accept-language header leaks browser localization
A blog user mentions each request includes the chosen browser language. Do we normalize this on desktop such that we only send en-US
regardless of the browser's localization?
Using https://wtfismyip.com/headers
With en-US
as the browser locale:
host: wtfismyip.com
connection: close
user-agent: Mozilla/5.0 (Android 6.0; Mobile; rv:60.0) Gecko/20100101 Firefox/60.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
upgrade-insecure-requests: 1
With ru-RU
as the browser locale:
host: wtfismyip.com
connection: close
user-agent: Mozilla/5.0 (Android 6.0; Mobile; rv:60.0) Gecko/20100101 Firefox/60.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language: ru,ru-RU;q=0.8,en-US;q=0.5,en;q=0.3
accept-encoding: gzip, deflate, br
upgrade-insecure-requests: 1