Skip to content

GitLab

Explore

Sign in

The Tor Project
Applications
Mullvad Browser
Merge requests
!109

MB 234: Disable OS spoofing in HTTP User-Agent.

Review changes
Download
Patches
Plain diff

Pier Angelo Vendrame requested to merge pierov/mullvad-browser:234-mb-spoof-os-ua into mullvad-browser-115.8.0esr-13.5-1 Feb 28, 2024

Overview 11
Commits 3
Changes 3

Merge Info

Related Issues

tor-browser#xxxxx
#234 (closed)
tor-browser-build#xxxxx

Backporting

Timeline

Immediate: patchset needed as soon as possible
Next Minor Stable Release: patchset that needs to be verified in nightly before backport
Eventually: patchset that needs to be verified in alpha before backport
No Backport (preferred): patchset for the next major stable

(Optional) Justification

Emergency security update: patchset fixes CVEs, 0-days, etc
Critical bug-fix: patchset fixes a bug in core-functionality
Consistency: patchset which would make development easier if it were in both the alpha and release branches; developer tools, build system changes, etc
Sponsor required: patchset required for sponsor
Localization: typos and other localization changes that should be also in the release branch
Other: please explain

Merging

Merge to mullvad-browser - !fixups to mullvad-browser-specific commits, new features, security backports
Merge to base-browser -!fixups to base-browser-specific commits, new features to be shared with tor-browser
- NOTE: if your changeset includes patches to both base-browser and mullvad-browser please clearly label in the change description which commits should be cherry-picked to base-browser after merging

Issue Tracking

Link resolved issues with appropriate Release Prep issue for changelog generation

Review

Request Reviewer

Request review from an applications developer depending on modified system:
- firefox internals (XUL/JS/XPCOM) : @ma1 (it's my first C++ pref observer)
- security : @ma1 (fingerprinting?)
- second reviewer : @richard (C++ patch with non-trivial memory stuff)

Change Description

The UX in some sites break because of the inconsistency of HTTP's User-Agent and navigator.userAgent.

This patch makes them consistent, to see how things change for users.

It doesn't handle the security level for a few reasons:

security level isn't about privacy/fingerprinting, in the old threat model, I don't know about the new one
someone says hiding the OS is hard even without JS
this patch is MB-only (but we can set a non-existent pref if needed in TB 😉)

How Tested

Search "my user agent" on duck duck go: it will dump some headers, including UA
Checked that flipping the new pref makes the UA change
Checked that we don't have crashes at shutdown because I've used the weak observer (but we can discuss more about this)

Related to #234 (closed)

Merge request reports

Assignee

Select assignees

Reviewers

Request review from

Time tracking