harden languages fingerprint: JS / accept headers [1746815]
@pierov Fingerprinting
label please, TIA
about:preferences > language is not covered by RFP in any way (except when choosing to spoof english, after which it is no longer protected - spoof is a one off). Users can add additional languages and/or even just change the order of e.g. en-US,en
to en,en-US
(which has been revealed in another ticket that a user did)
With RFP, we can harden this to parse the preference intl.accept_languages
(which reflects the contents of about:preferences
> Language
> Choose your preferred language for displaying pages
> Choose
) for the first value, and to use this to return hardcoded values for both navigator.language, navigator.languages, and language accept header
I am pretty sure Mozilla has these all listed somewhere as the default settings per app language
for example: if first item is
-
en
oren-US
oren-GB
oren-CA
- useen-US,en
-
de
orde-DE
orde-AT
, orde-LI
orde-LU
orde-CH
- usede, en-US, en
-
?
various - usenb-no, nb, no-no, no, nn-no, nn, en-us, en
(if bokmal)- IDK why
en-us
is noten-US
, just reporting what the pref says in TB's nb-no build - there's two norwegians:
nb
bokmal, andnn
nynorsk (andno
norwegian), so I'm not 100% sure how you would reconcile e.g.no
orno-no
first
- IDK why
There's an open bugzilla on this 1746815, but only returning the first item is frought with compat issues. There's a reason there are additional language fallbacks.
This solution, detect the language (via pref or whatever) and use a hardcoded result (already listed somewhere) for navigator and accept headers would eliminate entropy here (and doesn't stop the user switching languages)
@tom FYI