[tor-bugs] #30605 [Applications/Tor Browser]: accept-language header leaks browser localization
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon May 27 14:50:39 UTC 2019
#30605: accept-language header leaks browser localization
--------------------------------------+--------------------------
Reporter: sysrqb | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-mobile, tbb-parity | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by sysrqb):
Replying to [comment:4 gk]:
> Replying to [comment:3 sysrqb]:
[snip]
> > I wonder what we should do on Android. Maybe we should start with
always spoofing the header for now, and implement a better fix later?
>
> I am inclined to say "no" as the usability issues are potentially quite
severe. There are a bunch of ways to get the browser locale (we still have
some open for desktop) even though header spoofing *is* active (see e.g.
#30304). So the benefit might not be as expected (this is *not* meant in
the sense that we should not fix it because there are other ways to obtain
the locale).
Maybe we should add a warning/notification somewhere? Maybe we should
check the current locale when the app starts and show a warning if
`locale` != `en-US`? It makes me a little uncomfortable that we default to
`en-US`, but I don't have a better answer right now.
From a usability perspective, we should sending the correct language
header.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30605#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list