Opened 14 months ago

Last modified 9 months ago

#31504 needs_information defect

Disable

Reported by: cyperpunks
Owned by: tbb-team
Priority: Immediate
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Critical
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

about:preferences#general - "Choose your preferred language for displaying pages"

There's a checkbox "Request English versions of web pages for enhanced privacy".

If you select it, the language field becomes en-US,en while other Tor users have en,en-US. This makes this person unique compared to other users.

So please remove this option or force every Tor Browser user to share the same value.

Change History (4)

comment:1 Changed 14 months ago by cyperpunks

Ugh forgot to edit title

comment:2 Changed 14 months ago by gk

Status: new → needs_information

What exactly is the bug here? That using the checkbox is giving you a different English intl.accept_languages value than using the "Choose your preferred language for displaying pages"?
But it should be generally allowed to set, say, "es-ES" in case this is needed, as long as the headers look the same to someone not spoofing the locale? Or should there be no option at all to try to change the locale of the website if needed?

(I'll fix up the title once it's clear what the bug report is)

comment:3 Changed 14 months ago by cypherpunks

He means en-US,en is not en,en-US.

comment:4 in reply to:  description Changed 9 months ago by Thorin

Replying to cyperpunks:

while other Tor users have en,en-US

AFAICT, this is incorrect. The default for en-US builds is en-US, en. Non en-US builds start with en-US, en and after the prompt (if you click yes *or* no) it stays as en-US, en. If you clicked yes, the language list is disabled. If you clicked no, the language list is enabled and you can add your preferred language.

---

Flipping privacy.spoof_english from either about:config or by using the mentioned checkbox, also flips javascript.use_us_english_locale. And either way you do it, all but en-US, en in the language list is removed and the order is reset to en-US, en.

When spoof_english = 1, then users must be able to add their language etc: usability: the language list is enabled

When spoof_english = 2, the language list is disabled (and reset).

However, there is no such protection for en-US builds, because spoof_english is never used - this is where you easily change your fingerprint: i.e. it is not locked down and I'm sure that this is where OP screwed it up.

@gk ... could we tighten up en-US builds? ... your move! :)

Last edited 9 months ago by Thorin
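
The distinction raised in comment:3 (en-US,en is not en,en-US), as an added example that is not part of the ticket or of Tor Browser's code: a small parser that turns a language list into its ordered preference list and classifies it against the en-US, en default given in comment:4. The function names and the sample values are constructed for illustration.

```javascript
// Default from the ticket (comment:4): intl.accept_languages = "en-US, en".
const BASELINE = ["en-us", "en"];

// Parse a pref value or Accept-Language header into tags ordered by
// preference (highest q first; ties keep their listed order).
function parseLanguageList(value) {
  return value
    .split(",")
    .map((item, index) => {
      const [tag, ...params] = item.trim().split(";");
      let q = 1; // a tag without a q parameter has weight 1
      for (const p of params) {
        const m = /^\s*q\s*=\s*([01](?:\.\d{0,3})?)\s*$/i.exec(p);
        if (m) q = parseFloat(m[1]);
      }
      return { tag: tag.trim().toLowerCase(), q, index };
    })
    .filter((e) => e.tag !== "" && e.q > 0) // q=0 means "not acceptable"
    .sort((a, b) => b.q - a.q || a.index - b.index)
    .map((e) => e.tag);
}

// "match": same ordered list; "reordered": same languages, other order;
// "different": another set of languages. All but "match" stand out.
function compareToBaseline(value, baseline = BASELINE) {
  const langs = parseLanguageList(value);
  const sameLength = langs.length === baseline.length;
  if (sameLength && langs.every((t, i) => t === baseline[i])) return "match";
  const sameSet = sameLength && baseline.every((t) => langs.includes(t));
  return sameSet ? "reordered" : "different";
}

// Count how many values fall into each ordered-list bucket.
function bucketize(values) {
  const buckets = new Map();
  for (const v of values) {
    const key = parseLanguageList(v).join(",");
    buckets.set(key, (buckets.get(key) || 0) + 1);
  }
  return buckets;
}

// Constructed sample values, not captured from real clients.
const SAMPLES = ["en-US, en", "en-US,en;q=0.5", "en,en-US",
                 "es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3"];
for (const s of SAMPLES) console.log(s, "=>", compareToBaseline(s));
```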