pyllyukko / user.js

user.js -- Firefox configuration hardening
MIT License

Prevent navigator/gecko.buildID leaks #117

Closed nodiscc closed 8 years ago

nodiscc commented 8 years ago

https://bugzilla.mozilla.org/show_bug.cgi?id=583181
https://www.browserleaks.com/javascript#comments
http://browserspy.dk/showprop.php

pyllyukko commented 8 years ago

This is definitely a problem, yes. Firefox doesn't seem to respect gecko.buildID or any of the other settings :/

nodiscc commented 8 years ago

I can confirm that changing the *.buildID settings has no effect.

Random Agent Spoofer did not work for me; the original Build ID is always visible to https://www.browserleaks.com/javascript

pyllyukko commented 8 years ago

Try now? :)

nodiscc commented 8 years ago

@pyllyukko your fix does not work for me (original buildID still displayed)

@CHEF-KOCH I can confirm that Random Agent spoofer does not affect the Build ID value on the test page for me (all script injection options enabled). I'm trying to locate where the lockPrefs file should reside, http://kb.mozillazine.org/Locking_preferences only describes locking for the Windows platform. I've tried ~/.mozilla/firefox/*/, /usr/share/iceweasel/{pref,profile} without results.

Iceweasel 44.0.2-1 on Debian GNU/Linux stretch/sid

Please reopen?

@fmarier any clue?

pyllyukko commented 8 years ago

> Please reopen?

Will do.

pyllyukko commented 8 years ago

> @pyllyukko your fix does not work for me (original buildID still displayed)

That's odd.

> Iceweasel 44.0.2-1 on Debian GNU/Linux stretch/sid

Seems to work on my Debian 8 + Iceweasel 38.6.1. I wonder what's up?!

[image: icew-4343-2]

nodiscc commented 8 years ago

I will retry with a freshly created profile.

nodiscc commented 8 years ago

Confirmed in newly created profile

$ apt-cache policy iceweasel
iceweasel:
  Installed: 45.0~b5-1
  Candidate: 45.0~b5-1
  Version table:
 *** 45.0~b5-1 700
          1 http://ftp.fr.debian.org/debian experimental/main amd64 Packages
        100 /var/lib/dpkg/status
     44.0.2-1 600
        500 http://ftp.fr.debian.org/debian stretch/main amd64 Packages
        200 http://ftp.fr.debian.org/debian unstable/main amd64 Packages
$ git clone https://github.com/pyllyukko/user.js
$ firefox --no-remote -P #create profile, exit
$ cp user.js/user.js ~/.mozilla/firefox/
$ cp user.js/user.js ~/.mozilla/firefox/*.mynewprofile/
$ firefox --no-remote -P #run with mynewprofile, go to http://browserspy.dk/showprop.php
#page shows buildID 20160214103951

May it be an iceweasel-specific bug? Is someone able to reproduce with Iceweasel/Firefox/another branding?

pyllyukko commented 8 years ago

It works on my Iceweasel (see the User-Agent on the screenshot).

$ apt-cache policy iceweasel
iceweasel:
  Installed: 38.7.0esr-1~deb8u1
  Candidate: 38.7.0esr-1~deb8u1
  Version table:
 *** 38.7.0esr-1~deb8u1 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     38.5.0esr-1~deb8u2 0
        500 http://ftp.funet.fi/pub/linux/mirrors/debian/ jessie/main amd64 Packages

nodiscc commented 8 years ago

Fixed in Firefox 45.1.0esr-1 in Debian (pref general.buildID.override now actually overrides the buildId)
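
Added example, not part of the thread or of the user.js project: a self-test for the check the commenters ran by hand on the test pages, classifying `navigator.buildID` as overridden, leaking or absent and decoding the build timestamp a leaking value exposes. `EXPECTED_OVERRIDE` is a constructed placeholder for whatever your profile sets in `general.buildID.override`, and the function names are hypothetical.

```javascript
// Constructed placeholder: replace with the value your user.js assigns to
// general.buildID.override.
const EXPECTED_OVERRIDE = "20100101000000";

// Gecko build IDs are build timestamps in the form YYYYMMDDHHMMSS.
// Returns "YYYY-MM-DD HH:MM:SS" (build machine's clock, no timezone implied),
// or null when the string is not a valid timestamp.
function parseBuildId(id) {
  const m = /^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})$/.exec(String(id));
  if (!m) return null;
  const [, y, mo, d, h, mi, s] = m;
  // Date.UTC silently rolls over impossible fields (month 13, hour 24, ...),
  // so round-trip through ISO format and reject anything that changed.
  const t = new Date(Date.UTC(+y, +mo - 1, +d, +h, +mi, +s));
  const iso = `${y}-${mo}-${d}T${h}:${mi}:${s}.000Z`;
  return t.toISOString() === iso ? `${y}-${mo}-${d} ${h}:${mi}:${s}` : null;
}

// nav is a navigator-like object, so the check also runs outside a browser.
function checkBuildId(nav, expected = EXPECTED_OVERRIDE) {
  const id = nav.buildID;
  if (id === undefined || id === "") {
    return { status: "absent", id: null, built: null };
  }
  const built = parseBuildId(id);
  if (id === expected) {
    return { status: "overridden", id, built };
  }
  // A well-formed ID that differs from the override is the real build
  // timestamp, which pins down the exact build and patch level.
  return { status: built ? "leaking" : "unrecognized", id, built };
}

// In a browser console this reports on the running profile.
if (typeof navigator !== "undefined") {
  console.log(checkBuildId(navigator));
}
```

Run it in the web console of a page loaded with the profile under test; a `leaking` status after setting the pref is the behaviour reported in this issue.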