70
edits
Changes
→User Agent
Boris Zbarsky points out that most parts of the UA lead to bad sniffing. Irish "ga-IE" and "Minef'''ie'''ld" get detected as IE. Sites incorrectly sniff based on OS. Sites sniff for Gecko years rather than Gecko versions. Going from 3.0.9 to 3.0.10 probably breaks things. And quite a few sites sniff for "Firefox", which is a threat to the continued freedom of the web. So removing things from the UA string has a long-term positive effect on compatibility as well as privacy.
:There is another issue with UA spoofing. For some reason, Components.classes and Components.interfaces exist in the content-window javascript namespace. Gregory Fleischer used this to test for the existence of ephemeral interfaces to [http://pseudo-flaw.net/tor/torbutton/fingerprint-firefox.html fingerprint both OS and Firefox version], down to the minor revision (FF3.5.3 was the latest release at the time). He has a [http://pseudo-flaw.net/content/defcon/dc-17-demos/ number of other fingerprinting demos] you should investigate as well. -- [[User:mikeperry|mikeperry]]
:Filed [https://bugzilla.mozilla.org/show_bug.cgi?id=http-fingerprint bugs]. [[User:Hsivonen|Hsivonen]] 09:33, 18 June 2010 (UTC)
