localization
--------------------------------------+--------------------------
 Reporter:  sysrqb                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-mobile, tbb-parity    |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by sysrqb):

 Replying to [comment:4 gk]:
 > Replying to [comment:3 sysrqb]:
 [snip]
 > > I wonder what we should do on Android. Maybe we should start with
 > > always spoofing the header for now, and implement a better fix later?
 >
 > I am inclined to say "no" as the usability issues are potentially quite
 > severe. There are a bunch of ways to get the browser locale (we still have
 > some open for desktop) even though header spoofing *is* active (see e.g.
 > #30304). So the benefit might not be as expected (this is *not* meant in
 > the sense that we should not fix it because there are other ways to obtain
 > the locale).

 Maybe we should add a warning/notification somewhere? Maybe we should
 check the current locale when the app starts and show a warning if
 `locale` != `en-US`? It makes me a little uncomfortable that we default to
 `en-US`, but I don't have a better answer right now.

 From a usability perspective, we should be sending the correct language
 header.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30605#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

