#30605: accept-language header leaks browser localization --------------------------------------+-------------------------- Reporter: sysrqb | Owner: tbb-team Type: defect | Status: new Priority: Medium | Milestone: Component: Applications/Tor Browser | Version: Severity: Normal | Resolution: Keywords: tbb-mobile, tbb-parity | Actual Points: Parent ID: | Points: Reviewer: | Sponsor: --------------------------------------+--------------------------
Comment (by sysrqb): Replying to [comment:4 gk]: > Replying to [comment:3 sysrqb]: [snip] > > I wonder what we should do on Android. Maybe we should start with always spoofing the header for now, and implement a better fix later? > > I am inclined to say "no" as the usability issues are potentially quite severe. There are a bunch of ways to get the browser locale (we still have some open for desktop) even though header spoofing *is* active (see e.g. #30304). So the benefit might not be as expected (this is *not* meant in the sense that we should not fix it because there are other ways to obtain the locale). Maybe we should add a warning/notification somewhere? Maybe we should check the current locale when the app starts and show a warning if `locale` != `en-US`? It makes me a little uncomfortable that we default to `en-US`, but I don't have a better answer right now. From a usability perspective, we should sending the correct language header. -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30605#comment:5> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online
_______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs