guardianproject / Orweb

We are EOL this project. Please use Lightning Browser or wait for Orfox instead
https://guardianproject.info/2015/06/30/orfox-aspiring-to-bring-tor-browser-to-android/

HTTP_ACCEPT leaks locale #47

Open reezer opened 10 years ago

reezer commented 10 years ago

It appears that Orweb leaks the phone locale in HTTP_ACCEPT headers, even if the locale is set. Since the locale is, especially for smaller countries, a good identifier (https://panopticlick.eff.org/), it makes it easier for an attacker to guess a visitor's real identity.

dillbyrne commented 10 years ago

Confirmed here. I recommend setting the default to match Firefox. I have a list of browser profiles including accept headers for many browsers at https://github.com/dillbyrne/random-agent-spoofer/blob/master/data/json/useragents.json for reference.

For the language header I would suggest using en-US as the default; it is the most common and therefore the most effective for blending in. If a user wanted to use en-GB, en-CA or others, for example, these options could be provided in the locale dropdown but they would have to be chosen.

reezer commented 10 years ago

I think these are two different issues:

One is that small country problem. This can be fixed by setting defaults. I am not sure, but it always seems to be English all the time anyway (for the User Agent).

The other issue is that HTTP_ACCEPT does not match this setting.

hughobrien commented 10 years ago

An option to configure the exact contents of the HTTP headers, including the accepted data formats would be useful. In particular, I leak en-IE, which is very identifying.
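The following is an added example, not code from Orweb or from any commenter, showing the two checks the thread asks for: an audit of which region subtags a device-generated Accept-Language header reveals (the en-IE case above), and a builder that emits one uniform header unless the user explicitly picks a tag. It assumes "en-US,en;q=0.5" as the Firefox-style default suggested in the thread.

```python
import re
from typing import List, Optional, Tuple

# Uniform default assumed here, following the thread's suggestion to match Firefox's en-US value.
DEFAULT_ACCEPT_LANGUAGE = "en-US,en;q=0.5"

# BCP 47-style language tag, and one Accept-Language element with optional ";q=" weight
# (RFC 7231 s5.3.5).
_TAG = r"[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*"
_TAG_RE = re.compile(rf"^{_TAG}$")
_ELEMENT_RE = re.compile(rf"^\s*({_TAG}|\*)\s*(?:;\s*q\s*=\s*([01](?:\.\d{{0,3}})?))?\s*$")


def parse_accept_language(header: str) -> List[Tuple[str, float]]:
    """Split a header into (tag, q) pairs, highest q first; header order is kept for equal q."""
    pairs = []
    for element in header.split(","):
        if not element.strip():
            continue
        match = _ELEMENT_RE.match(element)
        if match is None:
            raise ValueError(f"malformed Accept-Language element: {element!r}")
        tag, q = match.group(1), match.group(2)
        pairs.append((tag, float(q) if q is not None else 1.0))
    return sorted(pairs, key=lambda pair: -pair[1])


def region_leaks(header: str) -> List[str]:
    """Region subtags the header reveals, e.g. ['IE'] for 'en-IE,en;q=0.8'."""
    regions = []
    for tag, q in parse_accept_language(header):
        if tag == "*" or q == 0.0:
            continue  # wildcard or explicitly rejected tag reveals no region
        for subtag in tag.split("-")[1:]:
            # A region is two letters (IE, US) or three digits (419 for Latin America);
            # four-letter script subtags such as Hant are skipped.
            if (len(subtag) == 2 and subtag.isalpha()) or (len(subtag) == 3 and subtag.isdigit()):
                regions.append(subtag.upper())
    return regions


def build_accept_language(user_choice: Optional[str] = None) -> str:
    """Header to send: the uniform default unless the user deliberately picked a tag."""
    if user_choice is None:
        return DEFAULT_ACCEPT_LANGUAGE
    tag = user_choice.strip()
    if not _TAG_RE.match(tag):
        raise ValueError(f"invalid language tag: {user_choice!r}")
    base = tag.split("-")[0].lower()
    # Add the bare language as a fallback, the way Firefox does for en-US.
    return tag if base == tag else f"{tag},{base};q=0.5"
```

Running region_leaks over the header a stock device would send is a quick way to confirm the leak before and after a fix.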