为提升您的使用体验,本站正在维护,部分功能暂时无法使用。如果本站文章无法解决您的问题,您想要向社区提问的话,请到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 提问,我们的支持社区将会很快回复您的疑问。

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

FF is leaking my User Agent with privacy.resistFingerprinting=true

more options

I have privacy.resistFingerprinting set to true, and the HTTP_USERAGENT field comes out as fingerprint resistant, but the javascript object "window.navigator" still leaks the non-resistant UA. Simple demo code is listed below.

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Leaked User Agent</title>
<script>
alert(window.navigator && window.navigator.userAgent ? window.navigator.userAgent : "");
</script>
</head>
<body>
</body>
</html>

I have privacy.resistFingerprinting set to true, and the HTTP_USERAGENT field comes out as fingerprint resistant, but the javascript object "window.navigator" still leaks the non-resistant UA. Simple demo code is listed below. <pre><nowiki><!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title>Leaked User Agent</title> <script> alert(window.navigator && window.navigator.userAgent ? window.navigator.userAgent : ""); </script> </head> <body> </body> </html></nowiki></pre><br>

由cor-el于修改

所有回复 (15)

more options

This code doesn't show any issue for me. I have Firefox/80 and in privacy mode it gives me Firefox/78, so everything's OK.

more options

With privacy.resistFingerprinting = true you should get a Firefox ESR user agent (68 in the current release, but this will soon change to 78).

more options

Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Something tells me this is NOT a resistant UA

more options

Is there anyway to fix this problem?

more options

I'm not sure what is wrong.
Firefox 78 is a turn point because 78 is the next ESR build (current is 68 ESR) and this 78 ESR build is chosen in Firefox 78 for the "Resist Fingerprinting" feature and 78 will be reported until the next ESR build (88) (i.e. in Fx 78 there is no difference in the reported Fx version).
The current Firefox 79 build is reported as Firefox 78 with RFP enabled.

more options

This has nothing to do with the number. I'm running firefox on Linux, and the resistant UA should be "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0".

That is what I get in the HTTP headers. like this: GET / HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Upgrade-Insecure-Requests: 1

However, running a simple javascript in that same request will yield a completely wrong UA: alert(window.navigator && window.navigator.userAgent ? window.navigator.userAgent : "");

Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

It's leaking my OS which is not fingerprint resistant. Everything in window.navigator should be fingerprint resistant and it is not.

more options

The Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 is a pretty generic UA compared to what UA's used to be. It used to have say the exact build date (and not 20100101) and the minor versions shown as for example Firefox 68.4.2 esr is shown as 68.0 and not 68.4.2 in UA.

more options

They have decided not to spoof the platform when you enable "Resist Fingerprinting" to avoid issues when a website uses platform specific code, so only the version number is modified to the current ESR branch.

more options

It is weird that the user agent string is different between the HTTP Header and the navigator object. Is this a "confusion to our enemies" strategy?

more options

But the platform is already being spoofed in the HTTP header, why can't you at least make it an option to spoof the navigator object also, even if it might break some websites. better to be more resistance than not at all. a website would only have to compare the $_SERVER['HTTP_USER_AGENT'] string verses the navigator object useragent string to see it's spoofed, and that test itself increases the entropy of the fingerprint.

more options

p54484c2qh said

But the platform is already being spoofed in the HTTP header, why can't you at least make it an option to spoof the navigator object also

After further exploration, I believe: the Web Console knows the truth, so you can't use that for your testing. Here's what I did:

I modified the UA on my Win10x64 to 32-bit Windows 7 by creating the string preference general.useragent.override with this value:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20100101 Firefox/77.0

Then I tested on https://www.jeffersonscher.com/res/jstest.php and got the expected result both for the header and JavaScript.

Then I turned on privacy.resistFingerprinting and checked the page again and got

Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

for both.

Repeated with general.useragent.override set to

Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0

with and without resistFingerprinting and got the same result.

Note: the spam link filter will divert your reply to moderation if you include any off-site URLs, so if you quote the above test address, it's normal for your post not to appear right away.

more options

Sorry, I don't know why I thought this thread involved the Web Console. Must be reading too many threads at the same time.

Upon further review, I noticed a difference with the UAs:

UA override:

  1. Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20100101 Firefox/77.0
  2. Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0

HTTP Header: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

Javascript: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0

That's weird.

It is also true, so both of our Firefox's report the true OS.

由jscher2000 - Support Volunteer于修改

more options

According to bug comments (1653328#c1, 1650427#c2) this difference is intentional and is driven by experience of Tor users with site breakage and ability of scripts to determine your OS in other ways anyway.

more options

I always thought that FF was more customizable then it really is. That is disappointing especially since I don't use Tor.

more options

p54484c2qh said

I always thought that FF was more customizable then it really is.

What are you trying to customize?

In my view, the privacy.resistFingerprinting feature bundles a bunch of changes that I haven't seen proven to work, possibly because not very many people use it: it's difficult for those with altered responses to blend in with a crowd if there's no crowd. If there are particular things you want to control, I suggest finding ways to control those specific things instead of using the bundled approach.