Bug 42349: Workaround to fix the leak of regional locales

Merge Info

Related Issues

• #42349 (closed) #42771 (closed) - do not close yet at least one of the two!
• mullvad-browser#xxxxx
• tor-browser-build#xxxxx

Backporting

Timeline

• Immediate: patchset needed as soon as possible
• Next Minor Stable Release: patchset that needs to be verified in nightly before backport
• Eventually: patchset that needs to be verified in alpha before backport
• No Backport (preferred): patchset for the next major stable

(Optional) Justification

• Emergency security update: patchset fixes CVEs, 0-days, etc
• Censorship event: patchset enables censorship circumvention
• Critical bug-fix: patchset fixes a bug in core-functionality
• Consistency: patchset which would make development easier if it were in both the alpha and release branches; developer tools, build system changes, etc
• Sponsor required: patchset required for sponsor
• Localization: typos and other localization changes that should be also in the release branch
• Other: please explain

Merging

• Merge to tor-browser - !fixups to tor-browser-specific commits, new features, security backports
• Merge to base-browser - !fixups to base-browser-specific commits, new features to be shared with mullvad-browser, and security backports
  • NOTE: if your changeset includes patches to both base-browser and tor-browser please clearly label in the change description which commits should be cherry-picked to base-browser after merging

Issue Tracking

• Link resolved issues with appropriate Release Prep issue for changelog generation
  • This is a workaround! The leak will be fixed, but I don't know what we should put in the changelogs!

Review

Request Reviewer

• Request review from an applications developer depending on modified system:
  • NOTE: if the MR modifies multiple areas, please /cc all the relevant reviewers (since gitlab only allows 1 reviewer)
  • accessibility : henry
  • android : clairehurst, dan
  • build system : boklm
  • extensions : ma1
  • firefox internals (XUL/JS/XPCOM) : jwilde, ma1
  • fonts : pierov
  • frontend (implementation) : henry
  • frontend (review) : donuts, richard
  • localization : henry, pierov
  • macOS : clairehurst, dan
  • nightly builds : boklm
  • rebases/release-prep : dan, ma1, pierov, richard
  • security : jwilde, ma1
  • signing : boklm, richard
  • updater : pierov
  • windows : jwilde, richard
  • misc/other : pierov, richard

Maybe @henry, since it's enough related to localization, but feel free to reassign if you think someone else should review.

Change Description

While reviewing #42771 (closed), I discovered that RFPTarget::JSLocale doesn't work like other targets: privacy.resistFingerprinting isn't enough for it, privacy.spoof_english must be set to 2!

But the protection for regional locales is needed when we don't use spoof English 🙈.

So, as a workaround I changed it with the timezone (well, not spoofing the region also helps with the timezone 🙂).

I think we could merge this and discuss with upstream on a proper fix (since we had a Bug that has been open for a too long time about uplifting this protection).

How Tested

Testbuilds for Linux and Windows x86_64: https://tb-build-03.torproject.org/~pierov/torbrowser/nightly/tbb-nightly.2024.08.08/

You need to set your OS to a language that is a regional variation of the lang we support (e.g., en-GB, es-AR, it-CH, etc...). On Linux you can prepend LANG=en_GB.UTF-8 to ./start-tor-browser for example and check on TZP that the various locales are the ones we have languages for (en-US, es-ES, it, respectively, for the aforementioned example).