[tbb-bugs] #30605 [Applications/Tor Browser]: accept-language header leaks browser localization
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri May 24 17:42:39 UTC 2019
#30605: accept-language header leaks browser localization
--------------------------------------+--------------------------
Reporter: sysrqb | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-mobile | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Changes (by sysrqb):
* keywords: => tbb-mobile
Comment:
Replying to [comment:2 acat]:
> I think what happens in desktop (with lang other than en-US) is that on
first navigation there is the prompt asking whether to spoof to english,
if the user accepts then it sets the `privacy.spoof_english = 2` pref.
Then, the pref listener in
`toolkit/components/resistfingerprinting/RFPHelper.jsm` sets the
`intl.accept_languages = en-US,en`. In Android I don't see
`privacy.spoof_english` pref, and then even if set manually to 2,
`intl.accept_languages` is not changed. I wonder what is failing here...
Changing `intl.accept_languages = en-US,en` manually works, and then the
`accept-language` header is spoofed correctly.
Ah, thanks! That sounds like something we want on Android, too. It seems
it was only [https://gitweb.torproject.org/tor-
browser.git/commit/?h=6806c911a3b9e5d878af4f99cddebadc0ba12808
implemented] on Desktop (not surprisingly). I wonder what we should do on
Android. Maybe we should start with always spoofing the header for now,
and implement a better fix later?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30605#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list