Hello, UA string fans! I propose that Firefox's UA string on Windows and
Linux omit the browser and OS architectures to reduce UA fingerprinting
entropy (and save a few header bytes).
I have tentative thumbs up from some webcompat and privacy people, but
as there is no official module owner for User-Agent string at this time,
I wanted to get some wider feedback here.
The primary use case for including OS architecture (Win32, Win64) and
version in the UA string is to allow software download sites to offer
compatible software. A second use case I've heard is for websites to
work around platform bugs or serve a page design to match the OS theme,
but I have not seen real examples of this.
The UA string on Windows and Linux currently reveals both the browser
and OS architectures:
* 32-bit Firefox on 32-bit OS: "Windows", "Linux i686" or armv7l
* 32-bit Firefox on 64-bit OS: "WOW64", "Linux i686 on x86_64"
* 64-bit Firefox on 64-bit OS: "Win64", "Linux x86_64" or aarch64
I propose that Win64 and WOW64 use the unadorned Windows UA already used
by Firefox on x86 and AArch64 Windows:
< "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101
Firefox/66.0"
> "Mozilla/5.0 (Windows NT 10.0; rv:66.0) Gecko/20100101 Firefox/66.0"
And that Linux omit the OS architecture entirely (like Firefox on
Android), or always spoof "i686" if an architecture token is needed for
UA parsing webcompat:
< "Mozilla/5.0 (X11; Linux i686 on x86_64; rv:66.0) Gecko/20100101
Firefox/66.0"
> "Mozilla/5.0 (X11; Linux; rv:66.0) Gecko/20100101 Firefox/66.0"
If a software download site doesn't see "Win64" or "WOW64" in the UA
string, it might serve a Win32 x86 executable to a Win64 OS user. The
x86 executable would still be compatible, just not optimal. (Firefox and
Chrome don't have this problem because they ship smart stub installers.)
Linux users are unlikely to download much software from sites that sniff
their OS architecture, so omitting it should be safe.
If a site *really* wants to detect the client's browser or OS
architecture, it can use Flash APIs or detect known differences between
Firefox's 32-bit and 64-bit JavaScript Math functions [1].
If we think allowing software download sites to sniff and serve Win64
executables is important, we can include the OS architecture but omit
the browser architecture (i.e. report "Win64" instead of "WOW64"). Sites
don't need to know whether the user is running an x86 or x86_64 browser
on their Win64 OS.
I propose no change to the macOS UA string at this time. Removing
"Intel" now would not reduce any fingerprinting entropy (all modern Macs
are x86_64) and might risk confusing some UA string parsers. If AArch64
MacBooks become a real platform, I propose we then remove "Intel" so
x86_64 and AArch64 macOS would have the same UA string:
< "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0) Gecko/20100101
Firefox/66.0"
> "Mozilla/5.0 (Macintosh; Mac OS X 10.14; rv:66.0) Gecko/20100101
Firefox/66.0".
Here is a spreadsheet comparing UA strings of different browser and OS
architectures:
https://docs.google.com/spreadsheets/d/1I--o6uYWUkBw05IP964Ee2aZCf67P9E3TxpuDawH4_I/edit#gid=0
[1] https://github.com/ghacksuserjs/ghacks-user.js/issues/657
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
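The following is an added example, not code from the post above or from Firefox: it parses the architecture tokens that the Windows and Linux UA variants listed in the post reveal, rewrites each string the way the two proposals would (the main one that drops both architectures, and the fallback that keeps only the OS architecture), and counts how many distinct strings remain. The sample UA strings are constructed to match the variants described in the post; the choice to spell the fallback Windows form as "Win64; x64" so that it matches the native 64-bit string is an assumption.

```javascript
// Added example (not from the original post): parse the architecture tokens a
// Firefox UA string reveals on Windows and Linux, rewrite the string as the
// proposals suggest, and count how many distinguishable strings survive.

// Constructed sample UA strings, built to match the variants the post lists.
const SAMPLE_UAS = [
  "Mozilla/5.0 (Windows NT 10.0; rv:66.0) Gecko/20100101 Firefox/66.0",              // 32-bit Firefox, 32-bit OS
  "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:66.0) Gecko/20100101 Firefox/66.0",       // 32-bit Firefox, 64-bit OS
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0",  // 64-bit Firefox, 64-bit OS
  "Mozilla/5.0 (X11; Linux i686; rv:66.0) Gecko/20100101 Firefox/66.0",
  "Mozilla/5.0 (X11; Linux i686 on x86_64; rv:66.0) Gecko/20100101 Firefox/66.0",
  "Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0",
];

// Extract { os, browserArch, osArch } from the parenthesised platform tokens.
// "unknown" means the string does not reveal that value.
function parseArch(ua) {
  const info = { os: "other", browserArch: "unknown", osArch: "unknown" };
  const m = /^Mozilla\/5\.0 \(([^)]*)\)/.exec(ua);
  if (!m) return info;
  const tokens = m[1].split(";").map((t) => t.trim());
  if (tokens[0].startsWith("Windows NT")) {
    info.os = "windows";
    if (tokens.includes("WOW64")) {
      info.browserArch = "x86";
      info.osArch = "x86_64";
    } else if (tokens.includes("Win64")) {
      info.browserArch = "x86_64";
      info.osArch = "x86_64";
    }
    // A bare "Windows NT x.y" is sent by x86 Firefox on x86 Windows and by
    // Firefox on AArch64 Windows alike, so nothing is inferred from it.
  } else if (tokens[0] === "X11" && tokens.length > 1 && tokens[1].startsWith("Linux")) {
    info.os = "linux";
    const parts = tokens[1].split(/\s+/).slice(1); // e.g. ["i686", "on", "x86_64"]
    if (parts.length === 3 && parts[1] === "on") {
      info.browserArch = parts[0];
      info.osArch = parts[2];
    } else if (parts.length === 1) {
      info.browserArch = parts[0];
      info.osArch = parts[0];
    }
  }
  return info;
}

// Main proposal: drop the Win64/x64/WOW64 tokens and the Linux architecture.
// linuxToken lets the caller keep a fixed spoofed token (e.g. "i686") after
// "Linux" in case some UA parsers need one.
function stripArch(ua, linuxToken = "") {
  const linux = linuxToken ? `Linux ${linuxToken}` : "Linux";
  return ua
    .replace(/; (?:Win64|WOW64|x64)(?=[;)])/g, "")
    .replace(/Linux [^;)]*/, linux);
}

// Fallback proposal: keep the OS architecture but hide the browser's, so a
// 32-bit browser on a 64-bit OS looks like the native 64-bit build. Spelling
// the Windows form as "Win64; x64" to match the real Win64 string is an
// assumption made for this example.
function stripBrowserArchOnly(ua) {
  return ua
    .replace("; WOW64;", "; Win64; x64;")
    .replace(/Linux \S+ on (\S+)/, "Linux $1");
}

// Number of distinguishable UA strings in a set: a crude proxy for the
// fingerprinting surface the architecture tokens add.
function distinctCount(uas) {
  return new Set(uas).size;
}

for (const ua of SAMPLE_UAS) {
  console.log(JSON.stringify(parseArch(ua)), "->", stripArch(ua));
}
console.log("distinct before:", distinctCount(SAMPLE_UAS),
  "after (main proposal):", distinctCount(SAMPLE_UAS.map((u) => stripArch(u))),
  "after (OS arch only):", distinctCount(SAMPLE_UAS.map(stripBrowserArchOnly)));
```

On the six constructed samples the main proposal collapses the three Windows and three Linux variants into one string each, while the fallback still leaves the OS architecture distinguishable (four strings), which is the trade-off the post describes between fingerprinting entropy and letting download sites pick a Win64 installer.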