On 5/11/2019 8:59 AM, Henri Sivonen wrote:
"Mozilla/5.0 (Windows NT 10.0; rv:66.0) Gecko/20100101 Firefox/66.0"
Would there be significant downsides to hard-coding the Windows
version to "10.0" in order to put Windows 7 and 8.x users in the same
anonymity set with Windows 10 users?
...
> Meanwhile, could we make the system version number "10.14" (or
> whatever is latest at a given point in time) regardless of actual
> version number to put all macOS users in the same anonymity set?
> (Curiously, despite Apple's privacy efforts, Safari exposes the third
> component of the OS version number. Also, it uses underscores instead
> of periods as the separator.)
Firefox spoofs the latest OS versions when the
privacy.resistFingerprinting pref is enabled (e.g. in Tor). I think
always spoofing the OS version is worth considering as a follow up task.
I'd like to limit the scope of this initial proposal just to CPU
architecture.
> It seems that for privacy reasons, we should claim the latest Android
> version for everyone even if it means introducing the recurring task
> of incrementing the number annually or so.
We've already bumped privacy.resistFingerprinting's spoofed OS versions
for new ESR versions, so this wouldn't be a burden:
https://bugzilla.mozilla.org/show_bug.cgi?id=1511434
Do we have indications if "Linux" is needed for Web compat? According
to
https://docs.google.com/spreadsheets/d/1I--o6uYWUkBw05IP964Ee2aZCf67P9E3TxpuDawH4_I/edit#gid=0
FreeBSD currently does not say "Linux". (Chrome on Chrome OS does not
say Linux, either, but does say "X11; ".) That is, could "X11; " alone
be sufficient for Web compat? (I'm happy to see that running Firefox
in Wayland mode still says "X11; ". Let's keep it that way!)
I don't know. Trimming the OS is worth considering as a follow up task.
Do we have an idea if distros would counteract Mozilla and restore the
CPU architecture if we removed it? Previous evidence suggests that
distros are willing to split the anonymity set for self-promotional
reasons by adding "; Ubuntu" or "; Fedora". Is there a similar distro
interest in exposing the CPU architecture?
I can try to contact some distro representatives and ask about them
exposing the CPU architecture.
https://docs.google.com/spreadsheets/d/1I--o6uYWUkBw05IP964Ee2aZCf67P9E3TxpuDawH4_I/edit#gid=0
suggests making Firefox on FreeBSD say "Linux". Are there indications
that the self-promotion interests of FreeBSD wouldn't override privacy
or Web compat benefits of saying "Linux"?
We can probably delegate that decision to the FreeBSD developers. I
shouldn't have included it because it's beyond the scope of my proposal
to remove CPU architecture.
I propose no change to the macOS UA string at this time. Removing
"Intel" now would not reduce any fingerprinting entropy (all modern Macs
are x86_64) and might risk confusing some UA string parsers. If AArch64
MacBooks become a real platform, I propose we then remove "Intel" so
x86_64 and AArch64 macOS would have the same UA string:
< "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101
Firefox/66.0"
> "Mozilla/5.0 (Macintosh; Mac OS X 10.14; rv:66.0) Gecko/20100101
Firefox/66.0".
Or they could have the same UA string by Aarch64 saying "Intel"...
I see that iOS Safari's UA reports "CPU iPhone" where macOS Safari
reports "Intel Mac OS X". Presumably Apple thought a placeholder UA
token (like "CPU") was needed instead of just "iPhone". I assume Apple
would use the same "CPU" placeholder for Safari on a hypothetical
AArch64 macOS. In the meantime, there's little value in removing "Intel".
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
