Race condition with language preferences may make spoof_english ineffective
As originally reported on HackerOne:
Summary: Enabling 'Request English versions of web pages for enhanced privacy' in 'Choose your preferred language for displaying pages' continues to use the grayed out settings for JS and HTTP language preferences. This affects navigator.language, navigator.languages, but also Accept-Language.
Steps To Reproduce:
- Change the list of languages in the browser preference 'Choose your preferred language for displaying pages', for example add a new language or reorder the list of languages.
- From the same menu, enable 'Request English versions of web pages for enhanced privacy'. This will gray out the reconfiguration in step 1. Verify if the setting in step 2 took place by checking navigator.language, navigator.languages and Accept-Language.
The original analysis is a bit misleading: this bug does not impact anyone that has previously changed their language settings, as stated, because flipping the privacy.spoof_english preference does actually reset intl.accept_languages to "en-US, en" (the remedy suggested by the reporter).
However, this correct behavior gets broken when the user changes their language preferences and immediately checks the 'Request English versions of web pages for enhanced privacy' box, because the preferences aren't necessarily saved in the correct order, and this way you can end up with both English spoofing allegedly enabled and a custom language being used nonetheless.
So it's more an edge case than what the original report suggests, but absolutely worth fixing by ensuring the preferences are saved in the correct order (and possibly adding some sanity check at startup).
Not confidential because a fingerprinting adversary gains no additional advantage from knowing about this bug (they're surely already collecting language data), while users are in a better position knowing about this problem until it's fixed.
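
The save-order problem and the suggested startup sanity check, modelled as an added example (not Tor Browser code, and not part of the original report). Assumptions: preferences are modelled as a plain object, privacy.spoof_english uses 2 for "enabled" and 1 for "disabled", the custom language list is a constructed sample, and sanityCheck is a hypothetical helper.

```javascript
// Assumed encoding: privacy.spoof_english === 2 means spoofing is enabled.
const SPOOF_ENABLED = 2;
// Value the analysis above says the checkbox resets intl.accept_languages to.
const SPOOFED_LANGS = "en-US, en";

// Apply preference writes in order; the last write to a key wins.
function applyWrites(prefs, writes) {
  const out = { ...prefs };
  for (const [name, value] of writes) out[name] = value;
  return out;
}

// Writes caused by ticking the checkbox: set the flag and reset the list.
const checkboxWrites = [
  ["privacy.spoof_english", SPOOF_ENABLED],
  ["intl.accept_languages", SPOOFED_LANGS],
];
// Write caused by the user's edit of the language list (constructed sample).
const listWrite = [["intl.accept_languages", "de-DE, de, en-US, en"]];

// Languages that Accept-Language and navigator.languages are derived from.
function effectiveLanguages(prefs) {
  return prefs["intl.accept_languages"].split(",").map((s) => s.trim());
}

// Hypothetical startup check: if spoofing is enabled but the language list
// is not the spoofed value, restore it and report that a repair happened.
function sanityCheck(prefs) {
  const spoofing = prefs["privacy.spoof_english"] === SPOOF_ENABLED;
  if (!spoofing || prefs["intl.accept_languages"] === SPOOFED_LANGS) {
    return { prefs, repaired: false };
  }
  return {
    prefs: { ...prefs, "intl.accept_languages": SPOOFED_LANGS },
    repaired: true,
  };
}

// Constructed starting state: spoofing disabled, default list.
const initial = { "privacy.spoof_english": 1, "intl.accept_languages": SPOOFED_LANGS };
// Intended order: the list edit is saved first, then the checkbox writes.
const goodOrder = applyWrites(initial, [...listWrite, ...checkboxWrites]);
// Racy order: the list edit is saved after the checkbox reset it.
const badOrder = applyWrites(initial, [...checkboxWrites, ...listWrite]);

console.log(effectiveLanguages(goodOrder), effectiveLanguages(badOrder));
console.log(sanityCheck(badOrder));
```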