
MB 234: Disable OS spoofing in HTTP User-Agent.

Merge Info

Related Issues



  • Immediate: patchset needed as soon as possible
  • Next Minor Stable Release: patchset that needs to be verified in nightly before backport
  • Eventually: patchset that needs to be verified in alpha before backport
  • No Backport (preferred): patchset for the next major stable

(Optional) Justification

  • Emergency security update: patchset fixes CVEs, 0-days, etc
  • Critical bug-fix: patchset fixes a bug in core-functionality
  • Consistency: patchset which would make development easier if it were in both the alpha and release branches; developer tools, build system changes, etc
  • Sponsor required: patchset required for sponsor
  • Localization: typos and other localization changes that should be also in the release branch
  • Other: please explain


  • Merge to mullvad-browser - !fixups to mullvad-browser-specific commits, new features, security backports
  • Merge to base-browser - !fixups to base-browser-specific commits, new features to be shared with tor-browser
    • NOTE: if your changeset includes patches to both base-browser and mullvad-browser please clearly label in the change description which commits should be cherry-picked to base-browser after merging

Issue Tracking


Request Reviewer

  • Request review from an applications developer depending on modified system:
    • firefox internals (XUL/JS/XPCOM) : @ma1 (it's my first C++ pref observer)
    • security : @ma1 (fingerprinting?)
    • second reviewer : @richard (C++ patch with non-trivial memory stuff)

Change Description

The UX on some sites breaks because of the inconsistency between HTTP's User-Agent and navigator.userAgent.

This patch makes them consistent, to see how things change for users.

It doesn't handle the security level for a few reasons:

  • security level isn't about privacy/fingerprinting in the old threat model; I don't know about the new one
  • someone says hiding the OS is hard even without JS
  • this patch is MB-only (but we can set a non-existent pref if needed in TB 😉)

How Tested

  1. Search "my user agent" on DuckDuckGo: it will dump some headers, including UA
  2. Checked that flipping the new pref makes the UA change
  3. Checked that we don't have crashes at shutdown because I've used the weak observer (but we can discuss more about this)

Related to #234 (closed)
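
A check for the inconsistency the change description refers to, as an added example that is not part of the merge request or the browser's code: it compares the OS family in an HTTP User-Agent header with the one in navigator.userAgent. The UA strings are constructed samples, and the helper names and the `js` query parameter are hypothetical.

```javascript
// Constructed sample values (assumption): a header reporting Windows while script sees Linux.
const SPOOFED_HEADER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0";
const SCRIPT_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0";

// Order matters: Android UAs can also contain "Linux", so Android is tested first.
const OS_PATTERNS = [
  ["android", /Android/i],
  ["windows", /Windows NT/i],
  ["macos", /Macintosh|Mac OS X/i],
  ["linux", /Linux|X11/i],
];

// The first parenthesised comment of a Firefox-style UA carries the platform tokens.
function platformComment(ua) {
  const m = /\(([^)]*)\)/.exec(ua || "");
  return m ? m[1] : "";
}

function osFamily(ua) {
  const comment = platformComment(ua);
  for (const [name, re] of OS_PATTERNS) {
    if (re.test(comment)) return name;
  }
  return "unknown";
}

// Compare what the server received with what page script reported.
function compareUserAgents(headerUA, scriptUA) {
  const header = osFamily(headerUA);
  const script = osFamily(scriptUA);
  return {
    header,
    script,
    identical: headerUA === scriptUA,
    osConsistent: header === script && header !== "unknown",
  };
}

// Node-style request handler (hypothetical endpoint): the test page sends
// navigator.userAgent as ?js=..., the header arrives with the request itself.
function handleCheck(req, res) {
  const scriptUA = new URL(req.url, "http://localhost").searchParams.get("js") || "";
  const result = compareUserAgents(req.headers["user-agent"] || "", scriptUA);
  res.writeHead(200, { "Content-Type": "application/json" });
  res.end(JSON.stringify(result));
  return result;
}
```
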
